Date: Fri, 02 Jul 1999 20:59:25 -1000 From: "Art Neilson, KH7PZ" <art@hawaii.rr.com> To: Arcady Genkin <a.genkin@utoronto.ca> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: natd and ipfw Message-ID: <3.0.6.32.19990702205925.032d20a0@clients1.hawaii.rr.com> In-Reply-To: <87u2rmryss.fsf@main.wgaf.net>
What do your firewall rules look like? Did you write any yet?
You may want to set firewall_enable="YES" and firewall_type="OPEN"
in your /etc/rc.conf.local or whatever you call your rc.conf
overrides file. After you are sure the network itself is solid
you can start battening down the hatches by coding up /etc/rc.firewall
and setting firewall_type="simple" or whatever matches your rc.firewall
script.
At 03:13 AM 7/3/99 -0400, you wrote:
>Hi all:
>
>I've attempted to configure ipfirewalling/masquerading on a FreeBSD
>3.2-Release. Here's what I did:
>
>options IPFIREWALL
>options IPFIREWALL_VERBOSE
>options IPDIVERT
>
>then I added in /etc/rc.conf:
>
>gateway_enable="YES"
>ipfw add allow all from any to any
>#I'll play with this later
>
>then I rebooted and ran "natd -interface ed0"
>
>I have 2 computers in my network -- the firewall named "door" 192.168.1.1 and a
>workstation named "main" 192.168.1.2. "door" is connected to internet
>via ed1 (ADSL connection with dhclient), and is able to ping, telnet,
>ftp, etc. both into the internet and into "main". It connects to main
>via ed0.
>
>"main" is able to connect to "door" in any possible method
>(i.e. internal tcp/ip link works OK). It runs Linux 2.2.10, and I'm telling
>it to use "door" as its router:
>
>ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
>route add -net 192.168.1.0 netmask 255.255.255.0 eth0
>route add default gw 192.168.1.1 eth0
>
>However, "main" is unable to ping anything in the internet. I get the
>feeling that it routes packets out correctly, because if I ping
>something, then the nic on "door" flashes LEDs.
>
>Can somebody think of something that I'm doing wrong? Thanks a lot in advance!
>
>Here's output of netstat -r and netstat -i on "door":
>
>Routing tables
>
>Internet:
>Destination Gateway Flags Refs Use Netif Expire
>default HSE-TOR-ppp22711.s UGSc 1 17 ed1
>localhost localhost UH 1 0 lo0
>192.168.1 link#1 UC 0 0 ed0
>main 0:80:c8:f2:c6:14 UHLW 0 5 ed0 1191
>209.226.71 link#2 UC 0 0 ed1
>HSE-TOR-ppp22711.s 0:90:6f:fc:f8:20 UHLW 2 0 ed1 736
>HSE-TOR-ppp22919.s localhost UGHS 0 0 lo0
>
>Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
>ed0 1500 <Link> 00.80.c8.ec.0f.39 47 0 13 0 0
>ed0 1500 192.168.1 door 47 0 13 0 0
>ed1 1500 <Link> 52.54.4c.17.c9.5c 17 0 52 0 0
>ed1 1500 209.226.71 HSE-TOR-ppp2291 17 0 52 0 0
>lo0 16384 <Link> 0 0 0 0 0
>lo0 16384 127 localhost 0 0 0 0 0
>
>=========
>Here's output of the same commands on "main":
>
>Kernel IP routing table
>Destination Gateway Genmask Flags MSS Window irtt Iface
>localnet * 255.255.255.0 U 0 0 0 eth0
>localnet * 255.255.255.0 U 0 0 0 eth0
>default door.wgaf.net 0.0.0.0 UG 0 0 0 eth0
>
>Kernel Interface table
>Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
>eth0 1500 0 4562 0 0 0 12075 3 0 0 BRU
>lo 3924 0 11 0 0 0 11 0 0 0 LRU
>
>--
>Arcady Genkin
>"... without money one gets nothing in this world, not even a certificate
>of eternal blessedness in the other world..." (S. Kierkegaard)
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
--
__
/ ) _/_ It is a capital mistake to theorise before one has data.
/--/ __ / Insensibly one begins to twist facts to suit theories,
/ (_/ (_<__ Instead of theories to suit facts.
-- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, KH7PZ
Bank of Hawaii Tech Support
art@hawaii.rr.com
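The reply above suggests starting with firewall_type="OPEN" and tightening later; as an added example (not from the thread and not FreeBSD's own rc.firewall), here is what a tightened NAT ruleset for the topology in the quoted message looks like, with a dry-run check that the divert rule is ordered ahead of the pass rules. It assumes ed1 is the external (ADSL) interface, 192.168.1.0/24 sits behind ed0, the kernel was built with IPFIREWALL and IPDIVERT, and natd is bound to the external interface; the OIF, INET and FWCMD variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall-style ruleset for a
# two-interface NAT gateway.  Assumptions: ed1 is the external interface,
# 192.168.1.0/24 is behind ed0, and natd listens on the external side.
# Default is a dry run that echoes the rules; run as root with
# FWCMD=/sbin/ipfw to actually load them.
oif=${OIF:-ed1}               # external interface (assumed)
inet=${INET:-192.168.1.0/24}  # internal network (assumed)

# Emit the ruleset in order.  ipfw evaluates rules by number, so the divert
# rule must come before any rule that would accept the packet: otherwise
# natd never sees the traffic and packets leave with private addresses.
nat_ruleset() {
    fwcmd=${FWCMD:-echo ipfw}
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # Anti-spoofing: our private range must never arrive from the outside.
    ${fwcmd} add 300 deny log all from ${inet} to any in via ${oif}
    # Translate everything crossing the external interface, both directions.
    ${fwcmd} add 400 divert natd all from any to any via ${oif}
    # Replies and fragments belonging to existing sessions.
    ${fwcmd} add 500 pass tcp from any to any established
    ${fwcmd} add 510 pass all from any to any frag
    # Log and drop new TCP connections arriving from the Internet ...
    ${fwcmd} add 600 deny log tcp from any to any in via ${oif} setup
    # ... but let the LAN (and the gateway itself) open outbound ones.
    ${fwcmd} add 610 pass tcp from any to any setup
    # DNS queries and answers; ICMP types needed for ping and path MTU.
    ${fwcmd} add 700 pass udp from any to any 53
    ${fwcmd} add 701 pass udp from any 53 to any
    ${fwcmd} add 720 pass icmp from any to any icmptypes 0,3,8,11
    # Everything else is logged and dropped.
    ${fwcmd} add 65000 deny log all from any to any
}

# Pre-load sanity check on the dry-run output: no pass rule (other than
# loopback) may precede the divert rule.  Returns 0 when ordering is correct.
divert_before_pass() {
    (FWCMD="echo ipfw"; nat_ruleset) | awk '
        / divert natd /             { seen = 1 }
        / pass / && !/lo0/ && !seen { bad = 1 }
        END                         { exit bad + 0 }'
}

nat_ruleset
```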
