Date: Mon, 2 Oct 2000 23:41:17 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: TeRrAc <terrac@cloudfactory.org>
Cc: FreeBSD IPFW list <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: IPFW + NAT, how do I slick this puppy up?
Message-ID: <20001002234116.P25121@149.211.6.64.reflexcom.com>
In-Reply-To: <Pine.LNX.4.21.0010022049270.17474-100000@stratus.cloudfactory.org>; from terrac@cloudfactory.org on Mon, Oct 02, 2000 at 08:59:06PM -0700
References: <Pine.LNX.4.21.0010022049270.17474-100000@stratus.cloudfactory.org>
On Mon, Oct 02, 2000 at 08:59:06PM -0700, TeRrAc wrote:
> I have a freebsd 4.0 stable system running IPFW, NAT and DHCP. I want to
> make this machine as slick as possible. One thing that is currently
> buggered is that I do not have the rc.firewall file setup to automatically
> load my rules. My ruleset is minor.. extremely minor. It just allows
> everything from one side to the other. I want to be able to allow all
> traffic out, but not unsolicited traffic back in (if that makes any
> sense). Here is my ruleset..
>
> 00001 3550449 1697415913 divert 8668 ip from any to any via fxp0
> 00010 5466534 2771367031 allow ip from any to any
> 65535 360 38536 deny ip from any to any

Just,

  gateway_enable="YES"
  natd_enable="YES"
  natd_interface="fxp0"
  firewall_enable="YES"
  firewall_type="open"

does what you have there at boot.

> Another problem that I have, and this is all my doing... is whenever the
> logical network segments share the same physical network I get messages
> on the console like:
>
> Sep 27 19:22:19 hostname /kernel: arp: 10.0.0.52 is on fxp1 but got reply
> from xx:xx:xx:xx:xx:xx on fxp0
>
> I think I know what that means, but aside from putting the physical
> cables on different hubs/switches I don't know how to fix it.

That /is/ how you fix it. Putting more than one interface of a single host
on one collision domain is a misconfiguration. The messages are pointing
this out in an indirect way.

There also is no point in trying to close up your firewall. If everything
is on one LAN, the firewall is not really protecting any machines from the
outside.

> That last question leads me into my next bit, which is: if I want to have
> both NAT'd and real-world IP'd machines on the same physical network, how
> would I go about doing this?

Are you saying that you don't want to do NAT for the "real world" IP
addresses behind the firewall/NAT machine? See the 'unregistered_only'
flag in ipfw(8). Just do regular old static routing for the registered IPs.

But partition yourself to two physical networks before you bother trying
to upgrade all of this.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
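An added example, not part of the thread: a stateful ipfw/natd ruleset that does what the original poster asked for (anything out, only replies back in) instead of the fully open set shown above. It assumes fxp0 is the public interface as in the thread, fxp1 is the inside interface, and natd is already running on the default divert port.

```shell
#!/bin/sh
# Added example: stateful ipfw + natd ruleset for the setup in the thread.
# Outbound traffic creates dynamic state before it is NATed; inbound traffic
# is de-NATed first and passes only if it matches that state.
fwcmd="/sbin/ipfw"
pif="fxp0"    # public interface running natd (from the thread)
iif="fxp1"    # inside interface (assumption, not stated in the thread)

# Emit the rules, one ipfw(8) argument list per line.
build_rules() {
    cat <<EOF
-f flush
add 005 allow ip from any to any via ${iif}
add 010 allow ip from any to any via lo0
add 014 divert natd ip from any to any in via ${pif}
add 015 check-state
add 020 skipto 800 tcp from any to any out via ${pif} setup keep-state
add 021 skipto 800 udp from any to any out via ${pif} keep-state
add 022 skipto 800 icmp from any to any out via ${pif} keep-state
add 400 deny log ip from any to any in via ${pif}
add 800 divert natd ip from any to any out via ${pif}
add 801 allow ip from any to any
add 999 deny log ip from any to any
EOF
}

# Ordering check: inbound divert before check-state, catch-all inbound deny after.
check_rules() {
    rules=$(build_rules)
    n_divert_in=$(printf '%s\n' "$rules" | grep -n 'divert natd ip from any to any in' | cut -d: -f1)
    n_check=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    n_deny_in=$(printf '%s\n' "$rules" | grep -n 'deny log ip from any to any in' | cut -d: -f1)
    [ "$n_divert_in" -lt "$n_check" ] && [ "$n_check" -lt "$n_deny_in" ]
}

# Feed each line to ipfw. Run as root after natd has been started.
apply_rules() {
    build_rules | while read -r line; do
        ${fwcmd} ${line}
    done
}

if [ "${1:-}" = "apply" ]; then
    check_rules && apply_rules
fi
```

Unsolicited inbound packets on fxp0 fall through to rule 400 and are logged, which also gives you a record of what the open ruleset was letting in.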