Date: Thu, 5 Jul 2001 21:36:42 -0700
From: "Crist J. Clark"
To: Robert Banniza
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Still can't get it to work...
Message-ID: <20010705213642.B308@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <2059229442.994196674@[192.168.2.94]>
In-Reply-To: ; from robert@rootprompt.net on Thu, Jul 05, 2001 at 09:55:38PM -0700

On Thu, Jul 05, 2001 at 09:55:38PM -0700, Robert Banniza wrote:
> I cannot for the absolute life of me get IPFW to work with three NICs. All I
> want to do is to:
>
> 1) Pass all traffic from internal network (192.168.1.0/24) to go out to 'net
> or to the DMZ.
> 2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
> addresses (208.53.161.252/30)
> 3) Allow no traffic from DMZ to flow back into internal network.
> 3) Block external interface from RFC1918 spoofed addresses
>
> My network is broken up into the following segments:
>
> xl0 - external interface (208.53.161.248/30)
> fxp0 - internal interface (192.168.1.0/24)
> fxp1 - optional interface (208.53.161.252/30)
>
> I'm using default deny which I feel is safest and compensates for human
> error more so than default allow.

If you can't get it to _work,_ first thing to do is,

  00100 divert natd ip from any to any via xl0
  00200 pass ip from any to any

And make sure that works. If you can't get it to run at all, I'd suspect
a routing or interface problem before ipfw(8). ipfw(8) really doesn't
care how many NICs you are using. Once you verify it works, remove the
'pass ip any to any' and start placing more and more restrictive rules.
-- 
Crist J. Clark                          cjclark@alum.mit.edu
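The reply stops at the two-rule starting point; the following script, added here as a worked example and not code from either poster, carries the process through to a complete default-deny ruleset for the three-interface layout the original question describes. It is written in the style of FreeBSD's rc.firewall. The interface names and networks come from the thread; the rule numbers, the FWCMD dry-run switch and the use of keep-state/check-state are my assumptions, as is the assumption that natd(8) is started on xl0 with -unregistered_only so that the DMZ's real addresses are not rewritten on their way out.

```shell
#!/bin/sh
# Added example, not the poster's script: an ipfw(8) ruleset for the
# three-interface layout in the thread (xl0 external, fxp0 internal,
# fxp1 DMZ), built up the way the reply suggests: NAT first, then
# progressively tighter rules under default deny.
# Assumptions: rule numbers, the FWCMD dry-run switch, the stateful design,
# and natd(8) running on xl0 with -unregistered_only (so DMZ hosts' public
# source addresses are left alone).

oif="xl0"                   # external interface
iif="fxp0"                  # internal interface
dif="fxp1"                  # DMZ ("optional") interface
inet="192.168.1.0/24"       # internal network
dnet="208.53.161.252/30"    # DMZ network (real addresses)

# Set FWCMD=echo to print the rules instead of loading them.
apply_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"

    ${fwcmd} -f flush

    # RFC 1918 sources never legitimately arrive on the external interface;
    # drop them before natd ever sees them.
    ${fwcmd} add 50 deny ip from 10.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 60 deny ip from 172.16.0.0/12 to any in via ${oif}
    ${fwcmd} add 70 deny ip from 192.168.0.0/16 to any in via ${oif}

    # The reply's first rule: translate everything crossing the external
    # interface. Diverted packets re-enter the ruleset just after this rule.
    ${fwcmd} add 100 divert natd ip from any to any via ${oif}

    # Replies to flows created by the keep-state rules below are matched
    # here, after NAT, so inbound replies already carry internal addresses.
    ${fwcmd} add 150 check-state

    # Nothing the DMZ originates may reach the internal network. Replies to
    # internally initiated flows were already accepted at rule 150.
    ${fwcmd} add 300 deny ip from ${dnet} to ${inet}

    # The internal network may go anywhere (Internet or DMZ); keep-state
    # lets the answers back in through rule 150.
    ${fwcmd} add 400 allow ip from ${inet} to any in via ${iif} keep-state

    # Second pass of an outbound packet, after natd has rewritten its source.
    ${fwcmd} add 420 allow ip from any to any out via ${oif}

    # Published DMZ services: 'setup' admits only the SYN, the rest of each
    # connection rides on the dynamic entry.
    ${fwcmd} add 500 allow tcp from any to ${dnet} 22,25,80,443 setup keep-state
    ${fwcmd} add 510 allow udp from any to ${dnet} 53 keep-state

    # Explicit, logged default deny (the kernel's rule 65535 denies anyway).
    ${fwcmd} add 65000 deny log ip from any to any
}

# Default action is a dry run; pass 'load' to install the rules.
case "${1:-print}" in
    load)  FWCMD="/sbin/ipfw"; apply_rules ;;
    *)     FWCMD="echo";       apply_rules ;;
esac
```

Run it with no argument to see the rules it would load, and with `load` as root to install them. The ordering is the point: the anti-spoof denies sit before the divert, check-state sits after it so that natd has already restored the internal destination on inbound replies, and the DMZ-to-internal deny at 300 sits before the permissive rules so it catches everything the dynamic entries did not. Outbound connections originated by DMZ hosts are not in the thread's requirements and are left denied here.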