From owner-freebsd-questions Fri Aug 6 07:23:07 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from voyager.fisicc-ufm.edu (ip-46-094.guate.net [200.12.46.94]) by hub.freebsd.org (Postfix) with ESMTP id 0DEDC14D1D for ; Fri, 6 Aug 1999 07:23:00 -0700 (PDT) (envelope-from obonilla@voyager.fisicc-ufm.edu)
Received: (from obonilla@localhost) by voyager.fisicc-ufm.edu (8.9.3/8.9.3) id PAA00937; Thu, 5 Aug 1999 15:45:36 -0600 (CST) (envelope-from obonilla)
Date: Thu, 5 Aug 1999 15:45:36 -0600
From: "'Oscar Bonilla'"
To: "David B. Aas"
Cc: "'Oscar Bonilla'", "'Ray Seals'", "'Thomas Uhrfelt'", questions@FreeBSD.ORG
Subject: Re: FW: Need consulting help with v3.2 firewall
Message-ID: <19990805154536.A885@fisicc-ufm.edu>
References: <000801bedf87$92edf580$0fc8a8c0@dave.ciminot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <000801bedf87$92edf580$0fc8a8c0@dave.ciminot.com>; from David B. Aas on Thu, Aug 05, 1999 at 04:12:51PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

see comments embedded...

Let me see if I understand your topology...

Inside net: 129.1.1.0/24
Firewall:   xl0 (129.1.1.?)        Inside Interface
            xl1 (208.149.231.82)   Outside Interface

What is 208.149.231.26 ?

Note that you're not using RFC 1918 addresses on the inside net. If your IP addresses for the inside are valid (i.e. registered and visible from the internet) you don't need to use natd. If they are not valid you should use RFC 1918 addresses... From the natd manpage:

     -unregistered_only | -u
             Only alter outgoing packets with an unregistered source address.
             According to rfc 1918, unregistered source addresses are
             10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

I would suggest deleting all rules and leaving just the natd stuff (if you need it) and an allow ip from any to any. See if that works (also try ping). If it doesn't you've crossed out the ruleset as a possible cause of trouble.
Something else is misconfigured. If it does work, change the ruleset to deny ip from any to any and slowly start adding rules until you have everything working.

Regards,

-Oscar

--
For PGP Public Key: finger obonilla@fisicc-ufm.edu
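An added POSIX shell example, not part of Oscar's reply or of FreeBSD, that makes the two points above checkable: the RFC 1918 test that natd -unregistered_only applies (so a 129.1.1.0/24 inside net would never be translated under -u), and the stripped-down "natd plus allow any to any" diagnostic ruleset. The sample addresses come from the topology in the mail; the ipfw rule numbers 50 and 65000 are an assumption, not the poster's configuration, and the script only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the original thread. Implements the RFC 1918 test
# that natd -unregistered_only applies, and prints the stripped-down
# diagnostic ruleset suggested in the reply. Sample addresses are taken from
# the topology in the mail; the ipfw rule numbers are assumed, not the poster's.

# Convert a dotted quad to a 32-bit integer using POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (exit 0) when $1 lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    n=$(ip2int "$1")
    [ $(( n >> 24 )) -eq 10 ] && return 0                      # 10.0.0.0/8
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0   # 172.16.0.0/12
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0 # 192.168.0.0/16
    return 1
}

# What natd -u does with an outgoing packet whose source address is $1.
natd_u_decision() {
    if is_rfc1918 "$1"; then echo translate; else echo pass-through; fi
}

# Diagnostic ruleset from the reply: flush everything, keep the natd divert
# only if the inside net is unregistered, and allow all traffic. Prints the
# ipfw commands rather than running them, so they can be reviewed first.
diag_ruleset() {
    inside_net=$1; outside_if=$2
    echo "ipfw -f flush"
    if is_rfc1918 "$inside_net"; then
        echo "ipfw add 50 divert natd all from any to any via $outside_if"
    fi
    echo "ipfw add 65000 allow ip from any to any"
}

# The inside net in the mail (129.1.1.0/24) is registered space: no translation.
natd_u_decision 129.1.1.10      # pass-through
natd_u_decision 192.168.1.10    # translate
diag_ruleset 129.1.1.0 xl1
```

If the inside net really is registered, the divert rule never appears and natd is simply not needed; if the permissive ruleset still fails, the problem is outside ipfw, exactly as the reply says.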