Date:      Sat, 25 Sep 1999 02:50:06 -0700
From:      Joe Bo <ibjoe@home.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   ipfw, natd and RFC1918
Message-ID:  <2.2.32.19990925095006.006a908c@mail>

Hi,

I'm running v3.2 with ipfw and natd on a 2 nic machine
as a gateway for a RFC1918 network of windows PCs.

I changed the firewall type to "simple", and my internal
network could no longer get internet access.

Of course, in rc.firewall I have:
$fwcmd add divert natd all from any to any via ${natd_interface}
as the first line.

The problem was the
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
line from the "simple" firewall prototype, as per the distribution:

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} <-------
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

But is all this necessary? At
http://www.bellnetworks.net/cs/showrec.php3?story_id=3
it is stated that

# Stop RFC1918 nets on the outside interface 
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in recv ${oif}

is appropriate.

My questions:

Is it true that
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
is sufficient to stop (172.16) RFC1918 nets on the outside interface?

If so, why is it done by
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
in the FreeBSD distribution example (is there some advantage)?

And, as a side question, what is the difference between
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
and
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
and
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any recv ${oif}
if any (or do they all say the same thing in different ways)?

Thanks to all who can comment on this...

Joe
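
The following is an added example, not part of the post above and not code from the FreeBSD distribution or the linked page. It is a small Python model of how ipfw interprets the interface options in the rules quoted in the post, written from the semantics documented in ipfw(8): "via IF" matches if either the receive or the transmit interface is IF, "recv IF" checks only the receive interface (on both the in and the out pass), "xmit IF" checks only the transmit interface and needs "out", and "in"/"out" restrict the pass. It parses the post's own rule lines (including the "addr:mask" form), then runs constructed packets through the distribution's six "via" rules and the linked page's three "in recv" rules, and compares the three rule forms the post asks about. The interface names ed0 (outside) and ed1 (inside) and all addresses are assumptions made up for the example.

```python
# Added example (not from the original post): a model of ipfw's "via",
# "recv", "xmit", "in" and "out" interface matching, applied to the
# RFC1918 rules quoted in the post. Semantics follow ipfw(8); interface
# names and packet addresses are assumptions constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OIF = "ed0"   # assumed outside interface (stands in for ${oif})
IIF = "ed1"   # assumed inside interface


@dataclass
class Packet:
    src: str
    dst: str
    direction: str        # "in" (arriving) or "out" (leaving)
    recv_if: str = ""     # interface it arrived on; "" if locally generated
    xmit_if: str = ""     # interface it leaves on; "" on the inbound pass


@dataclass
class Rule:
    action: str
    src: object                      # ip_network
    dst: object                      # ip_network
    direction: Optional[str] = None  # "in", "out" or None (both passes)
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None
    text: str = ""


def _net(tok: str):
    """'any', 'a.b.c.d', 'a.b.c.d/n' or ipfw's 'a.b.c.d:m.m.m.m' form."""
    if tok == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(tok.replace(":", "/"), strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in the post:
    <action> all from <src> to <dst> [in|out] [via|recv|xmit <ifname>]..."""
    toks = line.split()
    if toks[1] != "all" or toks[2] != "from" or toks[4] != "to":
        raise ValueError("unsupported rule: " + line)
    rule = Rule(action=toks[0], src=_net(toks[3]), dst=_net(toks[5]), text=line)
    rest = toks[6:]
    while rest:
        key = rest.pop(0)
        if key in ("in", "out"):
            rule.direction = key
        elif key in ("via", "recv", "xmit"):
            setattr(rule, key, rest.pop(0))
        else:
            raise ValueError("unsupported option: " + key)
    if rule.xmit and rule.direction != "out":   # ipfw(8): xmit requires out
        raise ValueError("xmit requires 'out': " + line)
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    # "via IF": either the receive or the transmit interface is IF.
    if rule.via and rule.via not in (pkt.recv_if, pkt.xmit_if):
        return False
    # "recv IF": receive interface only, tested on both passes, so it also
    # matches a forwarded packet on its way out another interface.
    if rule.recv and pkt.recv_if != rule.recv:
        return False
    # "xmit IF": transmit interface only, meaningful on the out pass.
    if rule.xmit and pkt.xmit_if != rule.xmit:
        return False
    return True


def first_match(rules, pkt: Packet) -> Optional[str]:
    """Text of the first matching rule, or None if the packet falls through."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.text
    return None


# The six "via" rules from the distribution's "simple" prototype.
DIST_RULES = [parse_rule(r) for r in (
    f"deny all from 192.168.0.0:255.255.0.0 to any via {OIF}",
    f"deny all from any to 192.168.0.0:255.255.0.0 via {OIF}",
    f"deny all from 172.16.0.0:255.240.0.0 to any via {OIF}",
    f"deny all from any to 172.16.0.0:255.240.0.0 via {OIF}",
    f"deny all from 10.0.0.0:255.0.0.0 to any via {OIF}",
    f"deny all from any to 10.0.0.0:255.0.0.0 via {OIF}",
)]

# The three "in recv" rules from the page the post links to.
IN_RECV_RULES = [parse_rule(r) for r in (
    f"deny all from 192.168.0.0:255.255.0.0 to any in recv {OIF}",
    f"deny all from 172.16.0.0:255.240.0.0 to any in recv {OIF}",
    f"deny all from 10.0.0.0:255.0.0.0 to any in recv {OIF}",
)]

# The three forms asked about in the side question, for the 172.16/12 net.
FORMS = {f: parse_rule(f"deny all from 172.16.0.0:255.240.0.0 to any {f} {OIF}")
         for f in ("in recv", "in via", "recv")}

# Constructed packets (addresses from the 192.0.2.0/24 documentation range).
# A reply from the Internet as the rules after the divert rule see it: natd
# has already rewritten its destination back to the inside host.
REPLY_AFTER_NAT = Packet("192.0.2.10", "172.16.1.5", "in", recv_if=OIF)
# A spoofed RFC1918 source arriving on the outside interface.
SPOOFED_IN = Packet("172.16.9.9", "192.0.2.1", "in", recv_if=OIF)
# The out pass of a packet that arrived on the outside interface and is
# being forwarded to the inside interface.
FORWARDED_OUT = Packet("172.16.9.9", "172.16.1.5", "out", recv_if=OIF, xmit_if=IIF)


def compare_forms(pkt: Packet) -> dict:
    """Which of the three rule forms match this packet."""
    return {form: matches(rule, pkt) for form, rule in FORMS.items()}


if __name__ == "__main__":
    for name, pkt in (("reply after natd", REPLY_AFTER_NAT),
                      ("spoofed inbound", SPOOFED_IN),
                      ("forwarded out", FORWARDED_OUT)):
        print(name, "| distribution:", first_match(DIST_RULES, pkt),
              "| in recv:", first_match(IN_RECV_RULES, pkt),
              "| forms:", compare_forms(pkt))
```

Run as a script, it shows the post-NAT reply being caught by the distribution's "from any to 172.16/12 via oif" rule while falling through the "in recv" set, both sets catching the spoofed inbound packet, and "recv oif" alone (unlike "in recv" and "in via") also matching the forwarded packet on its out pass. The model covers only the options used in the post; it does not simulate the divert rule or natd itself.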
