Date: Thu, 28 Jun 2001 22:09:15 -0700
From: "Robert Banniza" <robert@rootprompt.net>
To: <freebsd-questions@FreeBSD.ORG>
Subject: ipfw and triple-home machine using natd
Message-ID: <GMEDKMKMEBENJMBLDHAIAEEFDPAA.robert@rootprompt.net>
In-Reply-To: <3B3BECAF.262E56F4@gerhardt-it.com>
Guys, I'm wanting to take my http://www.rootprompt.net/freebsd_firewall.html site a step further by adding a DMZ to this setup. Basically what I have is a machine with xl0 being the external interface, fxp0 being the DMZ and fxp1 being the internal interface. However, I'm seeing fxp0 and fxp1 having the same IRQ (IRQ 10). I can ping all of the interfaces from the firewall itself but no traffic is being passed from the nat'ed side (fxp1) or the DMZ side (fxp0). Could the problem be the same IRQs on fxp0 and fxp1?!?! This is REALLY bothering me as I'm not having any luck. I have been using a Firebox for the past 2 years and it has somewhat spoiled me. However, it doesn't have the flexibility that I need with IPFW. Does anyone know where there is a DMZ HOWTO for three interfaces rather than two?

Here are the rules that I have which have worked fine in the past with a dual-home setup:

# External Interface Network, Netmask and IP
oif="xl0"
onet="24.6.44.0"
omask="255.255.255.0"
oip="24.6.44.82"

# Internal Interface Network, Netmask and IP
iif="fxp1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

# Set DNS and NTP addresses
dns1="24.2.7.33"
dns2="24.2.7.34"
ntp1="x.x.x.x"

# Stop Spoofing
$fwcmd add 110 deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add 110 deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add 120 deny log all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
$fwcmd add 120 deny log all from 172.16.0.0:255.240.0.0 to any in recv ${oif}
$fwcmd add 120 deny log all from 10.0.0.0:255.0.0.0 to any in recv ${oif}

# Allow any ip (tcp and udp) packets to go out the outside interface
$fwcmd add 130 pass all from any to any out xmit ${oif}

# Allow any ip (tcp and udp) packets to pass on the inside interface
$fwcmd add 140 pass all from any to any via ${iif}

# Allow established tcp connections from outside interface
$fwcmd add 150 pass tcp from any to any in recv ${oif} established

# To run smtp on 25, ssh on 22, and apache on 80 & 443
# $fwcmd add 200 pass tcp from any to ${oip} 25
$fwcmd add 300 pass log tcp from 34.23.12.62 to ${oip} 22 in recv ${oif} setup
# $fwcmd add 350 pass tcp from any to ${oip} 80
$fwcmd add 350 pass tcp from 34.23.12.62 to any 80

# To run Icecast on 8000
$fwcmd add 360 pass tcp from 34.23.12.62 to any 8000

# To run Dialpad
$fwcmd add 360 pass udp from 4.2.40.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.42.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.46.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.67.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.54.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.64.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.68.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.74.0/24 to any 51200
$fwcmd add 360 pass udp from 63.74.89.0/24 to any 51200
$fwcmd add 360 pass udp from 209.191.173.0/24 to any 51200
$fwcmd add 360 pass udp from 216.52.249.0/24 to any 51200
$fwcmd add 360 pass udp from 4.2.40.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.42.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.46.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.67.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.54.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.64.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.68.0/24 to any 51201
$fwcmd add 360 pass udp from 4.2.74.0/24 to any 51201
$fwcmd add 360 pass udp from 63.74.89.0/24 to any 51201
$fwcmd add 360 pass udp from 209.191.173.0/24 to any 51201
$fwcmd add 360 pass udp from 216.52.249.0/24 to any 51201
$fwcmd add 360 pass tcp from 4.2.40.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.42.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.46.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.67.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.54.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.64.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.68.0/24 to any 51210
$fwcmd add 360 pass tcp from 4.2.74.0/24 to any 51210
$fwcmd add 360 pass tcp from 63.74.89.0/24 to any 51210
$fwcmd add 360 pass tcp from 209.191.173.0/24 to any 51210
$fwcmd add 360 pass tcp from 216.52.249.0/24 to any 51210

# Deny and log setup of tcp connections from outside interface
$fwcmd add 400 deny log tcp from any to any in recv ${oif} setup

# Allow replies to DNS queries from outside interface
# $fwcmd add 410 pass udp from ${dns1} 53 to any 1024-65535 in recv ${oif}
# $fwcmd add 420 pass udp from ${dns2} 53 to any 1024-65535 in recv ${oif}
$fwcmd add 430 pass tcp from any 53 to ${inet}:${imask}
$fwcmd add 430 pass udp from any 53 to ${inet}:${imask}

# Allow any ICMP packets to pass on inside interface
$fwcmd add 1000 pass icmp from any to any via ${iif}

# Allow outbound pings
$fwcmd add 1010 pass icmp from any to any in recv ${oif} icmptypes 0
$fwcmd add 1010 pass icmp from any to any out xmit ${oif} icmptypes 8

# Allow outbound traceroutes
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 3
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 11

# Everything else is denied by default
$fwcmd add 65532 deny udp from any to any
$fwcmd add 65533 deny icmp from any to any
$fwcmd add 65534 deny log ip from any to any

My natd.conf is very simple:

# Webserver redirects
redirect_port tcp 192.168.1.3:80 80
redirect_port tcp 192.168.1.3:8000 8000

# This is for Dialpad
redirect_port tcp 192.168.1.2:51210 51210
redirect_port udp 192.168.1.2:51201 51201
redirect_port udp 192.168.1.2:51200 51200

I have done all of the proper recompiling, etc., and rc.conf should be set up accordingly. Any help appreciated.

Robert
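One way to extend the posted two-interface rules to a third, DMZ interface, as an added example that is not the poster's configuration or anything from the rootprompt.net page: the DMZ network 192.168.2.0/24 on fxp0 and the DMZ web server 192.168.2.3 are constructed values, and the rules assume natd runs on its default divert port with a matching "redirect_port tcp 192.168.2.3:80 80" line. It also includes the "divert natd" rule that natd depends on, which the posted rules do not show.

```shell
# Added example: three-interface ipfw rules (outside xl0, DMZ fxp0, inside fxp1).
# Assumed/constructed: DMZ net 192.168.2.0/24, DMZ web server 192.168.2.3,
# natd on its default divert port publishing that server on port 80.
dmz_rules() {
    fwcmd="${1:-/sbin/ipfw}"   # pass "echo" as $1 to preview the rules

    oif="xl0";  onet="24.6.44.0";   omask="255.255.255.0"
    dif="fxp0"; dnet="192.168.2.0"; dmask="255.255.255.0"; dweb="192.168.2.3"
    iif="fxp1"; inet="192.168.1.0"; imask="255.255.255.0"

    # natd must see every packet crossing the outside interface, in both
    # directions, before any pass rule can match it.
    $fwcmd add 50 divert natd all from any to any via ${oif}

    # Anti-spoofing: each network may only enter on its own interface
    $fwcmd add 110 deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add 110 deny all from ${inet}:${imask} to any in via ${dif}
    $fwcmd add 110 deny all from ${dnet}:${dmask} to any in via ${oif}
    $fwcmd add 110 deny all from ${dnet}:${dmask} to any in via ${iif}
    $fwcmd add 110 deny all from ${onet}:${omask} to any in via ${iif}
    $fwcmd add 110 deny all from ${onet}:${omask} to any in via ${dif}

    # DMZ hosts never originate connections toward the inside network;
    # replies to inside-initiated connections still pass via rule 150
    $fwcmd add 120 deny log tcp from ${dnet}:${dmask} to ${inet}:${imask} setup
    $fwcmd add 120 deny log udp from ${dnet}:${dmask} to ${inet}:${imask}
    $fwcmd add 120 deny log icmp from ${dnet}:${dmask} to ${inet}:${imask} icmptypes 8

    # Inside may reach anything: the Internet (after natd) and the DMZ
    $fwcmd add 130 pass all from any to any out xmit ${oif}
    $fwcmd add 140 pass all from any to any via ${iif}
    $fwcmd add 145 pass all from ${inet}:${imask} to ${dnet}:${dmask} out xmit ${dif}

    # Return traffic for connections already set up, plus DNS replies
    $fwcmd add 150 pass tcp from any to any established
    $fwcmd add 155 pass udp from any 53 to any

    # DMZ may open connections outward (rule 120 already blocked inward)
    $fwcmd add 160 pass all from ${dnet}:${dmask} to any in recv ${dif}

    # Published DMZ web server: natd has already rewritten the destination
    $fwcmd add 300 pass tcp from any to ${dweb} 80 in recv ${oif} setup
    $fwcmd add 300 pass tcp from any to ${dweb} 80 out xmit ${dif}

    # Everything else is denied and logged
    $fwcmd add 65534 deny log ip from any to any
}
```

Run `dmz_rules echo` to review the generated rule set before loading it with `dmz_rules /sbin/ipfw` on a flushed table.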