Date: Sun, 7 Jan 2001 17:27:11 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: blaz <blaz@satx.rr.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall problems
Message-ID: <20010107172711.B95729@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <3A58E5D1.69A6D302@satx.rr.com>; from blaz@satx.rr.com on Sun, Jan 07, 2001 at 03:55:29PM -0600
References: <3A58E5D1.69A6D302@satx.rr.com>
On Sun, Jan 07, 2001 at 03:55:29PM -0600, blaz wrote:
Seems like I've seen this a few times.
> I added the following to my kernel and rebuilt:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
>
>
> then I added to /etc/rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> natd_enable="YES"
> natd_interface="xl0" # my NIC connected to cable modem
> natd_flags="-dynamic"
> firewall_script="/etc/rc.firewall.new"
OK.
[snip]
> I will supply the rules at the end, in case it is -- I am going
> by an article I read on bsdtoday.com.. anyway here is what
> I supplied:
>
>
> fwcmd="/sbin/ipfw" #leave as is if using ipfw
> oif="xl0" #set to outside interface name
> onwr="255.255.255.0" #set to outside network range
> I am not sure about this..
It's never used in the rules below, so it doesn't matter what you do
with this. But if it is meant to be like ${inwr}, it should probably
be the network and not just the netmask.
> oip="my ip" #set to outside ip address
> I use DHCP, but supplied current IP
> this has to be wrong
If you need an IP for your rules, you will need to do this
automatically.
> iif="xl1" #set to internal interface name
> inwr="192.168.2/24" #set to internal network range
This will not work how you expect. Try,
inwr="192.168.2.0/24"
Read inet_network(3) if you want to know why. Although,
inwr="192.168.512/24"
Should work if you want to use three-dot notation.
This _might_ be your problem. Also, output of 'ipfw show' is always
very helpful to see how the rules actually get loaded.
> iip="192.168.2.1" #set to internal ip address
> ns1="my name server" #set to primary name server best if = oif
> ntp="clock.isc.org" #set to ip of NTP server or leave as is
[snip]
Try fixing that and see if it helps.
--
Crist J. Clark cjclark@alum.mit.edu
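As an added illustration that is not part of this thread or of FreeBSD's own code: the program below implements the classic dotted-notation rules that inet(3) documents for inet_aton(3) ("a.b.c.d"; "a.b.c" with c as 16 bits; "a.b" with b as 24 bits; "a" as 32 bits) and runs an ipfw-style "addr/len" spec through them to show which network a rule loader would actually match. The function names (parse_classic_ipv4, parse_cidr, lint_network_spec) and the LINT_* flags are my own, and the three input specs are constructed from the thread. It shows that "192.168.2/24" parses to the host 192.168.0.2, so after masking the rule covers 192.168.0.0/24 rather than the intended 192.168.2.0/24, while "192.168.2.0/24" and the three-part "192.168.512/24" both yield 192.168.2.0.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { LINT_UNPARSABLE = 1, LINT_SHORT_FORM = 2, LINT_HOST_BITS = 4 };

/* Classic BSD dotted notation as documented in inet(3) for inet_aton(3):
 * "a.b.c.d"; "a.b.c" (c is 16 bits); "a.b" (b is 24 bits); "a" (32 bits).
 * Each part may be decimal, 0-prefixed octal or 0x-prefixed hex.
 * On success stores the address in host byte order plus the part count. */
int parse_classic_ipv4(const char *s, uint32_t *out, int *nparts)
{
    static const uint32_t last_max[5] = { 0, 0xffffffffU, 0xffffffU, 0xffffU, 0xffU };
    uint32_t parts[4];
    int n = 0;
    const char *p = s;

    for (;;) {
        char *end;
        unsigned long v;
        if (!isdigit((unsigned char)*p))
            return 0;
        errno = 0;
        v = strtoul(p, &end, 0);            /* base 0: 0x.. hex, 0.. octal, else decimal */
        if (errno == ERANGE || v > 0xffffffffUL)
            return 0;
        parts[n++] = (uint32_t)v;
        p = end;
        if (*p != '.')
            break;
        if (n == 4)
            return 0;                       /* more than four parts */
        p++;
    }
    if (*p != '\0')
        return 0;                           /* trailing junk; a "/len" must be split off first */
    for (int i = 0; i < n - 1; i++)
        if (parts[i] > 0xff)
            return 0;                       /* every leading part is exactly one byte */
    if (parts[n - 1] > last_max[n])
        return 0;                           /* last part must fit the remaining bytes */

    uint32_t v = parts[n - 1];              /* last part fills the low bytes */
    for (int i = n - 2; i >= 0; i--)
        v |= parts[i] << (8 * (3 - i));     /* leading parts occupy the top bytes */
    *out = v;
    if (nparts)
        *nparts = n;
    return 1;
}

/* Splits an ipfw-style "addr/len" spec (no slash means /32). */
int parse_cidr(const char *spec, uint32_t *net, int *plen, int *nparts)
{
    char buf[48];
    size_t len = strlen(spec);
    if (len >= sizeof buf)
        return 0;
    memcpy(buf, spec, len + 1);
    char *slash = strchr(buf, '/');
    int bits = 32;
    if (slash) {
        char *end;
        *slash = '\0';
        long l = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || l < 0 || l > 32)
            return 0;
        bits = (int)l;
    }
    if (!parse_classic_ipv4(buf, net, nparts))
        return 0;
    *plen = bits;
    return 1;
}

uint32_t prefix_mask(int plen)
{
    return plen == 0 ? 0 : 0xffffffffU << (32 - plen);
}

/* Lints one network spec the way a rule loader sees it. Returns a bitmask of
 * LINT_* flags and, when parsable, the network that is actually matched
 * (the written address ANDed with the mask) in *effective. */
int lint_network_spec(const char *spec, uint32_t *effective)
{
    uint32_t net;
    int plen, nparts, flags = 0;
    if (!parse_cidr(spec, &net, &plen, &nparts))
        return LINT_UNPARSABLE;
    if (nparts < 4)
        flags |= LINT_SHORT_FORM;           /* legal, but rarely what the author meant */
    uint32_t mask = prefix_mask(plen);
    if ((net & mask) != net)
        flags |= LINT_HOST_BITS;            /* written address is not on the prefix boundary */
    if (effective)
        *effective = net & mask;
    return flags;
}

void format_ipv4(uint32_t a, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
             (unsigned)((a >> 8) & 0xff), (unsigned)(a & 0xff));
}

int main(void)
{
    /* constructed inputs: the three forms discussed in the thread */
    const char *specs[] = { "192.168.2/24", "192.168.2.0/24", "192.168.512/24" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uint32_t eff;
        char s[16];
        int flags = lint_network_spec(specs[i], &eff);
        if (flags & LINT_UNPARSABLE) {
            printf("%-16s unparsable\n", specs[i]);
            continue;
        }
        format_ipv4(eff, s);
        printf("%-16s matches %s%s%s\n", specs[i], s,
               (flags & LINT_SHORT_FORM) ? " [short form]" : "",
               (flags & LINT_HOST_BITS) ? " [host bits set]" : "");
    }
    return 0;
}
```

Running it prints "192.168.2/24 matches 192.168.0.0 [short form] [host bits set]", then "192.168.2.0/24 matches 192.168.2.0", then "192.168.512/24 matches 192.168.2.0 [short form]". The host-bits flag is the one worth treating as an error in a rule set: a network spec whose address is not on its prefix boundary silently matches a different network than the one written, and comparing the output of 'ipfw show' against the intended ranges is how you catch it on a live box.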
