Date: Thu, 4 Oct 2001 13:30:58 +0200 From: "Patrick O'Reilly" <patrick@mip.co.za> To: "FreeBSD Question List" <freebsd-questions@freebsd.org>, <daniel.fairs@spiderplant.net> Subject: RE: Firewalling again Message-ID: <NDBBIMKICMDGDMNOOCAIAEOGDJAA.patrick@mip.co.za> In-Reply-To: <20011004082037.44746.qmail@bonsai.spiderplant.net>
Daniel,

Before we even touch the firewall rules, it looks like your subnets are all mixed up. That will stop things from working!

You mention 213.2.28.70/29 on xl2. That means the network runs from .64 to .71. Then you say you have 213.2.28.69/30 on xl1. That indicates a network from .68 to .71. These overlap - BAD!

Also, your mailserver, if it is configured as you say (213.2.28.68/30), is on an invalid IP, as .68 is the IP of the subnet - it is not valid for a host.

If you give me your subnets allocated by your ISP, I'll send info about how to set the interfaces in rc.conf. Your ISP should have given you a subnet for the DMZ (probably the /29 you mentioned), and you should have another subnet (a /30) for the DSL connection.

Patrick.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of daniel.fairs@spiderplant.net
Sent: 04 October 2001 10:21
To: freebsd-questions@FreeBSD.ORG
Subject: Firewalling again

Hi All,

Apologies if this message appears twice, but my normal SMTP server appears to have died.

Right...

Hi, I have a firewall box with three NICs, xl0 (internal), xl1 (DMZ - public servers), and xl2 (DSL connection). I only added the single machine (the mailserver) in the DMZ today - the public and private interfaces have worked and continue to work happily. However, I am having trouble formulating rules for the machine on the DMZ.

The network configuration is such that I have a 192.168.0.0/24 on xl0, 213.2.28.70/29 on xl2 (defaultrouter is 213.2.28.65, the DSL box) and 213.2.28.69/30 on xl1. The mailserver has IP 213.2.28.68/30.
Here's my current attempt (the lines before rule 500 are those I've added):

thor# ipfw s
00010        0           0 allow tcp from any to 213.2.28.68 25 setup
00020        0           0 allow tcp from 213.2.28.68 to any setup
00030        0           0 allow tcp from any to any via xl1 established
00040       79        6636 allow icmp from any to any via xl1
00500 19302090 11240110875 divert 8668 ip from any to any via xl2
00600        0           0 check-state
00700      135       42478 deny log logamount 100 ip from 10.0.0.0/8 to any in recv xl2
00800       52       17671 deny log logamount 100 ip from 172.16.0.0/12 to any in recv xl2
00810      148       72141 deny log logamount 100 ip from 192.168.0.0/16 to any in recv xl2
01100    14534     1261038 allow icmp from any to any
01500   354781    54370955 allow udp from any to any keep-state via xl0
01550 37298975 22388737248 allow tcp from any to any established
01800   474155    23294472 allow tcp from 213.2.28.64/29 to any setup
01900    95864     7130172 allow udp from 213.2.28.64/29 to any keep-state
02000   472803    23236256 allow tcp from any to any via xl0 setup
65535    10191      919453 deny ip from any to any

Now, when I do a ping from the mailserver to the DMZ NIC on the firewall while running tcpdump on xl1 on the firewall, I see:

thor# tcpdump -n -i xl1
tcpdump: listening on xl1
17:59:30.661254 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:31.671257 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:32.681251 213.2.28.68 > 213.2.28.69: icmp: echo request
17:59:33.691274 213.2.28.68 > 213.2.28.69: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel

... and of course, no replies. Why is the firewall not replying? Surely rule 40 should permit it to? I take it that everything relating to the DMZ *does* have to live before the line that feeds things into NAT...

(btw, this is a preliminary config - I know there are several things that need tightening up.)

Any thoughts?
Cheers,
Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
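The subnet arithmetic Patrick does by hand in his reply (which address range each interface's prefix covers, whether two of the firewall's interfaces claim overlapping ranges, and whether the mailserver's .68 is really a usable host address in a /30) is the kind of check worth running before touching any ipfw rule. The script below is an added example written for this archive page, not code from either poster. It feeds in the addresses Daniel posted; the only assumption there is a host address of 192.168.0.1 for xl0, since Daniel gives only the 192.168.0.0/24 subnet. The "fixed" layout at the bottom is hypothetical, built from RFC 5737 documentation prefixes purely to show the checks passing on a DMZ /29 plus a separate /30 for the DSL link, as Patrick suggests; it is not Daniel's real ISP allocation.

```python
"""Audit a multi-homed firewall's addressing: per-interface subnet ranges,
overlapping subnets on different interfaces, and hosts sitting on a
network or broadcast address.  Added example, not from the original thread."""
import ipaddress
from itertools import combinations

# Constructed from the addresses posted in the thread.  Daniel gives xl0 only
# as the subnet 192.168.0.0/24, so the .1 host address is an assumption.
FIREWALL_IFACES = {
    "xl0": "192.168.0.1/24",   # internal (host address assumed)
    "xl1": "213.2.28.69/30",   # DMZ side
    "xl2": "213.2.28.70/29",   # DSL side
}
# Hosts and the firewall interface each one hangs off.
HOSTS = {
    "mailserver": ("213.2.28.68/30", "xl1"),
}

# Hypothetical corrected layout using RFC 5737 documentation prefixes: a /29
# for the DMZ and a separate /30 for the DSL link.  Not the real allocation.
FIXED_IFACES = {
    "xl0": "192.168.0.1/24",
    "xl1": "192.0.2.1/29",       # DMZ /29: 192.0.2.0 - 192.0.2.7
    "xl2": "198.51.100.2/30",    # DSL /30: 198.51.100.0 - 198.51.100.3
}
FIXED_HOSTS = {
    "mailserver": ("192.0.2.2/29", "xl1"),
}


def subnet(cidr):
    """The network an interface address with prefix length belongs to."""
    return ipaddress.ip_interface(cidr).network


def address_range(cidr):
    """(first, last) address of the subnet containing cidr, as strings."""
    net = subnet(cidr)
    return str(net.network_address), str(net.broadcast_address)


def unusable_host(cidr):
    """Reason string if the host part is the network or broadcast address
    (for prefixes shorter than /31, where both are reserved), else None."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen >= 31:    # RFC 3021 point-to-point links use both addresses
        return None
    if iface.ip == net.network_address:
        return f"{iface.ip} is the network address of {net}"
    if iface.ip == net.broadcast_address:
        return f"{iface.ip} is the broadcast address of {net}"
    return None


def overlapping_interfaces(ifaces):
    """Pairs of distinct interfaces whose subnets overlap.  A router cannot
    have the same address space reachable out of two different links."""
    found = []
    for (a, ca), (b, cb) in combinations(sorted(ifaces.items()), 2):
        if subnet(ca).overlaps(subnet(cb)):
            found.append((a, b))
    return found


def audit(ifaces, hosts):
    """Run every check and return the findings as a dict."""
    problems = []
    everything = list(ifaces.items()) + [(n, c) for n, (c, _) in hosts.items()]
    for name, cidr in everything:
        reason = unusable_host(cidr)
        if reason:
            problems.append((name, reason))
    for name, (cidr, attached_to) in hosts.items():
        # A host must share the subnet of the interface it is plugged into.
        if subnet(cidr) != subnet(ifaces[attached_to]):
            problems.append((name, f"subnet {subnet(cidr)} differs from "
                                   f"{attached_to}'s {subnet(ifaces[attached_to])}"))
    return {
        "ranges": {n: address_range(c) for n, c in ifaces.items()},
        "overlaps": overlapping_interfaces(ifaces),
        "bad_hosts": problems,
    }


def report(ifaces, hosts):
    """Print the audit in the same terms Patrick uses in the thread."""
    result = audit(ifaces, hosts)
    for name, (lo, hi) in result["ranges"].items():
        print(f"{name}: network runs from {lo} to {hi}")
    for a, b in result["overlaps"]:
        print(f"OVERLAP: {a} and {b} - BAD!")
    for name, reason in result["bad_hosts"]:
        print(f"INVALID HOST {name}: {reason}")
    return result


if __name__ == "__main__":
    print("-- as posted --")
    report(FIREWALL_IFACES, HOSTS)
    print("-- hypothetical corrected layout --")
    report(FIXED_IFACES, FIXED_HOSTS)
```

On the posted addresses this reports xl1 (213.2.28.68 to .71) overlapping xl2 (213.2.28.64 to .71) and flags 213.2.28.68 as the network address of 213.2.28.68/30, which is exactly what Patrick works out by hand; the hypothetical layout produces no findings.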