Date: Thu, 04 Oct 2001 08:20:37 GMT
From: daniel.fairs@spiderplant.net
To: freebsd-questions@freebsd.org
Subject: Firewalling again
Message-ID: <20011004082037.44746.qmail@bonsai.spiderplant.net>
Hi All,

Apologies if this message appears twice, but my normal SMTP server appears to have died.

Right...

Hi, I have a firewall box with three NICs, xl0 (internal), xl1 (DMZ - public servers), and xl2 (DSL connection). I only added the single machine (the mailserver) in the DMZ today - the public and private interfaces have worked and continue to work happily. However, I am having trouble formulating rules for the machine on the DMZ.

The network configuration is such that I have a 192.168.0.0/24 on xl0, 213.2.28.70/29 on xl2 (defaultrouter is 213.2.28.65, the DSL box) and 213.2.28.69/30 on xl1. The mailserver has IP 213.2.28.68/30.

Here's my current attempt (the lines before rule 500 are those I've added):

thor# ipfw s
00010 0 0 allow tcp from any to 213.2.28.68 25 setup
00020 0 0 allow tcp from 213.2.28.68 to any setup
00030 0 0 allow tcp from any to any via xl1 established
00040 79 6636 allow icmp from any to any via xl1
00500 19302090 11240110875 divert 8668 ip from any to any via xl2
00600 0 0 check-state
00700 135 42478 deny log logamount 100 ip from 10.0.0.0/8 to any in recv xl2
00800 52 17671 deny log logamount 100 ip from 172.16.0.0/12 to any in recv xl2
00810 148 72141 deny log logamount 100 ip from 192.168.0.0/16 to any in recv xl2
01100 14534 1261038 allow icmp from any to any
01500 354781 54370955 allow udp from any to any keep-state via xl0
01550 37298975 22388737248 allow tcp from any to any established
01800 474155 23294472 allow tcp from 213.2.28.64/29 to any setup
01900 95864 7130172 allow udp from 213.2.28.64/29 to any keep-state
02000 472803 23236256 allow tcp from any to any via xl0 setup
65535 10191 919453 deny ip from any to any

Now, when I do a ping from the mailserver to the DMZ NIC on the firewall while running tcpdump on xl1 on the firewall, I see:

thor# tcpdump -n -i xl1
tcpdump: listening on xl1
17:59:30.661254 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:31.671257 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:32.681251 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:33.691274 213.2.28.68 > 213.2.28.69: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel

... and of course, no replies. Why is the firewall not replying? Surely rule 40 should permit it to? I take it that everything relating to the DMZ *does* have to live before the line that feeds things into NAT...

(btw, this is a preliminary config - I know there are several things that need tightening up.)

Any thoughts?

Cheers,
Dan
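One way to check which rule decides a given packet under ipfw's first-match evaluation is to replay the ruleset offline. The following is an added example, not code from the post; it models a subset of the rules listed above (the sample packets and the treatment of the divert rule as non-terminating are assumptions) and reports the deciding rule for the echo request and the echo reply seen in the tcpdump.

```python
import ipaddress

# Constructed subset of the ruleset in the post above, in ipfw's first-match order.
# Fields: number, action, proto, src, dst, dst_port, iface, direction, tcp_state.
# "via xl1" is modelled as iface="xl1", direction=None (matches in or out);
# "in recv xl2" as iface="xl2", direction="in".
RULES = [
    (10,    "allow",  "tcp",  "any",            "213.2.28.68", 25,   None,  None, "setup"),
    (20,    "allow",  "tcp",  "213.2.28.68",    "any",         None, None,  None, "setup"),
    (40,    "allow",  "icmp", "any",            "any",         None, "xl1", None, None),
    (500,   "divert", "ip",   "any",            "any",         None, "xl2", None, None),
    (700,   "deny",   "ip",   "10.0.0.0/8",     "any",         None, "xl2", "in", None),
    (800,   "deny",   "ip",   "172.16.0.0/12",  "any",         None, "xl2", "in", None),
    (810,   "deny",   "ip",   "192.168.0.0/16", "any",         None, "xl2", "in", None),
    (1100,  "allow",  "icmp", "any",            "any",         None, None,  None, None),
    (1550,  "allow",  "tcp",  "any",            "any",         None, None,  None, "established"),
    (1800,  "allow",  "tcp",  "213.2.28.64/29", "any",         None, None,  None, "setup"),
    (65535, "deny",   "ip",   "any",            "any",         None, None,  None, None),
]

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    _, _, proto, src, dst, dport, iface, direction, state = rule
    return (proto in ("ip", pkt["proto"])
            and addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
            and (dport is None or dport == pkt.get("dport"))
            and (iface is None or iface == pkt["iface"])
            and (direction is None or direction == pkt["dir"])
            and (state is None or state == pkt.get("state")))

def first_match(pkt, rules=RULES):
    """Return (number, action) of the rule that decides pkt.
    'divert' passes the packet to natd, which reinjects it at the next rule, so it is
    treated as non-terminating here (assumption); the address rewrite is not modelled."""
    for rule in rules:
        if rule_matches(rule, pkt) and rule[1] != "divert":
            return rule[0], rule[1]
    raise AssertionError("unreachable: the ruleset ends in rule 65535")

# The exchange from the tcpdump above: echo request in on xl1, echo reply out on xl1.
ECHO_REQUEST = {"proto": "icmp", "src": "213.2.28.68", "dst": "213.2.28.69", "iface": "xl1", "dir": "in"}
ECHO_REPLY   = {"proto": "icmp", "src": "213.2.28.69", "dst": "213.2.28.68", "iface": "xl1", "dir": "out"}

if __name__ == "__main__":
    for name, pkt in (("echo request", ECHO_REQUEST), ("echo reply", ECHO_REPLY)):
        print(name, "->", *first_match(pkt))
```

Both ICMP packets stop at rule 40, and a packet arriving on xl2 with an RFC 1918 source is caught by the `in recv xl2` rules rather than by the later `allow icmp from any to any`.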