From: Charles Swiger
Date: Thu, 29 Apr 2004 16:44:04 -0400
To: "Andrea E."
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw with NAT and ARP
In-Reply-To: <4091740F.7000908@ae4u.de>

On Apr 29, 2004, at 5:30 PM, Andrea E. wrote:

[ ... ]

> But I want such a simple firewall, and for this reason I first want to
> configure the ICMP protocol:
>
> ip_ext => External IP-Address
>
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
> ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1
>
> -> It's not ok. With "ethereal" no packets are going out (test from
> another system, connected with a hub).
Add an "ipfw add deny log ip from any to any" rule and you will be able to
troubleshoot your own problems much more effectively by checking the
logging. Most probably, you'll need to take into account that the IP
addresses of packets get re-written after being diverted to natd.

> When testing "ping" from external to the external IP address of my
> firewall, the ARP request "to broadcast: Who has xxx.xxx.xxx.xxx? Tell
> xxx.xxx.xxx.xxx" fails.
>
> -> Seems to have a problem letting ARP through the firewall.
>
> Above -> "ipfw add allow all from any to any" lets ARP through the
> firewall. So I think that the configuration of the rest of my
> computer (like kernel, rc.conf, etc.) is ok.

ARP traffic is subnet-local and is not passed through a routing device,
such as the NAT'ing firewall you are testing. If you want to pass ARPs,
consider using layer-2 bridging instead of layer-3 routing and address
translation.

> There is a bug:
> After restarting the system with the above configuration of the ICMP
> protocol, no ping request is going out. After a flush of all rules and
> configuring "ipfw add allow all from any to any", ping requests get an
> answer.

No bug. There are kernel options which control whether IPFW is configured
to pass or deny traffic by default. Consider adding:

options IPFIREWALL_DEFAULT_TO_ACCEPT

...to your kernel config and rebuilding the kernel.

--
-Chuck

PS: Cross-posting to multiple groups is better than posting a single
message twice, and posting just to -questions is usually enough...
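A script for the two checks Chuck describes, added here as an example and not part of the original thread: it reports the kernel's default policy from ipfw's rule listing (the built-in rule 65535 reads "allow" only when the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, otherwise "deny") and loads the quoted ICMP rules with the suggested logging deny rule as the last rule. IP_EXT, EXT_IF and the rule numbers are constructed placeholders; set IPFW=echo to preview the rules without loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes FreeBSD ipfw(8) with
# natd(8) diverting traffic on xl1, as in the quoted configuration.
IP_EXT="${IP_EXT:-192.0.2.1}"   # constructed placeholder external address
EXT_IF="${EXT_IF:-xl1}"
IPFW="${IPFW:-ipfw}"            # IPFW=echo prints the rules instead of loading them

# Print the kernel's default policy ("accept", "deny" or "unknown") from an
# "ipfw show" or "ipfw list" listing read on stdin. The final rule 65535 is
# "allow ip from any to any" only with options IPFIREWALL_DEFAULT_TO_ACCEPT;
# the default kernel shows "deny ip from any to any" there. Both listing
# formats are handled: "ipfw show" adds packet/byte counters after the number.
ipfw_default_policy() {
    awk '$1 == "65535" {
             for (i = 2; i <= NF; i++)
                 if ($i == "allow" || $i == "deny") {
                     print ($i == "allow") ? "accept" : "deny"; found = 1; exit
                 }
         }
         END { if (!found) print "unknown" }'
}

# Load the quoted ICMP ruleset plus the troubleshooting rule from the reply.
# Rules are numbered so they can be listed or deleted individually.
load_icmp_rules() {
    "$IPFW" -f flush
    "$IPFW" add 100 divert natd all from any to any via "$EXT_IF"
    # Outbound echo request: by the time this rule runs, natd has already
    # rewritten the source of forwarded packets to the external address.
    "$IPFW" add 200 allow icmp from "$IP_EXT" to any icmptypes 8 out via "$EXT_IF"
    # Inbound echo reply: natd may likewise have rewritten the destination
    # to an internal host before this rule sees the packet.
    "$IPFW" add 300 allow icmp from any to "$IP_EXT" icmptypes 0 in via "$EXT_IF"
    # Catch-all that logs whatever no earlier rule accepted, so the security
    # log shows exactly which packets are being dropped and why.
    "$IPFW" add 65000 deny log ip from any to any
}
```

Run `ipfw show | ipfw_default_policy` on the firewall to see which default the running kernel was built with before assuming a rule is at fault.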