From owner-freebsd-ipfw Thu Jul 5 19:53:30 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from isotope.rootprompt.net (mail.rootprompt.net [208.53.161.253]) by hub.freebsd.org (Postfix) with ESMTP id 3C24E37B409 for ; Thu, 5 Jul 2001 19:53:28 -0700 (PDT) (envelope-from robert@rootprompt.net)
From: "Robert Banniza"
To:
Subject: Still can't get it to work...
Date: Thu, 5 Jul 2001 21:55:38 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <2059229442.994196674@[192.168.2.94]>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I cannot for the absolute life of me get IPFW to work with three NICs. All I want to do is to:

1) Pass all traffic from the internal network (192.168.1.0/24) out to the 'net or to the DMZ.
2) Allow 22, 25, 53 (udp), 80, 443 traffic in to the DMZ. The DMZ is using real IP addresses (208.53.161.252/30).
3) Allow no traffic from the DMZ to flow back into the internal network.
4) Block the external interface from RFC1918 spoofed addresses.

My network is broken up into the following segments:

xl0 - external interface (208.53.161.248/30)
fxp0 - internal interface (192.168.1.0/24)
fxp1 - optional interface (208.53.161.252/30)

I'm using default deny, which I feel is safest and compensates for human error more so than default allow. I have looked on the web for a DMZ HOWTO and can't find one. Would any of you have rules that do this? I'm about ready to say fuck it and stick with the Firebox.

Guys, I certainly would appreciate any help with rules on this. I'm tired of fighting with this thing.

Robert

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
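The following is an added example, not a ruleset from the original post or from any reply on the list: a small sh script that prints an ipfw ruleset for the three-NIC layout the post describes (xl0 external, fxp0 internal, fxp1 DMZ, default deny). The rule numbers, the choice of `keep-state` for return traffic, and the logging on denies are my assumptions; the interface names and prefixes are the ones given in the post. Every rule names an explicit direction (`in` or `out`) together with `via`, because ipfw evaluates each forwarded packet once on the receiving interface and again on the transmitting one, and a bare `via xl0` matches both passes, which is a common source of "rules that should match but don't" on a multi-homed box.

```shell
#!/bin/sh
# Added example: generate an ipfw ruleset for a three-NIC firewall with a DMZ.
# Interface names and prefixes are taken from the post; everything else is assumed.
EXT_IF=xl0;  EXT_NET=208.53.161.248/30
INT_IF=fxp0; INT_NET=192.168.1.0/24
DMZ_IF=fxp1; DMZ_NET=208.53.161.252/30

# Print the rules (one "ipfw add ..." command per line) instead of running them,
# so the ruleset can be reviewed first and then piped to sh.
gen_rules() {
    add="ipfw -q add"

    # Loopback: allow lo0, and refuse 127/8 anywhere else (assumed hygiene rules).
    echo "$add 100 allow ip from any to any via lo0"
    echo "$add 200 deny ip from any to 127.0.0.0/8"
    echo "$add 300 deny ip from 127.0.0.0/8 to any"

    # Goal 4: RFC1918 addresses must never arrive on the external interface,
    # in either direction of the address pair. Logged so spoofing is visible.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "$add 1000 deny log ip from $net to any in via $EXT_IF"
        echo "$add 1000 deny log ip from any to $net in via $EXT_IF"
    done
    # Our own DMZ prefix claiming to come from the outside is also spoofed.
    echo "$add 1010 deny log ip from $DMZ_NET to any in via $EXT_IF"

    # Dynamic-rule lookup: replies to every flow admitted with keep-state below
    # are matched here, on whichever interface they arrive.
    echo "$add 2000 check-state"

    # Goal 1: anything the internal LAN starts (to the 'net or the DMZ) is allowed
    # when it enters on fxp0; the state entry lets it leave on xl0 or fxp1.
    echo "$add 2100 allow ip from $INT_NET to any in via $INT_IF keep-state"

    # Goal 2: published DMZ services, admitted only as new connections ("setup")
    # arriving from the outside on xl0.
    for port in 22 25 80 443; do
        echo "$add 2200 allow tcp from any to $DMZ_NET $port in via $EXT_IF setup keep-state"
    done
    echo "$add 2210 allow udp from any to $DMZ_NET 53 in via $EXT_IF keep-state"

    # Goal 3: the DMZ never initiates anything toward the internal LAN.
    # Replies to LAN-initiated flows were already matched by check-state above.
    echo "$add 3000 deny log ip from $DMZ_NET to $INT_NET"
    # DMZ hosts may still start flows to the outside world (assumption; the post
    # only forbids DMZ -> internal).
    echo "$add 3100 allow ip from $DMZ_NET to any in via $DMZ_IF keep-state"

    # Explicit, logged default deny so the last rule's hits show up in the log.
    echo "$add 65000 deny log ip from any to any"
}

# Count of rules produced, handy for a sanity check before applying.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Stand-alone usage: print the ruleset.
gen_rules
```

To apply it on the firewall itself, review the output and then run `ipfw -q flush; sh thisfile.sh | sh`. The ordering matters: the anti-spoof denies sit before `check-state` so a spoofed packet can never ride an existing state entry, and the DMZ-to-internal deny sits after `check-state` so legitimate replies to LAN-initiated connections still pass.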