From owner-freebsd-ipfw Fri Nov 10 13:13: 9 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12])
	by hub.freebsd.org (Postfix) with ESMTP id 46ED337B479;
	Fri, 10 Nov 2000 13:13:00 -0800 (PST)
Received: from [128.130.111.75] (procyon [128.130.111.75])
	by vexpert.dbai.tuwien.ac.at (8.9.3/8.9.3) with ESMTP id WAA15847;
	Fri, 10 Nov 2000 22:12:57 +0100 (MET)
Date: Fri, 10 Nov 2000 22:13:00 +0100 (CET)
From: Toni Pisjak
Reply-To: Admin
To: ,
Cc: Admin
Subject: Re: Problem: Setup ipfw Firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello!

(Sorry to the "ipfw" mailing list, but I didn't get an answer from
freebsd-questions; perhaps you can help me.)

I have problems setting up a firewall on FreeBSD 4.1. I still work with my
simple test configuration (firewall between two clients):

  client-0                  firewall                  client-1

  .111.29/:4b:a8----------.111.9/:97:55
  (= IP/MAC)                          .111.9/:9b:1f-----------.112.50/:a2:59

Can anybody tell me if the following conditions are sufficient to forward
packets through an "open" (i.e. with rule "allow all from any to any")
firewall, because this is what I'm not able to do:

- Install two NICs into the firewall (the two NICs have the same IP number)
- Build a new kernel with options IP_FIREWALL and IPFIREWALL_VERBOSE
  Is the kernel option BRIDGE necessary or harmful, or does it not matter?
- Routing tables shown below
- Apply the firewall rule "allow all from any to any", or the rules
  "allow all from to via "

Another question: Is the decision which NIC a packet is sent to made only
through the firewall rules, or is there something else to do?

Thanks in advance: Toni.


On Tue, 7 Nov 2000, Toni Pisjak wrote:

> Hello!
>
> I have problems setting up a firewall on FreeBSD 4.1, though I am following
> the directions in the FreeBSD handbook. I made a special (e.g. simple) test
> configuration, shown in the following draft (firewall between two clients,
> shown with abbreviated IP address / MAC address):
>
>
>   client-0                  firewall                  client-1
>
>   .111.29/:4b:a8----------.111.9/:97:55
>                                       .111.9/:9b:1f-----------.112.50/:a2:59
>
>
> Because the kernel variable net.inet.ip.forwarding is set to 1, I think
> that packets arriving on one firewall NIC should be forwarded to the other
> NIC, considering the following configuration:
>
> The firewall routing table:
>
> Destination        Gateway            Flags   Refs   Use   Netif  Expire
> --------------------------------------------------------------------------
> default            xxx.yyy.111.1      UGSc       0     0   fxp0
> 127.0.0.1          127.0.0.1          UH         0     0   lo0
> xxx.yyy            link#2             UC         0     0   fxp1   =>
> xxx.yyy.111/25     link#1             UC         0     0   fxp0   =>
> xxx.yyy.111.1      link#1             UHLW       1     0   fxp0   =>
> --------------------------------------------------------------------------
> xxx.yyy.111.29     ...:a2:59          UHLW       1    21   fxp0      725
> xxx.yyy.112.50     ...:4b:a8          UHLW       0     7   fxp1       83
>
> The first five routes are the default routes; the last two routes were
> added when I did a ping from the clients to the firewall. These last two
> routes (surprisingly?) have the schema:
>   dest = ; gateway = <*client* mac address>
>                       ^^^^^^
>
>
> The routing table of client0 (client1 is analogous; the firewall should be
> transparent, so I don't want to write it into the routes):
>
> Destination        Gateway            Flags   Netif  Expire
> -------------------------------------------------------------------
> ...111.0           ...111.29
> ...default         ...111.29
>
>
> The firewall rules I tried were:
>
> 1. allow all from any to any
> 2. allow all from client0 to client1 in via NIC0
>    allow all from -"- out via NIC1
>    allow all from client1 to client0 in via NIC1
>    allow all from -"- out via NIC0
>
> In both cases pinging between the firewall and client0/1 works, but pinging
> between the two clients fails (in the case of *directly* connected clients
> (without firewall), ping works with the above configuration).
>
> "tcpdump" (running on the firewall) shows that the ping request reaches
> the firewall at the appropriate NIC, but there's no output to the other
> NIC (i.e. no forwarding).
>
> PS: Another strange thing: If the firewall NICs are both set to the IP
> address ...111.9 via *rc.conf*, pinging from client1 to the firewall via
> NIC-1 does *not* work after booting. But if I *then* set the IP address
> manually (ifconfig), the following error message appears ...:
>
>   /kernel: rtinit: wrong ifa (0xc0e00480) was (0xc0e00700)
>
> ... but ping works (!).
>
>
> Any suggestions?
>
> Thanks in advance: Toni.
>
>
> PPS:
>
> Excerpt of my /etc/rc.conf:
> ---------------
> ifconfig_fxp1="inet xxx.yyy.111.9 netmask 255.255.255.128"
> ifconfig_fxp0="inet xxx.yyy.111.9 netmask 255.255.255.128"
> hostname="aaa.bbb.ccc.ddd"
> router_enable="NO"
> gateway_enable="YES"
> defaultrouter="xxx.yyy.111.1"
> firewall_enable="YES"
> tcp_extensions="NO"
> ----------------
>
> Additions to the GENERIC kernel:
> --------------------
> options IPFIREWALL
> options IPFIREWALL_VERBOSE

-- 
Toni Pisjak
Technische Universitaet Wien
pisjak@dbai.tuwien.ac.at
http://www.dbai.tuwien.ac.at
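Added example, not part of the original thread: a small checker that parses rc.conf `ifconfig_<if>="inet ... netmask ..."` lines like the ones quoted above and flags two interfaces that share an address or sit in overlapping subnets, the addressing pattern a host with net.inet.ip.forwarding=1 cannot route between. The masked `xxx.yyy` octets are replaced with the 192.0.2 documentation prefix, which is an assumption, not a value from the post.

```python
"""Lint FreeBSD rc.conf ifconfig_* lines for a two-NIC forwarding host."""
import ipaddress
import re

# Constructed sample modelled on the rc.conf excerpt in the post; the masked
# "xxx.yyy" octets are replaced with the documentation prefix 192.0.2
# (an assumption, not a value taken from the post).
SAMPLE_RC_CONF = """
ifconfig_fxp1="inet 192.0.2.9 netmask 255.255.255.128"
ifconfig_fxp0="inet 192.0.2.9 netmask 255.255.255.128"
hostname="aaa.bbb.ccc.ddd"
gateway_enable="YES"
"""

# Matches: ifconfig_<ifname>="inet <address> netmask <dotted-mask>"
IFCONFIG_RE = re.compile(r'^ifconfig_(\w+)="inet\s+(\S+)\s+netmask\s+(\S+)"')


def parse_interfaces(rc_conf):
    """Return {ifname: IPv4Interface} for each ifconfig_<if>="inet ..." line."""
    ifaces = {}
    for line in rc_conf.splitlines():
        m = IFCONFIG_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def check_forwarding_config(ifaces):
    """Return a list of problems; empty means every NIC owns a distinct subnet.

    A forwarding host picks the egress interface by destination prefix, so two
    NICs with the same address, or with overlapping prefixes, leave the kernel
    with no unambiguous interface for traffic between the two segments.
    """
    problems = []
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia, ib = ifaces[a], ifaces[b]
            if ia.ip == ib.ip:
                problems.append(f"{a} and {b} share address {ia.ip}")
            if ia.network.overlaps(ib.network):
                problems.append(f"{a} ({ia.network}) overlaps {b} ({ib.network})")
    return problems


if __name__ == "__main__":
    for problem in check_forwarding_config(parse_interfaces(SAMPLE_RC_CONF)):
        print("PROBLEM:", problem)
```

Moving one NIC to its own prefix (for example 192.0.2.129/25 on fxp1) makes the checker return an empty list.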