Date: Thu, 29 Apr 2004 16:44:04 -0400
From: Charles Swiger <cswiger@mac.com>
To: "Andrea E." <andrea@ae4u.de>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw with NAT and ARP
Message-ID: <F3B04A14-9A1D-11D8-BC40-003065ABFD92@mac.com>
In-Reply-To: <4091740F.7000908@ae4u.de>
References: <4091740F.7000908@ae4u.de>
On Apr 29, 2004, at 5:30 PM, Andrea E. wrote:
[ ... ]
> But I want only a simple firewall, and for this reason I first want to
> configure the ICMP protocol:
>
> ip_ext => External IP address
>
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
> ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1
>
> -> It's not ok. With "ethereal" no packets are going out (tested from
> another system, connected with a hub.)

Add a "ipfw add deny log ip from any to any" and you will be able to
troubleshoot your own problems much more effectively by checking the
logging.

Most probably, you'll need to take into account that the IP addresses of
packets get re-written after being diverted to natd.

> When testing "ping" from external to the external IP address of my
> firewall, the ARP request "to broadcast: Who has xxx.xxx.xxx.xxx? Tell
> xxx.xxx.xxx.xxx" fails.
>
> -> seems to have a problem letting ARP through the firewall.
>
> Above -> "ipfw add allow all from any to any" lets ARP through the
> firewall. So I think that the configuration of the rest of my
> computer (like kernel, rc.conf, etc.) is ok.

ARP traffic is subnet-local and is not passed through a routing device,
such as the NAT'ing firewall you are testing. If you want to pass ARPs,
consider using layer-2 bridging instead of layer-3 routing and address
translation.

> There is a bug:
> After restarting the system with the above configuration of the ICMP
> protocol no ping request is going out. After a flush of all rules and
> configuring "ipfw add allow all from any to any" the ping request gets
> an answer.

No bug. There are kernel options which control whether IPFW is
configured to pass or deny traffic by default. Consider adding:

options IPFIREWALL_DEFAULT_TO_ACCEPT

...to your kernel config and rebuilding the kernel.

-- 
-Chuck

PS: Cross-posting to multiple groups is better than posting a single
message twice, and posting just to -questions is usually enough...
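The following ruleset is an added example illustrating the two points made in the reply above; it is not code from the thread or from either poster. It applies Chuck's advice literally: natd re-injects each diverted packet at the next rule with its address already rewritten, so the reply rule has to match the post-NAT destination, and a final "deny log" rule makes every dropped packet visible. Only the external interface name xl1 comes from the thread; the internal interface xl0, the external address 203.0.113.10 and the LAN 192.168.1.0/24 are assumptions, and the rule numbers are arbitrary. By default the script only prints the ipfw commands (IPFW is set to "echo ipfw"); run it with IPFW=ipfw on the firewall to load them.

```shell
#!/bin/sh
# Added example, not from the original thread. An ipfw + natd ruleset that
# accounts for natd rewriting addresses after the divert rule and ends with
# a logging deny so dropped packets show up in the log.
# Interface and address values are assumptions (only xl1 is from the thread).
# Dry run by default: prints the commands. Run with IPFW=ipfw to apply.
IPFW=${IPFW:-"echo ipfw"}
ext_if=xl1                  # external interface named in the thread
int_if=xl0                  # assumed internal interface
ip_ext=203.0.113.10         # assumed external address (documentation range)
int_net=192.168.1.0/24      # assumed LAN behind natd

build_rules() {
    $IPFW -f flush
    # 0. A LAN packet is seen twice: "in via xl0" first, then "out via xl1".
    #    Without this rule the first pass already hits the final deny, which
    #    is exactly what "no packets are going out" looks like.
    $IPFW add 50 allow ip from any to any via "$int_if"
    # 1. natd sees every packet crossing xl1 and re-injects it at the next
    #    rule with the translated address, so rules 200+ see post-NAT packets.
    $IPFW add 100 divert natd all from any to any via "$ext_if"
    # 2. Outbound echo request: after natd the source is $ip_ext whether the
    #    ping came from the firewall itself or from a LAN host.
    $IPFW add 200 allow icmp from "$ip_ext" to any icmptypes 8 out via "$ext_if"
    # 3. Inbound echo reply: for a LAN host's ping natd has already rewritten
    #    the destination back to the LAN address, so "to $ip_ext" never
    #    matches it. Allow both post-NAT destinations.
    $IPFW add 300 allow icmp from any to "$int_net" icmptypes 0 in via "$ext_if"
    $IPFW add 310 allow icmp from any to "$ip_ext" icmptypes 0 in via "$ext_if"
    # 4. Pinging the firewall itself from outside: request in, reply out.
    $IPFW add 400 allow icmp from any to "$ip_ext" icmptypes 8 in via "$ext_if"
    $IPFW add 410 allow icmp from "$ip_ext" to any icmptypes 0 out via "$ext_if"
    # 5. Log everything that falls through. "log" only produces output when
    #    the kernel has IPFIREWALL_VERBOSE or net.inet.ip.fw.verbose=1 is set.
    $IPFW add 65000 deny log ip from any to any
}

build_rules
```

Two practical notes. First, with an explicit final deny the kernel default (IPFIREWALL_DEFAULT_TO_ACCEPT or not) only matters in the window between "ipfw -f flush" and the first allow rule, so never load a ruleset like this over an ssh session that itself crosses xl1 unless the default is accept. Second, after loading, watch the log (on FreeBSD of that era, /var/log/security) while pinging; each line names the rule number that dropped the packet and shows the already-translated addresses, which is the quickest way to see where a rule's address or direction clause is wrong.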
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F3B04A14-9A1D-11D8-BC40-003065ABFD92>