From owner-freebsd-questions Sat Sep 25 9:13:56 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 87F7615827 for ; Sat, 25 Sep 1999 09:12:12 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id SAA49257; Sat, 25 Sep 1999 18:48:26 +0300 (EEST) (envelope-from ru)
Date: Sat, 25 Sep 1999 18:48:26 +0300
From: Ruslan Ermilov
To: Joe Bo
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ipfw, natd and RFC1918
Message-ID: <19990925184826.A46826@relay.ucb.crimea.ua>
Mail-Followup-To: Joe Bo, freebsd-questions@FreeBSD.org
References: <2.2.32.19990925095006.006a908c@mail>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <2.2.32.19990925095006.006a908c@mail>; from Joe Bo on Sat, Sep 25, 1999 at 02:50:06AM -0700
X-Operating-System: FreeBSD 3.2-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi, Joe!

This is a known problem -- take a look at PR conf/13769.
I will make sure to commit the patch I suggested sometime next week.
BTW, thanks for reminding me!!!

On Sat, Sep 25, 1999 at 02:50:06AM -0700, Joe Bo wrote:
> Hi,
>
> I'm running v3.2 with ipfw and natd on a 2-NIC machine
> as a gateway for an RFC1918 network of Windows PCs.
>
> I changed the firewall type to "simple", and my internal
> network could no longer get internet access.
>
> Of course, in rc.firewall I have:
>     $fwcmd add divert natd all from any to any via ${natd_interface}
> as the first line.
>
> The problem was the
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> line from the "simple" firewall prototype, as per the distribution:
>
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}    <-------
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> But is all this necessary? At
>     http://www.bellnetworks.net/cs/showrec.php3?story_id=3
> it is stated that
>
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in recv ${oif}
>
> is appropriate.
>
> My questions:
>
> Is it true that
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
> is sufficient to stop (172.16) RFC1918 nets on the outside interface?
>
> If so, why is it done by
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> in the FreeBSD distribution example (is there some advantage)?
>
> And, as a side question, what is the difference between
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
> and
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
> and
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any recv ${oif}
> if any (or do they all say the same thing in different ways)?
>
> Thanks to all who can comment on this...
>
> Joe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Ruslan Ermilov                  Sysadmin and DBA of the
ru@ucb.crimea.ua                United Commercial Bank,
ru@FreeBSD.org                  FreeBSD committer,
+380.652.247.647                Simferopol, Ukraine
http://www.FreeBSD.org          The Power To Serve
http://www.oracle.com           Enabling The Information Age
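The interaction Joe describes, worked through as an added example (this is not code from rc.firewall, natd, the PR or anyone in the thread): a small Python model of ipfw's in/out/via/recv/xmit matching and of natd re-injecting a translated packet at the rule after the divert. The interface names ed0/ed1, the addresses, the LAN prefix and the single translation entry are assumptions made for the demonstration. It reproduces the breakage with the "simple" ordering (the NAT'd reply, now addressed to 172.16.x.x but still on ${oif}, lands on the "to 172.16.0.0/12 via ${oif}" rule), shows what the same two denies do when moved ahead of the divert, and, for the side question, shows which of "in recv", "in via" and bare "recv" match an incoming spoofed packet versus one being forwarded on.

```python
"""Mini model of ipfw(8) matching and natd re-injection (added example, not FreeBSD code).

Semantics modelled, as documented in ipfw(8):
  in / out - direction of the packet through the stack
  via IF   - IF is the receive OR the transmit interface
  recv IF  - IF is the receive interface (checked on in and out packets)
  xmit IF  - IF is the transmit interface (out packets only)
  divert   - natd rewrites the packet, which re-enters at the NEXT rule
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

OIF, IIF = "ed0", "ed1"                               # outside / inside interfaces (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")   # same as 172.16.0.0:255.240.0.0
INTERNAL_NET = ipaddress.ip_network("172.16.1.0/24")  # assumed LAN behind the gateway
PUBLIC_IP = ipaddress.ip_address("198.51.100.1")      # assumed address of ${oif}
LAN_HOST = ipaddress.ip_address("172.16.1.10")        # assumed natd translation target
REMOTE = ipaddress.ip_address("203.0.113.5")          # assumed Internet peer


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    direction: str                  # "in" or "out"
    recv_if: Optional[str] = None   # None for locally generated packets
    xmit_if: Optional[str] = None   # None for incoming packets


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "deny" or "divert"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    direction: Optional[str] = None
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via in (pkt.recv_if, pkt.xmit_if))
            and (rule.recv is None or rule.recv == pkt.recv_if)
            and (rule.xmit is None or rule.xmit == pkt.xmit_if))


def natd(pkt: Packet) -> Packet:
    """natd -interface ${oif}: rewrite the source going out, the destination coming in."""
    if pkt.direction == "out" and pkt.xmit_if == OIF and pkt.src in INTERNAL_NET:
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.recv_if == OIF and pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=LAN_HOST)       # assumes a live translation entry
    return pkt


def run(rules, pkt):
    """Walk the ruleset; return (verdict, index of the deciding rule, packet as last seen)."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)                     # re-injected; continue with rule i+1
            continue
        return rule.action, i, pkt
    return "deny", None, pkt                    # default rule; default-to-deny kernel assumed


def simple_ruleset(divert_first=True):
    """Order from the question (divert first), or the same two denies moved ahead of it."""
    divert = [Rule("divert", via=OIF)]
    denies = [Rule("deny", src=RFC1918_172, via=OIF), Rule("deny", dst=RFC1918_172, via=OIF)]
    return (divert + denies if divert_first else denies + divert) + [Rule("allow")]


def in_recv_variant():
    """Variant quoted from bellnetworks.net: 'in recv ${oif}', source address only."""
    return [Rule("divert", via=OIF), Rule("deny", src=RFC1918_172, direction="in", recv=OIF),
            Rule("allow")]


# Constructed traffic: LAN host talking to a peer, a spoofed packet arriving on ${oif},
# and the same spoofed packet if it were being forwarded on towards the LAN.
OUTBOUND = Packet(LAN_HOST, REMOTE, "out", recv_if=IIF, xmit_if=OIF)
REPLY = Packet(REMOTE, PUBLIC_IP, "in", recv_if=OIF)
SPOOFED = Packet(ipaddress.ip_address("172.16.9.9"), PUBLIC_IP, "in", recv_if=OIF)
FORWARDED_SPOOF = Packet(ipaddress.ip_address("172.16.9.9"), LAN_HOST, "out",
                         recv_if=OIF, xmit_if=IIF)


def verdicts(ruleset):
    return {name: run(ruleset, pkt)[0]
            for name, pkt in (("outbound", OUTBOUND), ("reply", REPLY), ("spoofed", SPOOFED))}


def interface_keyword_comparison():
    """Side question: which of the three spellings match an incoming vs. a forwarded packet."""
    spellings = {
        "in recv oif": Rule("deny", src=RFC1918_172, direction="in", recv=OIF),
        "in via oif": Rule("deny", src=RFC1918_172, direction="in", via=OIF),
        "recv oif": Rule("deny", src=RFC1918_172, recv=OIF),
    }
    probes = {"spoofed_in": SPOOFED, "forwarded_out": FORWARDED_SPOOF}
    return {s: {p: matches(r, pkt) for p, pkt in probes.items()} for s, r in spellings.items()}


if __name__ == "__main__":
    print("simple, divert first :", verdicts(simple_ruleset()))
    print("simple, denies first :", verdicts(simple_ruleset(divert_first=False)))
    print("in recv variant      :", verdicts(in_recv_variant()))
    print("keyword comparison   :", interface_keyword_comparison())
```

Two things the model makes visible. With the divert first, the reply is translated to 172.16.1.10 before it reaches the "to 172.16.0.0/12 via ${oif}" rule, and since it is still on ${oif} that rule fires; the same packet passes the "in recv ${oif}" variant because that only looks at the source. Moving both denies ahead of the divert fixes the reply but then the "from 172.16.0.0/12 to any via ${oif}" rule sees the untranslated outbound packet leaving on ${oif} and drops it, so in this model the destination-side check is the one that has to precede NAT, and the source-side "via" check is the one that cannot. For the three spellings, "in recv" and "in via" are identical on incoming packets (an incoming packet has no transmit interface, so "via" can only match the receive interface), while bare "recv ${oif}" additionally matches an outgoing packet that came in on ${oif} and is being forwarded out another interface.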