From owner-freebsd-ipfw  Mon Apr 24 18:51:50 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 890BE37BC7C
	for <freebsd-ipfw@FreeBSD.ORG>; Mon, 24 Apr 2000 18:51:37 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id VAA75148;
	Mon, 24 Apr 2000 21:17:21 -0400 (EDT)
	(envelope-from cjc)
Date: Mon, 24 Apr 2000 21:17:21 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Jordan Blanchard <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network
Message-ID: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000424082153.A73579@cc942873-a.ewndsr1.nj.home.com> <NEBBLHFGALIEHENGIGPLGEBCCAAA.cybernetik@sympatico.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <NEBBLHFGALIEHENGIGPLGEBCCAAA.cybernetik@sympatico.ca>; from cybernetik@sympatico.ca on Mon, Apr 24, 2000 at 10:17:16AM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Apr 24, 2000 at 10:17:16AM -0400, Jordan Blanchard wrote:
> 
> "Forcing you to use a proxy?" What do you mean?
> 
> 
> well, when trying to view web pages without a proxy program through my 95
> box, it stalls..
> 
> 
> Anyway, could you send,
> 
>   # ipfw show
> 
> 00060 66545 35492707 allow ip from any to any
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00100     0        0 allow ip from any to any via lo0
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00200     0        0 deny ip from any to 127.0.0.0/8
> 00210     0        0 deny icmp from any to any via ed0
> 65535    16     1000 deny ip from any to any

As Mike pointed out, these rules make no sense. They are not the
"simple" firewall rules either.

>   # netstat -rn
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags     Refs     Use     Netif
> Expire
> default            216.209.34.1       UGSc       10     9642     tun0
> 1                  link#2             UC          0        0      ed1
> 10.10.10/24        link#1             UC          0        0      ed0
> 10.10.10.12        0:40:5:4d:3d:c8    UHLW        1     2260      ed0    144
> 10.10.10.120       0:80:c8:36:69:ed   UHLW        2     4970      ed0    715
> 127.0.0.1          127.0.0.1          UH          0        2      lo0
> 216.209.34.1       216.209.34.202     UH          9        0     tun0
> 216.209.34.202     127.0.0.1          UH          0        0      lo0

OK.

>   # ifconfig -a
> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
>         ether 00:20:18:65:a0:9f
> ed1: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
>         inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
>         ether 00:00:c0:df:fb:7f
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>         inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000

OK.

> :And if you are running natd(8) or a routing daemon, the relevant
> :info. Then we can probably help analyze your problem.
> 
>  I've got natd runing, from rc.conf..
> 
>   	138  ??  Is     0:00.00 /sbin/natd -n tun0

If you are doing NAT through PPP, you should probably use the '-nat'
option in ppp(8) rather than the natd(8) daemon.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message