From owner-freebsd-questions Sun Jan 7 17:29:45 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id BC2D937B6A2 for ; Sun, 7 Jan 2001 17:27:27 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 7 Jan 2001 17:25:36 -0800
Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id f081RHP53592; Sun, 7 Jan 2001 17:27:17 -0800 (PST) (envelope-from cjc)
Date: Sun, 7 Jan 2001 17:27:11 -0800
From: "Crist J. Clark"
To: blaz
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall problems
Message-ID: <20010107172711.B95729@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <3A58E5D1.69A6D302@satx.rr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3A58E5D1.69A6D302@satx.rr.com>; from blaz@satx.rr.com on Sun, Jan 07, 2001 at 03:55:29PM -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Jan 07, 2001 at 03:55:29PM -0600, blaz wrote:

Seems like I've seen this a few times.

> I added the following to my kernel and rebuilt:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
>
>
> then I added to /etc/rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> natd_enable="YES"
> natd_interface="xl0" # my NIC connected to cable modem
> natd_flags="-dynamic"
> firewall_script="/etc/rc.firewall.new"

OK.

[snip]

> I will supply the rules at the end, in case it is -- I am going
> by an article I read on bsdtoday.com.. anyway here is what
> I supplied:
>
>
> fwcmd="/sbin/ipfw" #leave as is if using ipfw
> oif="xl0" #set to outside interface name
> onwr="255.255.255.0" #set to outside network range
> I am not sure about this..

It's never used in the rules below, so it doesn't matter what you do
with this. But if it is meant to be like ${inwr}, it should probably be
the network and not just the netmask.

> oip="my ip" #set to outside ip address
> I use DHCP, but supplied current IP
> this has to be wrong

If you need an IP for your rules, you will need to do this
automatically.

> iif="xl1" #set to internal interface name
> inwr="192.168.2/24" #set to internal network range

This will not work how you expect. Try,

  inwr="192.168.2.0/24"

Read inet_network(3) if you want to know why. Although,

  inwr="192.168.512/24"

Should work if you want to use three-dot notation. This _might_ be your
problem. Also, output of 'ipfw show' is always very helpful to see how
the rules actually get loaded.

> iip="192.168.2.1" #set to internal ip address
> ns1="my name server" #set to primary name server best if = oif
> ntp="clock.isc.org" #set to ip of NTP server or leave as is

[snip]

Try fixing that and see if it helps.
-- 
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
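The three spellings of the internal network discussed in the reply above, parsed with the classic dotted notation of inet_aton(3), as an added illustration that is not part of the thread. It assumes the rule parser follows the same "a.b.c" convention (the third part fills the last two octets) and checks whether each spelling still lands in the /24 the admin intended.

```c
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Parse a dotted address with inet_aton(3). In classic notation "a.b.c"
 * treats c as a 16-bit value covering the last two octets, so "192.168.2"
 * becomes 192.168.0.2, not 192.168.2.0. Returns the address in host byte
 * order, or 0 if the string does not parse. */
unsigned long parse_classic(const char *s) {
    struct in_addr a;
    if (inet_aton(s, &a) == 0)
        return 0;
    return (unsigned long)ntohl(a.s_addr);
}

/* Network base of `s` under a /prefix mask, host byte order. */
unsigned long network_of(const char *s, int prefix) {
    unsigned long mask = prefix == 0 ? 0 : (0xFFFFFFFFUL << (32 - prefix));
    return parse_classic(s) & mask & 0xFFFFFFFFUL;
}

/* Does spelling `s`, used with /prefix, denote the same network as `want`? */
int denotes_same_network(const char *s, const char *want, int prefix) {
    return network_of(s, prefix) == network_of(want, prefix);
}

/* Render a host-order address in dotted form into buf (at least 16 bytes). */
const char *dotted(unsigned long h, char *buf) {
    snprintf(buf, 16, "%lu.%lu.%lu.%lu", (h >> 24) & 255, (h >> 16) & 255,
             (h >> 8) & 255, h & 255);
    return buf;
}

int main(void) {
    /* Constructed inputs: the spellings from the thread, checked against the
     * network the rc.firewall variables clearly intend, 192.168.2.0/24. */
    const char *cands[] = { "192.168.2", "192.168.2.0", "192.168.512" };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++) {
        char a[16], n[16];
        dotted(parse_classic(cands[i]), a);
        dotted(network_of(cands[i], 24), n);
        printf("%-12s parses as %-15s /24 network %-15s %s\n", cands[i], a, n,
               denotes_same_network(cands[i], "192.168.2.0", 24)
                   ? "matches intended LAN" : "WRONG NETWORK");
    }
    return 0;
}
```

A rule written with the wrong network silently matches nothing on the LAN, which is why comparing `ipfw show` output against the intended prefix is the quick check.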