Date:      Wed, 28 Jun 2000 19:51:43 -0700
From:      "Robert M. Shields" <wildcard@bnswest.net>
To:        "Daniel J Cain Jr." <djcain@uswest.net>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: DSL / Routing / ipfw issues
Message-ID:  <395AB9BF.C0618989@bnswest.net>
References:  <395A99D5.86C65388@bnswest.net> <003c01bfe16e$5729e9c0$0200a8c0@home.matrix.oss.uswest.net>

  I had the firewall box enabled as a gateway with NAT onto the 2nd network to
begin with...  ( I guess that was relevant info,  huh? )  I could ping the fxp0
interface from any system on the LAN, but when I tried to reach the 675 on the
doze boxes, the packet would always time out.

   Which is why I was looking into turning the firewall into a network bridge,
to avoid all that hoopla with running NAT twice.  It's my understanding that while
acting as a bridge the firewall can just pass packets back and forth between
networks, just as if they were physically connected, without any name
translation or routing needed.   Or should I just say screw it, lose the
firewall and use the NAT and packet filtering in the 675?

Thanks for the input though,

Robert

"Daniel J Cain Jr." wrote:

> It would strike me that when a packet comes from the WinBox the 675 sees a
> packet with a source IP of 192.x.x.x and its local interfaces are within
> 10.x.x.x and <some public IP>.  It would not know how to get back to the Win
> Box to respond.  I haven't played with NIC 2 NIC traffic yet (or ipfw), but
> I ran into a problem when I first turned BSD into gateway for NIC 2 ppp it
> wasn't passing traffic between the interfaces.  /etc/rc.conf
> gateway_enable="YES" fixed this though I believe.  With NAT on the 675 I
> would feel comfortable with my systems being secure behind the 675 from any
> traffic that is initiated from the Internet, static ip block though without
> NAT on the 675 would need ipfw though.  Some sort of NAT would have to occur
> on the BSD box (don't know if ipfw does this) to change source IP of packets
> to IP of fxp0, which would then get changed to the IP of wan0-0 on the way
> out to the Internet, all this would have to happen in the reverse (from the
> NAT tables) to get all the way back to the Win Box.
>
> Cain's $.02 worth
>
> ----- Original Message -----
> From: "Robert M. Shields" <wildcard@bnswest.net>
> To: <freebsd-questions@FreeBSD.ORG>
> Sent: Wednesday, June 28, 2000 7:35 PM
> Subject: DSL / Routing / ipfw issues
>
> > Hello,
> >
> > I'm having issues with FreeBSD 3.2 - STABLE and a newly acquired cisco
> > 675 DSL router.   What I'm trying to do is drop the BSD box in-between
> > the 675 & my network to act as an ip firewall, with the topology looking
> > like such:
> >
> >  --------          --------          --------          -----
> >  | MyLan| --- pn0 | IPFW  | fxp0 --- eth0 | Cisco | wan0-0 --- | ISP |
> >  --------          --------          --------          -----
> >
> > My lan has 3 other systems connected 2 windoze clients & a FBSD
> > 3.2-stable Box providing DNS (as a shadow domain ) HTTP, FTP & telnet
> > services.   The DNS is configured to provide lookups for my own shadow
> > domain, and forward anything else onto the ISP's DNS.
> >
> > pn0 has an internal ip address of 192.168.123.3
> > fxp0 has an external (to my client network) ip of 10.0.0.1
> > eth0 has an ip of 10.0.0.2
> > wan0-0 is set to DHCP an address from my ISP.
> >
> > Oh and the 675 is setup for NAT.
> >
> > What I'd like to know are what is the best (i.e. simplest) possible
> > configurations for my ipfw in this situation.   Would it be better to
> > bridge the two networks together and have ipfw filter packets or can
> > this be done easily by routing packets between the two interfaces?
> >
> >   I had routing setup to begin with and was able to ping the 675 from my
> > FreeBSD box (ip 192.168.123.1)  but when I tried to ping the 675 from
> > both of  my windoze systems, the packets timed out.   (Yes, I had the
> > default gateway address  of 192.168.123.3 setup in the windoze
> > networking config.)
> >
> > Also, what should the cisco's & the firewalls routing tables look like
> > with this setup?
> >
> > I've read the online tutorials at freebsd.org & mostgraveconcern.com
> > (the cheat sheets), as well as relevant info in "TCP/IP networking" &
> > "Building Internet Firewalls"  both by O'Reilly, but it seems I'm on
> > information overload right now <breathing deeply>...  ...
> >
> > Oh and my rc.firewall script looks almost similar to the one from the
> > cheatsheets.  I'll post it if you need it.
> >
> > Any help is greatly appreciated.
> >
> > Thanks,
> >
> > Robert M. Shields
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
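The return-path problem Daniel describes (the 675 has no route back to 192.168.123.0/24, so replies to the WinBoxes go out the default route and never come back, while the BSD box itself can ping the 675 fine) can be reproduced with a toy hop-by-hop router. This is an added example, not code from the thread: the addresses are the ones Robert posted (pn0 192.168.123.3, fxp0 10.0.0.1, eth0 10.0.0.2), but the per-host routing tables and the WinBox address 192.168.123.10 are assumptions. It models the two routed fixes: a static route on the 675 pointing the LAN at fxp0, or NAT on the BSD box so the 675 only ever sees 10.0.0.1 as a source (on FreeBSD that is natd(8) fed by an ipfw divert rule). Bridging sidesteps the issue because the LAN and the 675 then share one subnet and no return route is needed.

```python
"""Toy longest-prefix-match forwarding over the three boxes in the thread.
Added example; routing tables and the WinBox address are assumptions."""
import ipaddress

N = ipaddress.ip_network
LAN = N("192.168.123.0/24")      # behind pn0
LINK = N("10.0.0.0/24")          # fxp0 <-> eth0
DEFAULT = N("0.0.0.0/0")


def topology(cisco_knows_lan=False):
    """Hosts with addresses and routes as (network, next hop); next hop None
    means directly connected.  'isp' stands for the 675's wan0-0 default route."""
    cisco_routes = [(LINK, None), (DEFAULT, "isp")]
    if cisco_knows_lan:          # fix 1: static route on the 675 back to the LAN via fxp0
        cisco_routes.append((LAN, "10.0.0.1"))
    return {
        "winbox": {"addrs": ["192.168.123.10"],           # assumed WinBox address
                   "routes": [(LAN, None), (DEFAULT, "192.168.123.3")]},
        "ipfw": {"addrs": ["192.168.123.3", "10.0.0.1"],  # pn0 and fxp0
                 "routes": [(LAN, None), (LINK, None), (DEFAULT, "10.0.0.2")]},
        "cisco675": {"addrs": ["10.0.0.2"], "routes": cisco_routes},  # eth0
    }


def lookup(routes, dst):
    """Longest-prefix match: None (no route), 'connected', or a next-hop address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


def owner(hosts, addr):
    """Which host holds this address, or None if it is off the map (e.g. 'isp')."""
    for name, host in hosts.items():
        if addr in host["addrs"]:
            return name
    return None


def trace(hosts, src_host, dst):
    """Forward one packet hop by hop; returns (path, status)."""
    path, cur = [src_host], src_host
    for _ in range(8):                          # crude TTL
        if dst in hosts[cur]["addrs"]:
            return path, "delivered"
        nexthop = lookup(hosts[cur]["routes"], dst)
        if nexthop is None:
            return path, f"{cur} has no route to {dst}"
        gateway = dst if nexthop == "connected" else nexthop
        nxt = owner(hosts, gateway)
        if nxt is None:
            return path, f"{cur} forwarded it to {gateway} (off the map)"
        path.append(nxt)
        cur = nxt
    return path, "ttl exceeded"


def ping(hosts, src_host, src_addr, dst_addr, nat=None):
    """Echo request plus echo reply.  nat=(host, addr) means that host rewrites
    the source of transit packets to addr and undoes it on the way back (fix 2)."""
    fwd_path, status = trace(hosts, src_host, dst_addr)
    if status != "delivered":
        return False, "request: " + status
    responder = fwd_path[-1]
    reply_to = src_addr
    if nat and nat[0] in fwd_path[1:-1]:        # passed through the NAT box as transit
        reply_to = nat[1]                        # responder only ever sees the NAT address
    rev_path, status = trace(hosts, responder, reply_to)
    if status != "delivered":
        return False, "reply: " + status
    if reply_to != src_addr:                     # NAT box translates back and forwards to the LAN
        _, status = trace(hosts, rev_path[-1], src_addr)
        if status != "delivered":
            return False, "reply after NAT: " + status
    return True, "reply delivered"


if __name__ == "__main__":
    cases = [
        ("routed, no route back on the 675", topology(), None),
        ("routed, static route on the 675", topology(cisco_knows_lan=True), None),
        ("routed, NAT on the BSD box", topology(), ("ipfw", "10.0.0.1")),
    ]
    for label, hosts, nat in cases:
        print(f"{label}: {ping(hosts, 'winbox', '192.168.123.10', '10.0.0.2', nat)}")
    print("BSD box itself:", ping(topology(), "ipfw", "10.0.0.1", "10.0.0.2"))
    print("WinBox to fxp0:", ping(topology(), "winbox", "192.168.123.10", "10.0.0.1"))
```

The last two runs match what Robert saw: the BSD box can ping the 675, and any LAN host can ping fxp0 because the BSD box knows the LAN, but a ping from a WinBox to 10.0.0.2 dies on the reply leg until the 675 either learns a route to 192.168.123.0/24 or never sees that source at all.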
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?395AB9BF.C0618989>