Date: Thu, 4 Oct 2001 16:39:33 -0400 From: "Oliver, Michael W." <oliver.michael@gargantuan.com> To: 'Daniel Fairs' <daniel.fairs@spiderplant.net>, Patrick O'Reilly <patrick@mip.co.za>, FreeBSD Question List <freebsd-questions@freebsd.org> Subject: RE: Firewalling again Message-ID: <1DA741CA6767A144BAA4F10012536C27A8CA@LKLDDC01.GARGANTUAN.COM>
If you have a /29, then your network address is 213.2.28.64, the usable host addresses are 213.2.28.65-70, and 213.2.28.71 is the broadcast address for that network. If you have any doubts about where the networks break, check out my table at http://michael.gargantuan.com/me/ipsubaddr.htm.

I hope this helps.

===========
Michael Oliver

> -----Original Message-----
> From: Daniel Fairs [mailto:daniel.fairs@spiderplant.net]
> Sent: Thursday, October 04, 2001 8:53 AM
> To: Patrick O'Reilly; FreeBSD Question List; daniel.fairs@spiderplant.net
> Subject: RE: Firewalling again
>
> Hi Patrick,
>
> Yes. I've taken a step back and realised the config is a bit all over the
> place. I have been hindered a bit by the inaccurate documentation of my
> predecessor, which led to me being one IP 'out' on everything. Oooops.
>
> It transpires that we in fact have allocated to us the 8 IPs 213.2.28.63
> to 213.2.28.70 inclusive - on one subnet. So that's expressed as
> 213.2.28.63/29, yes? (This whole thing is not helped by the fact that I'm
> only just getting to grips with CIDR notation ;). That gives 213.2.28.63
> as the subnet IP and 213.2.28.70 as the net broadcast address. (Guess I'd
> better move the firewall off of .70 then.)
>
> I guess, then, that I need to talk to my ISP about splitting the /29 into
> two /30s? Then I'd have:
>
> .63 - subnet 1 IP
> .64 - Firewall external IP
> .65 - DSL Router IP
> .66 - subnet 1 broadcast
>
> .67 - subnet 2 IP
> .68 - Mailserver IP
> .69 - unused
> .70 - subnet 2 broadcast
>
> Does that make sense? Or am I getting the wrong end of the stick?
>
> Something I find a little concerning in my predecessor's docs is that our
> ISP seems to have taken one of our IPs (currently .64) for 'internal use'.
> Is this normal? Or do they just have a weird system?
>
> T very much IA!
> Cheers,
> Dan
>
> > -----Original Message-----
> > From: Patrick O'Reilly [mailto:patrick@mip.co.za]
> > Sent: 04 October 2001 12:31
> > To: FreeBSD Question List; daniel.fairs@spiderplant.net
> > Subject: RE: Firewalling again
> >
> > Daniel,
> >
> > Before we even touch the firewall rules, it looks like your subnets are
> > all mixed up. That will stop things from working!
> >
> > You mention 213.2.28.70/29 on xl2. That means the network runs from .64
> > to .71. Then you say you have 213.2.28.69/30 on xl1. That indicates a
> > network from .68 to .71. These overlap - BAD! Also, your mailserver, if
> > it is configured as you say (213.2.28.68/30) is on an invalid IP, as .68
> > is the ip of the subnet - it is not valid for a host.
> >
> > If you give me your subnets allocated by your ISP, I'll send info about
> > how to set the interfaces in rc.conf. Your ISP should have given you a
> > subnet for the DMZ (probably the /29 you mentioned), and you should have
> > another subnet (a /30) for the DSL connection.
> >
> > Patrick.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@FreeBSD.ORG
> > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> > daniel.fairs@spiderplant.net
> > Sent: 04 October 2001 10:21
> > To: freebsd-questions@FreeBSD.ORG
> > Subject: Firewalling again
> >
> > Hi All,
> >
> > Apologies if this message appears twice, but my normal SMTP server
> > appears to have died. Right...
> >
> > Hi,
> >
> > I have a firewall box with three NICs, xl0 (internal), xl1 (DMZ - public
> > servers), and xl2 (DSL connection). I only added the single machine (the
> > mailserver) in the DMZ today - the public and private interfaces have
> > worked and continue to work happily. However, I am having trouble
> > formulating rules for the machine on the DMZ.
> >
> > The network configuration is such that I have a 192.168.0.0/24 on xl0,
> > 213.2.28.70/29 on xl2 (defaultrouter is 213.2.28.65, the DSL box) and
> > 213.2.28.69/30 on xl1. The mailserver has IP 213.2.28.68/30.
> >
> > Here's my current attempt (the lines before rule 500 are those I've
> > added)
> >
> > thor# ipfw s
> > 00010        0           0 allow tcp from any to 213.2.28.68 25 setup
> > 00020        0           0 allow tcp from 213.2.28.68 to any setup
> > 00030        0           0 allow tcp from any to any via xl1 established
> > 00040       79        6636 allow icmp from any to any via xl1
> > 00500 19302090 11240110875 divert 8668 ip from any to any via xl2
> > 00600        0           0 check-state
> > 00700      135       42478 deny log logamount 100 ip from 10.0.0.0/8 to any in recv xl2
> > 00800       52       17671 deny log logamount 100 ip from 172.16.0.0/12 to any in recv xl2
> > 00810      148       72141 deny log logamount 100 ip from 192.168.0.0/16 to any in recv xl2
> > 01100    14534     1261038 allow icmp from any to any
> > 01500   354781    54370955 allow udp from any to any keep-state via xl0
> > 01550 37298975 22388737248 allow tcp from any to any established
> > 01800   474155    23294472 allow tcp from 213.2.28.64/29 to any setup
> > 01900    95864     7130172 allow udp from 213.2.28.64/29 to any keep-state
> > 02000   472803    23236256 allow tcp from any to any via xl0 setup
> > 65535    10191      919453 deny ip from any to any
> >
> > Now, when I do a ping from the mailserver to the DMZ NIC on the firewall
> > while running tcpdump on xl1 on the firewall, I see:
> >
> > thor# tcpdump -n -i xl1
> > tcpdump: listening on xl1
> > 17:59:30.661254 213.2.28.68 > 213.2.28.69: icmp: echo request
> > 17:59:31.671257 213.2.28.68 > 213.2.28.69: icmp: echo request
> > 17:59:32.681251 213.2.28.68 > 213.2.28.69: icmp: echo request
> > 17:59:33.691274 213.2.28.68 > 213.2.28.69: icmp: echo request
> > ^C
> > 5 packets received by filter
> > 0 packets dropped by kernel
> >
> > ... and of course, no replies.
> >
> > Why is the firewall not replying? Surely rule 40 should permit it to? I
> > take it that everything relating to the DMZ *does* have to live before
> > the line that feeds things into NAT...
> >
> > (btw, this is a preliminary config - I know there are several things
> > that need tightening up.)
> >
> > Any thoughts?
> > Cheers,
> > Dan
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
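Added example, not code from the thread or from any of its posters: the subnet arithmetic behind Michael's and Patrick's replies, worked through with Python's standard ipaddress module on the addresses Dan quoted. It shows why 213.2.28.70/29 means the block .64-.71, why 213.2.28.69/30 and 213.2.28.68/30 sit inside that block (overlap), why .68 cannot be a host in a .68/30, and why 213.2.28.63/29 is not a subnet at all. The interface table at the bottom is constructed from Dan's mail, not captured from his hosts; the 192.168.0.0/24 on xl0 is left out because he gave it as a network rather than as an interface address.

```python
"""Subnet checks for the addresses discussed in the thread (added example)."""
import ipaddress
from itertools import combinations


def subnet_summary(cidr: str) -> dict:
    """Network, usable host range and broadcast for an interface address.

    ip_interface() accepts an address with host bits set (213.2.28.70/29)
    and derives the containing network, which is what an ifconfig line in
    rc.conf actually means.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # hosts() is empty for a /32 on older Pythons; fall back to the address.
    hosts = list(net.hosts()) or [net.network_address]
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def is_subnet_boundary(cidr: str) -> bool:
    """True if the address is the first address of a block of that prefix.

    strict=True rejects host bits, so 213.2.28.63/29 fails: the /29 that
    contains .63 starts at .56, not .63.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def is_usable_host(cidr: str) -> bool:
    """False for the network and broadcast addresses (prefixes shorter than /31)."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def find_conflicts(interfaces: dict) -> list:
    """Report unusable host addresses and overlapping, non-identical networks.

    Two interfaces on the *same* network (xl1 and the mailserver) are fine;
    two *different* networks that overlap (a /30 carved out of a /29 that is
    also configured whole) are the problem Patrick points out.
    """
    problems = []
    for name, cidr in interfaces.items():
        if not is_usable_host(cidr):
            net = ipaddress.ip_interface(cidr).network
            problems.append(
                f"{name}: {cidr} is the network or broadcast address of {net}")
    for (n1, c1), (n2, c2) in combinations(interfaces.items(), 2):
        net1 = ipaddress.ip_interface(c1).network
        net2 = ipaddress.ip_interface(c2).network
        if net1 != net2 and net1.overlaps(net2):
            problems.append(f"{n1} ({net1}) overlaps {n2} ({net2})")
    return problems


def split(cidr: str, new_prefix: int) -> list:
    """Split a block into equal smaller blocks, e.g. one /29 into two /30s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


# Constructed from the addresses in Dan's original post (not a real host).
THREAD_INTERFACES = {
    "xl2 (DSL)": "213.2.28.70/29",
    "xl1 (DMZ)": "213.2.28.69/30",
    "mailserver": "213.2.28.68/30",
}

if __name__ == "__main__":
    for name, cidr in THREAD_INTERFACES.items():
        print(name, subnet_summary(cidr))
    for problem in find_conflicts(THREAD_INTERFACES):
        print("CONFLICT:", problem)
    print("213.2.28.63/29 is a subnet start:", is_subnet_boundary("213.2.28.63/29"))
    print("213.2.28.64/29 split into /30s:", split("213.2.28.64/29", 30))
```

Running it flags three problems in Dan's layout: the mailserver's .68 is the network address of .68/30, and both .68/30 configurations overlap the .64/29 on xl2. The split() call also answers his "two /30s" question with the real boundaries: .64/30 (hosts .65-.66, broadcast .67) and .68/30 (hosts .69-.70, broadcast .71), which is his table shifted up by one.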
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1DA741CA6767A144BAA4F10012536C27A8CA>