From: Chuck Swiger (cswiger@mac.com)
Organization: The Courts of Chaos
Date: Sun, 12 Mar 2006 09:27:05 -0500
To: Dave Johnson
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW problem
Message-ID: <44142FB9.40009@mac.com>
List-Id: Networking and TCP/IP with FreeBSD

Dave Johnson wrote:
> Hi all
>
> I am having a problem with ipfw.
>
> Please have a look at www.pastebin.com/597707
>
> I could not ping anything, so I hashed out lines 62 & 70.
>
> Now I can ping 192.168.0.2 but not 192.168.0.1.
>
> Also browsing and email are not working.

Um. Your IPFW rules don't seem to make a whole lot of sense [1], but I would imagine the specific problem is:

    53 $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif

...try adding the log keyword to each deny line and you will get more useful information from the packet filter rules.

-- 
-Chuck

[1]: Please re-examine the sample rulesets in /etc/rc.firewall, and be aware that you need to adjust your anti-spoofing rules if you actually use RFC-1918 unroutable subnets, which you seem to be doing. The fact that your "external interface" is pointing to a 192.168.0.1 default router means that some other device is already doing NAT, so you should possibly re-evaluate doing NAT on the FreeBSD system as well. Chaining multiple levels of NAT translation together is generally painful without even considering the difficulty of setting up sane firewall rules to describe the topology.
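The two checks Chuck suggests (deny rules without the log keyword, and an RFC-1918 anti-spoofing rule on the "external" interface that swallows the 192.168.0.1 default router itself), as an added example that is not part of the original thread: a small Python audit run over a constructed ruleset in the style of /etc/rc.firewall. The poster's pastebin is not on the page, so the sample rules, $pif as the external interface and 192.168.0.1 as its gateway are assumptions.

```python
import ipaddress
import re

# Constructed sample ruleset in the style of /etc/rc.firewall, not the poster's
# pastebin (which is not on the page). $pif as the external interface and
# 192.168.0.1 as its default router are assumptions taken from the thread.
SAMPLE_RULES = """\
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
$cmd 00400 allow tcp from any to any out via $pif setup keep-state
$cmd 00500 deny log all from any to any
"""

# "$cmd NNNNN action [log] proto from src to dst [options...]"
RULE_RE = re.compile(
    r"^\$cmd\s+(\d+)\s+(allow|deny)\s+(?:(log)\s+)?(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$"
)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None  # comment, blank line, or a form this toy parser ignores
    num, action, log, proto, src, dst, rest = m.groups()
    return {"num": int(num), "action": action, "log": log is not None,
            "proto": proto, "src": src, "dst": dst, "opts": rest.split()}

def src_matches(src, ip):
    """True if the rule's source spec (any, host, or CIDR) covers ip."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False  # hostname or $variable; cannot be resolved offline

def audit_ruleset(text, ext_iface="$pif", gateway="192.168.0.1"):
    """Report deny rules lacking 'log' and inbound denies on ext_iface that drop the gateway."""
    unlogged, blocks_gateway = [], []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None or r["action"] != "deny":
            continue
        if not r["log"]:
            unlogged.append(r["num"])
        o = r["opts"]
        inbound_on_ext = "in" in o and "via" in o[:-1] and o[o.index("via") + 1] == ext_iface
        if inbound_on_ext and src_matches(r["src"], gateway):
            blocks_gateway.append(r["num"])
    return {"unlogged_denies": unlogged, "gateway_blocked_by": blocks_gateway}
```

On the sample, rule 00300 is reported both as unlogged and as the rule that drops replies from the 192.168.0.1 router, which is exactly the symptom in the thread.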