From: Joe Bo
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 25 Sep 1999 02:50:06 -0700
Subject: ipfw, natd and RFC1918

Hi,

I'm running v3.2 with ipfw and natd on a 2-NIC machine as a gateway for an RFC1918 network of Windows PCs. I changed the firewall type to "simple", and my internal network could no longer get internet access. Of course, in rc.firewall I have:

    $fwcmd add divert natd all from any to any via ${natd_interface}

as the first line. The problem was the

    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}

line from the "simple" firewall prototype, as per the distribution:

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}    <-------
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

But is all this necessary?

At http://www.bellnetworks.net/cs/showrec.php3?story_id=3 it is stated that

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in recv ${oif}

is appropriate.

My questions:

Is it true that

    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}

is sufficient to stop (172.16) RFC1918 nets on the outside interface? If so, why is it done by

    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}

in the FreeBSD distribution example (is there some advantage)?

And, as a side question, what is the difference between

    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}

and

    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}

and

    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any recv ${oif}

if any (or do they all say the same thing in different ways)?

Thanks to all who can comment on this...

Joe
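As an added illustration (not part of the original post, and not FreeBSD's ipfw or natd code): a small Python model of the ipfw keywords the post uses (allow/deny/divert natd, `addr:mask` matching, `in`/`out`, `via`/`recv`/`xmit`) with a one-table stand-in for natd. It runs constructed packets over the two rule layouts quoted in the post and evaluates the three deny spellings of the side question. The interface names ed0 (outside) and ed1 (inside), the addresses, and the NAT model are assumptions made for the example.

```python
"""Toy model of the ipfw rule subset quoted in the post.  Added illustration,
not FreeBSD's ipfw/natd implementation; interface names, addresses and the
one-entry-per-peer NAT table are constructed assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

OIF, IIF = "ed0", "ed1"         # assumed outside / inside interface names
PUBLIC_IP = "198.51.100.7"      # assumed public address of the gateway (documentation range)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str              # "in" or "out"
    recv_if: Optional[str]      # interface the packet arrived on (None if locally generated)
    xmit_if: Optional[str]      # interface it will leave on (None at the input hook)


def parse_addr(tok):
    """'any' -> None; 'a.b.c.d' -> host; 'a.b.c.d:m.m.m.m' -> network (ipfw mask syntax)."""
    if tok == "any":
        return None
    ip, _, mask = tok.partition(":")
    return ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)


def parse_rule(text):
    """Parse one rule body, e.g. 'deny all from any to 172.16.0.0:255.240.0.0 via ed0'."""
    toks = text.split()
    rule = {"text": text, "action": toks[0], "dir": None, "ifmode": None, "ifname": None}
    i = 2 if rule["action"] == "divert" else 1          # skip the divert port name ('natd')
    assert toks[i] == "all" and toks[i + 1] == "from" and toks[i + 3] == "to"
    rule["src"], rule["dst"] = parse_addr(toks[i + 2]), parse_addr(toks[i + 4])
    opts = toks[i + 5:]
    while opts:
        tok = opts.pop(0)
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("via", "recv", "xmit"):
            rule["ifmode"], rule["ifname"] = tok, opts.pop(0)
        else:
            raise ValueError(f"unsupported keyword {tok!r}")
    return rule


def rule_matches(rule, pkt):
    """ipfw(8) semantics: 'via' tests either interface, 'recv' only the receive
    interface (also set on forwarded outgoing packets), 'xmit' only the transmit one."""
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["dir"] is not None and rule["dir"] != pkt.direction:
        return False
    mode, name = rule["ifmode"], rule["ifname"]
    if mode == "recv":
        return pkt.recv_if == name
    if mode == "xmit":
        return pkt.xmit_if == name
    if mode == "via":
        return name in (pkt.recv_if, pkt.xmit_if)
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.nat = {}           # remote host -> internal host (constructed stand-in for natd's table)

    def natd(self, pkt):
        """Outbound RFC1918 sources are rewritten to PUBLIC_IP and remembered; inbound
        packets for PUBLIC_IP from a known peer get the stored internal destination back."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.direction == "out" and any(src in n for n in RFC1918):
            self.nat[pkt.dst] = pkt.src
            pkt.src = PUBLIC_IP
        elif pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.src in self.nat:
            pkt.dst = self.nat[pkt.src]
        return pkt

    def check(self, pkt):
        """Walk the rules in order; after a divert the (possibly rewritten) packet
        re-enters at the next rule, as with ipfw.  The default rule denies."""
        for rule in self.rules:
            if not rule_matches(rule, pkt):
                continue
            if rule["action"] == "divert":
                pkt = self.natd(pkt)
                continue
            return rule["action"], rule["text"]
        return "deny", "65535 deny ip from any to any"


# The distribution's "simple" layout from the post (divert first, then the 172.16/12 pair), trimmed.
DISTRIBUTION_RULES = [
    f"divert natd all from any to any via {OIF}",
    f"deny all from 172.16.0.0:255.240.0.0 to any via {OIF}",
    f"deny all from any to 172.16.0.0:255.240.0.0 via {OIF}",
    "allow all from any to any",
]
# The 'in recv' variant quoted from bellnetworks.net, trimmed the same way.
RECV_ONLY_RULES = [
    f"divert natd all from any to any via {OIF}",
    f"deny all from 172.16.0.0:255.240.0.0 to any in recv {OIF}",
    "allow all from any to any",
]


def trace_session(rules):
    """Verdicts at the outside-interface hooks for an internal host's outbound packet,
    the reply to it, and an inbound packet carrying a spoofed RFC1918 source."""
    fw = Firewall(rules)
    flow = (("outbound", Packet("172.16.1.5", "192.0.2.10", "out", recv_if=IIF, xmit_if=OIF)),
            ("reply", Packet("192.0.2.10", PUBLIC_IP, "in", recv_if=OIF, xmit_if=None)),
            ("spoofed", Packet("172.16.9.9", PUBLIC_IP, "in", recv_if=OIF, xmit_if=None)))
    return {name: fw.check(p)[0] for name, p in flow}


def compare_interface_keywords():
    """Side question: the three deny spellings against (a) a packet arriving on the outside
    interface and (b) the same packet, forwarded, at the inside interface's output hook."""
    variants = {k: parse_rule(f"deny all from 172.16.0.0:255.240.0.0 to any {k} {OIF}")
                for k in ("in recv", "in via", "recv")}
    arriving = Packet("172.16.9.9", "172.16.1.5", "in", recv_if=OIF, xmit_if=None)
    forwarded = Packet("172.16.9.9", "172.16.1.5", "out", recv_if=OIF, xmit_if=IIF)
    return {k: (rule_matches(r, arriving), rule_matches(r, forwarded)) for k, r in variants.items()}


if __name__ == "__main__":
    for label, rules in (("distribution via-pair", DISTRIBUTION_RULES), ("in recv only", RECV_ONLY_RULES)):
        print(label, trace_session(rules))
    print("keyword comparison", compare_interface_keywords())
```

Run as a script it prints the verdicts. In this model the outbound packet is translated by the divert rule before the deny rules are reached, so the `from 172.16/12 ... via ${oif}` rule never sees an RFC1918 source; the reply, however, is translated back to a 172.16 destination by the same divert and is then caught by the `to 172.16/12 ... via ${oif}` rule, which is the mechanism the post describes. The spoofed inbound packet is denied under both layouts. The keyword comparison follows ipfw(8): `via` tests either interface, `recv` only the receive interface, and a `recv` test without `in` also fires on forwarded packets at their output hook, whereas `in recv` and `in via` behave alike for packets arriving on the outside interface.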