Date:      Sat, 25 Sep 1999 18:48:26 +0300
From:      Ruslan Ermilov <ru@ucb.crimea.ua>
To:        Joe Bo <ibjoe@home.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfw, natd and RFC1918
Message-ID:  <19990925184826.A46826@relay.ucb.crimea.ua>
In-Reply-To: <2.2.32.19990925095006.006a908c@mail>; from Joe Bo on Sat, Sep 25, 1999 at 02:50:06AM -0700
References:  <2.2.32.19990925095006.006a908c@mail>

Hi, Joe!

This is a known problem -- take a look at PR conf/13769.
I will make sure to commit the patch I suggested sometime
next week.  BTW, thanks for reminding me!!!


On Sat, Sep 25, 1999 at 02:50:06AM -0700, Joe Bo wrote:
> Hi,
> 
> I'm running v3.2 with ipfw and natd on a 2-NIC machine
> as a gateway for an RFC1918 network of Windows PCs.
> 
> I changed the firewall type to "simple", and my internal
> network could no longer get internet access.
> 
> Of course, in rc.firewall I have:
> $fwcmd add divert natd all from any to any via ${natd_interface}
> as the first line.
> 
> The problem was the 
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> line from the "simple" firewall prototype, as per the distribution:
> 
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} <-------
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
> But is all this necessary? At
> http://www.bellnetworks.net/cs/showrec.php3?story_id=3
> it is stated that
> 
> # Stop RFC1918 nets on the outside interface 
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in recv ${oif}
> 
> is appropriate.
> 
> My questions:
> 
> Is it true that
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
> is sufficient to stop (172.16) RFC1918 nets on the outside interface?
> 
> If so, why is it done by
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> in the FreeBSD distribution example (is there some advantage)?
> 
> and, as a side question, what is the difference between
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
> and
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
> and
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any recv ${oif}
> if any (or do they all say the same thing in different ways)?
> 
> Thanks to all who can comment on this...
> 
> Joe

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
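The matching semantics Joe asks about, and why the rule he marked with the arrow breaks a natd gateway, as an added example that is not part of this thread and not FreeBSD's rc.firewall or ipfw code: a small Python model of ipfw's via/recv/xmit and in/out keywords with the natd divert in front of the RFC1918 block. The interface names ed0 (outside) and ed1 (inside), the public address 192.0.2.10 and the hosts are constructed for the demonstration. The behaviour modelled is that a divert hands the packet to natd and ipfw resumes at the rule after the divert with the rewritten packet: natd changes the destination of an inbound reply to the internal 172.16.x.x address, so the distribution's "deny all from any to 172.16.0.0:255.240.0.0 via ${oif}" matches it and the reply is dropped. The "in recv ${oif}" form only looks at the source of packets arriving on the outside interface, which natd leaves alone, so it still stops spoofed RFC1918 sources without killing the NAT session.

```python
"""ipfw 'via'/'recv'/'xmit' and 'in'/'out' matching around a natd divert: an added
example for this thread, not FreeBSD's rc.firewall or ipfw code.  Interface names
(ed0 outside, ed1 inside), the gateway address and all hosts are constructed."""
import ipaddress
from collections import namedtuple

OIF, IIF = "ed0", "ed1"          # constructed outside / inside interfaces
PUBLIC = "192.0.2.10"            # constructed public address of the gateway
NAT_TABLE = {}                   # remote host -> internal host, filled by natd()

# direction: "in" (just received) or "out" (about to be sent); recv: interface the
# packet arrived on; xmit: interface it leaves on (None while still inbound).
Packet = namedtuple("Packet", "src dst direction recv xmit")
# action: deny/allow/divert; src/dst: IPv4Network; direction: in/out/None (either);
# ifkw: via/recv/xmit/None; iface: interface name the keyword applies to.
Rule = namedtuple("Rule", "action src dst direction ifkw iface")

def net(spec):
    """'any', a plain address, or ipfw's 'a.b.c.d:m.m.m.m' netmask form."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, mask = spec.partition(":")
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_rule(text):
    """Parse the ipfw(8) subset used by rc.firewall's RFC1918 block."""
    t = text.split()
    action, i = t[0], 1
    if action == "divert":
        i += 1                   # skip the divert port name ("natd")
    assert t[i] == "all" and t[i + 1] == "from" and t[i + 3] == "to", text
    src, dst, i = net(t[i + 2]), net(t[i + 4]), i + 5
    direction = ifkw = iface = None
    while i < len(t):
        if t[i] in ("in", "out"):
            direction, i = t[i], i + 1
        elif t[i] in ("via", "recv", "xmit"):
            ifkw, iface, i = t[i], t[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return Rule(action, src, dst, direction, ifkw, iface)

def matches(rule, pkt):
    """'via' matches either interface of the packet; 'recv'/'xmit' only that one."""
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    return {"recv": pkt.recv == rule.iface, "xmit": pkt.xmit == rule.iface,
            "via": rule.iface in (pkt.recv, pkt.xmit), None: True}[rule.ifkw]

def natd(pkt):
    """Minimal natd: public source on the way out, internal destination on the way back."""
    if pkt.direction == "out" and pkt.xmit == OIF:
        NAT_TABLE[pkt.dst] = pkt.src
        return pkt._replace(src=PUBLIC)
    if pkt.direction == "in" and pkt.recv == OIF and pkt.dst == PUBLIC and pkt.src in NAT_TABLE:
        return pkt._replace(dst=NAT_TABLE[pkt.src])
    return pkt

def run(rules, pkt):
    """First match wins.  A divert hands the packet to natd and evaluation resumes at the
    next rule with the rewritten packet, so later rules see the NATed addresses."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action
    return "allow"               # constructed default for the demo

RFC1918 = ["192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0"]
DIVERT = f"divert natd all from any to any via {OIF}"
# The distribution's "simple" block as quoted in the thread: both directions, 'via'.
DIST_RULES = [parse_rule(DIVERT)] + [parse_rule(r) for n in RFC1918 for r in
              (f"deny all from {n} to any via {OIF}", f"deny all from any to {n} via {OIF}")]
# The alternative Joe cites: only inbound packets with an RFC1918 source on the outside.
RECV_RULES = [parse_rule(DIVERT)] + [parse_rule(f"deny all from {n} to any in recv {OIF}") for n in RFC1918]

def verdicts(rules):
    """An internal host talks out, its reply comes back, then a spoofed RFC1918 source arrives."""
    NAT_TABLE.clear()
    return {"outbound": run(rules, Packet("172.16.1.5", "198.51.100.7", "out", IIF, OIF)),
            "reply": run(rules, Packet("198.51.100.7", PUBLIC, "in", OIF, None)),
            "spoofed": run(rules, Packet("172.16.9.9", PUBLIC, "in", OIF, None))}

def side_question():
    """'in recv', 'in via', bare 'recv': (matches on the inbound check, matches when forwarded out)."""
    inbound = Packet("172.16.9.9", "172.16.1.5", "in", OIF, None)
    forwarded = inbound._replace(direction="out", xmit=IIF)
    return [(matches(r, inbound), matches(r, forwarded)) for r in
            (parse_rule(f"deny all from 172.16.0.0:255.240.0.0 to any {kw} {OIF}")
             for kw in ("in recv", "in via", "recv"))]

if __name__ == "__main__":
    print("via rules:    ", verdicts(DIST_RULES))
    print("in recv rules:", verdicts(RECV_RULES))
    print("in recv / in via / recv:", side_question())
```

Running it shows the distribution rules letting the outbound packet through but denying the NATed reply, while the "in recv" rules pass both and still deny the spoofed packet. On the side question: "in recv ${oif}" and "in via ${oif}" are equivalent, because an inbound packet has only a receive interface to match, while a bare "recv ${oif}" also matches the same packet again on its outbound pass through the inside interface, since recv records where the packet arrived regardless of the direction of the check.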