From owner-freebsd-security Sun Mar 25 2:11:25 2001
Date: Sun, 25 Mar 2001 11:14:52 +0100
From: Marc Rogers <marcr@closed-networks.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re:
Message-ID: <20010325111452.A10016@shady.org>
References: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>
In-Reply-To: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>; from bhutton@bccwa.wa.edu.au on Sun, Mar 25, 2001 at 12:34:17PM +0800

On Sun, Mar 25, 2001 at 12:34:17PM +0800, Benjamin Hutton wrote:

> I'm attempting to set up a firewall for our network. The machine is
> running 4.2 STABLE. I have the problem that when I enable the firewall
> I can no longer ping the outside world. How do I fix this?

OK, I have two answers for you...

First of all, you have to tell us if you can connect to the outside world at all. If you can't, then I suggest you read http://coombs.anu.edu.au/~avalon/ if you are using ipfilter, or http://www.freebsd.org/handbook/firewalls.html if using ipfw.

I would also suggest reading Practical UNIX & Internet Security, 2nd Edition by Spafford and Garfinkel, published by O'Reilly & Associates, as well as Building Internet Firewalls, 2nd Edition by Zwicky, Chapman and Cooper, also published by O'Reilly & Associates.

Your firewall has to specifically allow traffic through or everything is denied. At the very least this means a rule to let everything through, so that you can specifically deny traffic you don't want.
The next answer is if you can pass through your firewall, but you just can't ping through it, in which case my apologies for stating the obvious above, but you never can tell, and you weren't that clear.

I suspect (although until you give us a little more detail, this is just guesswork) that you have probably set up rfc1918 reserved addresses within your network, using something like ipfilter's IPNAT. When you do this, normally you have to specifically enable which traffic you wish to be translated. In the case of IPNAT, a line such as:

    map ed1 192.168.1.0/24 -> 240.1.0.1/32 portmap tcp/udp 10000:20000

is fine to enable translation of tcp and udp traffic, but if you want icmp traffic, you will need a line like:

    map ed1 192.168.1.0/24 -> 240.1.0.1/32

which will enable translation of any protocol that isn't tcp or udp.

> ----------------------------------
> Benjamin Hutton
> IT Officer Bunbury Catholic College
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
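The point of the two IPNAT lines above is that a `map` rule carrying `portmap tcp/udp` only ever matches TCP and UDP, so ICMP from the inside is left untranslated unless a second, protocol-agnostic `map` line follows. The model below is an added illustration, not IPFilter code and not from the original post: it parses the two rules quoted in the message with a hypothetical first-match evaluator and shows which constructed sample packets get translated under each configuration (port selection is deliberately simplified).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The two ipnat.conf lines quoted in the post.
IPNAT_CONF = """
map ed1 192.168.1.0/24 -> 240.1.0.1/32 portmap tcp/udp 10000:20000
map ed1 192.168.1.0/24 -> 240.1.0.1/32
"""

RULE_RE = re.compile(
    r"map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(\S+)\s+(\d+):(\d+))?$")

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source address
    sport: Optional[int] = None # source port; None for icmp

def parse_rules(conf):
    """Parse 'map' rules in the subset of ipnat.conf syntax used above (toy parser)."""
    rules = []
    for line in conf.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported map rule: " + line)
        iface, src, dst, protos, lo, hi = m.groups()
        rules.append({
            "iface": iface,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst)[0],
            "protos": set(protos.split("/")) if protos else None,  # None = any
            "ports": (int(lo), int(hi)) if lo else None,
        })
    return rules

def translate(pkt, rules):
    """Return the packet as it leaves the outside interface, or None if nothing matched."""
    for r in rules:
        if ipaddress.ip_address(pkt.src) not in r["src"]:
            continue
        if r["protos"] is not None and pkt.proto not in r["protos"]:
            continue  # portmap rule: skipped for icmp and other non-tcp/udp traffic
        sport = pkt.sport
        if r["ports"] and sport is not None:
            lo, hi = r["ports"]
            sport = lo + sport % (hi - lo + 1)  # simplified: real IPNAT tracks free ports
        return Packet(pkt.proto, str(r["dst"]), sport)
    return None
```

With only the first line loaded, `translate(Packet("icmp", "192.168.1.10"), rules)` returns None, which is the "can't ping out" symptom; with both lines it returns an ICMP packet sourced from 240.1.0.1.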