From owner-freebsd-questions Fri Mar 19 14:47:10 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhub.scl.ameslab.gov (mailhub.scl.ameslab.gov [147.155.137.127]) by hub.freebsd.org (Postfix) with ESMTP id 80E3715BF7 for ; Fri, 19 Mar 1999 14:45:44 -0800 (PST) (envelope-from ghelmer@scl.ameslab.gov)
Received: from demios.ether.scl.ameslab.gov ([147.155.137.54]) by mailhub.scl.ameslab.gov with esmtp (Exim 1.90 #1) id 10O81d-0007Qe-00; Fri, 19 Mar 1999 16:45:57 -0600
Date: Fri, 19 Mar 1999 16:45:17 -0600
From: Guy Helmer
To: Jeff Yeo
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: ipfw rule blocking connection
In-Reply-To: <8E6C9AEA17A8D2118D6E00A0C99869402AF48A@HERMES.pml.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 19 Mar 1999, Jeff Yeo wrote:

> I'm running FreeBSD 2.2.8-RELEASE as a firewall using ipfw
> and natd and /etc/rc.firewall as a starting point. I'm using
> 192.168.1.0/24 on the internal network, and an Internet
> IP address on the external interface. Using ipfw show, I've
> noticed that the following rule is blocking replies from the
> external interface:
>
> ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

I changed the "stop RFC1918 nets on outside interface" rules on my natd firewall to:

ipfw add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
ipfw add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
ipfw add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
ipfw add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
ipfw add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
ipfw add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}

> I'm assuming that natd changes the destination address on the
> packet and reinjects it into the packet stream. When it hits the
> above rule, it appears that there has been a packet received on
> ${oif} with a destination of 192.168.1.x and the packet is dropped.
> Is this correct?

Yes. The changed rules should do the right thing -- they have trapped incoming packets with a source address of 192.168.x.x on my firewall but otherwise allow correct operation with natd.

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
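The exchange above turns on one detail of ipfw matching: a plain "via ${oif}" clause matches packets travelling in either direction through the interface, so once natd has rewritten the destination of an inbound reply to 192.168.1.x and reinjected it, the "from any to 192.168.0.0:255.255.0.0 via ${oif}" rule sees an inbound packet with an RFC1918 destination and drops it. The following Python model, added here as an illustration and not code from the thread or from FreeBSD, replays that flow against the quoted rule set and against Guy Helmer's "in via" / "out via" replacement. It assumes the natd divert rule sits ahead of the anti-spoofing rules, as rc.firewall places it, and that the original rc.firewall block paired each "to <net> via" rule with a "from <net> to any via" rule (only the destination-side rule is quoted in the message). The interface name ed0, the external address 198.51.100.7, the internal host 192.168.1.10 and the remote peer 203.0.113.9 are made up for the example.

```python
"""Model of ipfw 'via' vs. 'in via'/'out via' matching against natd-translated
replies. Added illustration only; interface and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out" relative to the firewall


@dataclass(frozen=True)
class Rule:
    action: str                      # "deny" or "allow"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    iface: str                       # ipfw "via <iface>"
    direction: Optional[str] = None  # None: plain "via", matches either direction;
                                     # "in"/"out": "in via" / "out via"

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        return _in_net(self.src, pkt.src) and _in_net(self.dst, pkt.dst)


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in ipfw. Falling through to 'allow'
    isolates the effect of the anti-spoofing rules alone."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"


def natd_inbound(pkt: Packet, external: str, internal: str) -> Packet:
    """natd rewrites the destination of an inbound reply from the firewall's
    external address to the internal host and reinjects it; the reinjected
    packet is still evaluated as 'in' on the external interface."""
    if pkt.direction == "in" and pkt.dst == external:
        return replace(pkt, dst=internal)
    return pkt


OIF = "ed0"  # hypothetical external interface, stands in for ${oif}
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# rc.firewall-style rules (assumed pairing): no direction, so "via" matches
# packets going either way through ${oif}.
ORIGINAL_RULES = []
for net in RFC1918:
    ORIGINAL_RULES.append(Rule("deny", net, "any", OIF))
    ORIGINAL_RULES.append(Rule("deny", "any", net, OIF))

# Replacement set from the reply: RFC1918 sources dropped only when they come
# *in* on ${oif}; RFC1918 destinations dropped only when going *out* on it.
FIXED_RULES = []
for net in RFC1918:
    FIXED_RULES.append(Rule("deny", net, "any", OIF, "in"))
    FIXED_RULES.append(Rule("deny", "any", net, OIF, "out"))

EXTERNAL, INTERNAL, REMOTE = "198.51.100.7", "192.168.1.10", "203.0.113.9"

# Constructed packets.
reply_on_wire = Packet(src=REMOTE, dst=EXTERNAL, iface=OIF, direction="in")
reply_after_natd = natd_inbound(reply_on_wire, EXTERNAL, INTERNAL)
spoofed_inbound = Packet(src="192.168.5.5", dst=EXTERNAL, iface=OIF, direction="in")
leaked_outbound = Packet(src=EXTERNAL, dst="10.1.2.3", iface=OIF, direction="out")


def compare() -> dict:
    """Verdict of each rule set on each constructed packet."""
    cases = {"natd_reply": reply_after_natd,
             "spoofed_inbound": spoofed_inbound,
             "leaked_outbound": leaked_outbound}
    return {"original": {k: verdict(ORIGINAL_RULES, p) for k, p in cases.items()},
            "fixed": {k: verdict(FIXED_RULES, p) for k, p in cases.items()}}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

The model gives "deny" for the translated reply under the original rules and "allow" under the replacement, while both sets still drop an inbound packet with a 192.168.x.x source and an outbound packet addressed to 10.x.x.x. One caveat follows directly from the rewrite: the "out via" form no longer examines destinations on inbound traffic at all, so a packet that already carried an RFC1918 destination when it arrived on ${oif} is not caught by these rules either; whatever follows them in the rule set has to handle that case.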