From owner-freebsd-questions Thu Aug 17 22:59:33 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 3A00137B424 for ; Thu, 17 Aug 2000 22:59:30 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 17 Aug 2000 22:58:19 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id WAA90712; Thu, 17 Aug 2000 22:59:23 -0700 (PDT) (envelope-from cjc)
Date: Thu, 17 Aug 2000 22:59:23 -0700
From: "Crist J . Clark"
To: "SILVER, MICHAEL A"
Cc: "'freebsd-questions@FreeBSD.org'"
Subject: Re: Problem with FreeBSD behind a firewall
Message-ID: <20000817225922.G28027@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from MSILVER@scana.com on Thu, Aug 17, 2000 at 12:04:52PM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Aug 17, 2000 at 12:04:52PM -0400, SILVER, MICHAEL A wrote:
> I have a situation where my FBSD machine sits behind a hardware firewall and
> is inaccessible from the outside world. The problem is, it needs to be
> accessible. The HW firewall is set up to pass all traffic to a specific
> internet IP to the FBSD firewall, but this appears not to be happening, OR
> the FBSD machine is not responding properly. I need to find out which is
> the problem and correct it. (I don't have access to the HW firewall)

Sniff (tcpdump) the external interface of the FreeBSD machine, 10.0.0.20.
Try to connect to it from the Internet. Watch the tcpdump output and see
if the packets are coming in.

> FYI: The FBSD machine also acts as a firewall for a small subnet. So there
> are actually two firewalls (see diagram below). Currently everyone on the
> internal net can access the internet successfully. I am using ipfw and natd
> for this. Only incoming traffic is failing.
>
>       Internet                FBSD Firewall
>  o---(public addresses)----o----(10.0.20)-----o----(172.16.1)-----o
>                        HW Firewall         Internal Net
>
> My question is this, do I need to assign the valid internet address from the
> HW firewall to the FBSD box so that it can respond to outside requests
> properly?

It's not really up to the FreeBSD box. The "hardware firewall" has to do
all of the work of redirecting addresses if it is doing NAT and not
routing.

> Currently it is dual homed, but with private addresses. I tried
> using an IP alias, and this made NATD bomb. Will logging show if traffic is
> actually being passed through the hardware firewall to the FBSD machine?

Like I said, try a tcpdump on the outer interface.

> I would include config files, but I don't currently have access to the
> machine. If this is where the problem may lie, I will get access. People
> on the internal net AND on the 10.0.20 net can access the FBSD machine, just
> not people from the internet.

Sounds like it is the configuration of the "hardware firewall."
-- 
Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
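The reply's diagnostic (capture on the outer interface of the FreeBSD box while someone connects from the Internet, then decide whether the upstream "hardware firewall" is forwarding at all or the FreeBSD side is failing to answer) can be made mechanical. The script below is an added example written for this thread; it is not code from the original post or from either participant. It assumes a hypothetical outer interface name (fxp0) and a hypothetical test port (22), both overridable through environment variables; the outer address 10.0.0.20 is the one named in the reply; the client address 203.0.113.5 and all capture lines are constructed, not real tcpdump output. It prints the tcpdump command to run on the box and classifies a saved capture in both the old (`: S 1000:1000(0)`) and the newer (`Flags [S]`) tcpdump line formats.

```shell
#!/bin/sh
# Added diagnostic for the "sniff the outer interface" procedure in the reply.
# Assumptions (not from the thread): EXT_IF and TEST_PORT are placeholders;
# 203.0.113.5 and every sample line below are constructed.

EXT_IF="${EXT_IF:-fxp0}"            # hypothetical outer interface name
FBSD_EXT="${FBSD_EXT:-10.0.0.20}"   # outer address named in the reply
TEST_PORT="${TEST_PORT:-22}"        # hypothetical service to test

# Print the capture command to run on the FreeBSD box before connecting
# from outside.  -n avoids DNS lookups that would themselves need to pass
# the upstream firewall; the filter keeps only the test conversation.
capture_cmd() {
    printf 'tcpdump -n -i %s host %s and tcp port %s\n' \
        "$EXT_IF" "$FBSD_EXT" "$TEST_PORT"
}

# classify_capture: read tcpdump lines on stdin and print one verdict:
#   no-inbound : no SYN to the outer address ever arrived, so the upstream
#                ("hardware") firewall is not forwarding the traffic
#   no-reply   : SYNs arrive but the box sends no SYN-ACK or RST, so the
#                FreeBSD side (ipfw/natd rules or the service) is at fault
#   ok         : SYN in and SYN-ACK out, the forwarding path works
classify_capture() {
    awk -v host="$FBSD_EXT" -v port="$TEST_PORT" '
        BEGIN { target = host "." port; inbound = 0; reply = 0 }
        {
            # locate the ">" separator: field before it is src, after it dst
            src = ""; dst = ""
            for (i = 2; i <= NF; i++)
                if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            sub(/:$/, "", dst)
            # pure SYN: new format "Flags [S]", old format ": S n:n(0)" without ack
            syn    = ($0 ~ /Flags \[S\]/ || $0 ~ /: S [0-9]/)
            synack = ($0 ~ /Flags \[S\.\]/ || ($0 ~ /: S [0-9]/ && $0 ~ / ack /))
            rst    = ($0 ~ /Flags \[R/ || $0 ~ /: R [0-9]/)
            if (syn && !synack && dst == target) inbound++
            if ((synack || rst) && src == target) reply++
        }
        END {
            if (inbound == 0)    print "no-inbound"
            else if (reply == 0) print "no-reply"
            else                 print "ok"
        }'
}

# Constructed captures, one per outcome (not real tcpdump output).
sample_no_inbound() {
    # only an outbound connection from the box is seen; nothing came in
    printf '%s\n' \
      '23:01:02.100 IP 10.0.0.20.40001 > 203.0.113.5.22: Flags [S], seq 1, win 65535'
}
sample_no_reply() {
    # the client retransmits its SYN, the box never answers
    printf '%s\n' \
      '23:01:02.100 IP 203.0.113.5.40001 > 10.0.0.20.22: Flags [S], seq 1000, win 65535' \
      '23:01:05.100 IP 203.0.113.5.40001 > 10.0.0.20.22: Flags [S], seq 1000, win 65535'
}
sample_ok() {
    printf '%s\n' \
      '23:01:02.100 IP 203.0.113.5.40001 > 10.0.0.20.22: Flags [S], seq 1000, win 65535' \
      '23:01:02.101 IP 10.0.0.20.22 > 203.0.113.5.40001: Flags [S.], seq 2000, ack 1001, win 65535'
}
sample_ok_old_format() {
    # same exchange as tcpdump printed it in 2000
    printf '%s\n' \
      '23:01:02.100 203.0.113.5.40001 > 10.0.0.20.22: S 1000:1000(0) win 16384' \
      '23:01:02.101 10.0.0.20.22 > 203.0.113.5.40001: S 2000:2000(0) ack 1001 win 16384'
}

# Demonstration: show the capture command and classify each sample.
run_demo() {
    printf 'run on the FreeBSD box: %s\n' "$(capture_cmd)"
    printf 'no-inbound sample -> %s\n' "$(sample_no_inbound | classify_capture)"
    printf 'no-reply sample   -> %s\n' "$(sample_no_reply | classify_capture)"
    printf 'ok sample         -> %s\n' "$(sample_ok | classify_capture)"
    printf 'old-format sample -> %s\n' "$(sample_ok_old_format | classify_capture)"
}

run_demo
```

To use it on a real box, run the printed tcpdump command with `-w` to a file (or redirect its text output), attempt the connection from outside, and pipe the text lines into `classify_capture`. A `no-inbound` verdict matches the reply's conclusion that the upstream device is not forwarding; `no-reply` points at the FreeBSD side, where the ipfw and natd configuration mentioned in the question would be the first place to look.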