From owner-freebsd-security Wed Jan 15 11:44:21 1997
To: Rohit Dube
cc: Garrett Wollman, security@freebsd.org
Subject: Re: Firewall and FreeBSD CIDR
In-reply-to: Your message of "Wed, 15 Jan 1997 08:11:40 PST." <199701151611.LAA04783@seine.cs.umd.edu>
Date: Wed, 15 Jan 1997 11:43:10 PST
From: Bill Fenner
Message-Id: <97Jan15.114314pst.177476@crevenia.parc.xerox.com>

In message <199701151611.LAA04783@seine.cs.umd.edu> you write:
>External Machine (X.Y.Z.113) / Router

What's this machine's configuration? What's its netmask on this link? If its netmask is /27, then you can't get beyond the firewall because the router doesn't think it's necessary to send the packets *to* the firewall.

You can fix this by configuring the router correctly, or by using the ARP_PROXYALL kludge on the firewall (sysctl -w net.link.ether.inet.proxyall=1).

  Bill
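
Added example, not part of the original message: a small Python model of the router's next-hop decision, showing why a /27 mask on the router keeps packets from ever being handed to the firewall. The 192.0.2.x addresses, the split into two /28 subnets and the firewall's outside address are constructed assumptions; the thread only gives X.Y.Z.113.

```python
import ipaddress

def next_hop(connected, static_routes, dest):
    """Model a router's forwarding choice for dest (longest prefix wins).

    Returns ("arp", dest) when dest falls in a directly connected network,
    ("gateway", gw) when a static route matches, else ("unreachable", None).
    """
    dest = ipaddress.ip_address(dest)
    candidates = []
    for net in connected:
        net = ipaddress.ip_network(net)
        if dest in net:
            candidates.append((net.prefixlen, "arp", dest))
    for net, gw in static_routes:
        net = ipaddress.ip_network(net)
        if dest in net:
            candidates.append((net.prefixlen, "gateway", ipaddress.ip_address(gw)))
    if not candidates:
        return ("unreachable", None)
    _, action, target = max(candidates, key=lambda c: c[0])
    return (action, str(target))

def arp_direct(connected, static_routes, inside_net):
    """Hosts behind the firewall that the router would ARP for on its own
    wire instead of forwarding to the firewall."""
    return [str(h) for h in ipaddress.ip_network(inside_net).hosts()
            if next_hop(connected, static_routes, h)[0] == "arp"]

# Constructed topology (assumption): router .113 and firewall outside .114
# share 192.0.2.112/28; protected hosts live in 192.0.2.96/28.
INSIDE_NET = "192.0.2.96/28"
INSIDE_HOST = "192.0.2.100"
FIREWALL_OUTSIDE = "192.0.2.114"

# Router configured with the whole /27 on its link: inside hosts look on-link.
BROAD_MASK = (["192.0.2.96/27"], [])
# Router with the /28 mask plus a route for the inside subnet via the firewall.
CORRECTED = (["192.0.2.112/28"], [(INSIDE_NET, FIREWALL_OUTSIDE)])

if __name__ == "__main__":
    for name, (conn, routes) in (("/27 on router", BROAD_MASK),
                                 ("/28 + route", CORRECTED)):
        print(name, next_hop(conn, routes, INSIDE_HOST),
              len(arp_direct(conn, routes, INSIDE_NET)), "hosts ARPed directly")
```

In the /27 case the router's ARP requests for the inside hosts go unanswered unless something on the outside wire replies for them, which is the role proxy ARP on the firewall plays.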