From owner-freebsd-questions Fri Nov 10 13:58:27 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 1F15737B479; Fri, 10 Nov 2000 13:58:22 -0800 (PST)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id OAA20849; Fri, 10 Nov 2000 14:58:17 -0700 (MST)
Date: Fri, 10 Nov 2000 14:58:17 -0700 (MST)
From: Nick Rogness
To: Admin
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Problem: Setup ipfw Firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 10 Nov 2000, Toni Pisjak wrote:

> Hello!
>
> (Sorry to the "ipfw" mailing list, but I didn't get an answer from
> freebsd-questions; perhaps you can help me.)
>
> I have problems setting up a firewall on FreeBSD 4.1. I still work
> with my simple test configuration (firewall between two clients):
>
>   client-0                  firewall                   client-1
>
>   .111.29/:4b:a8----------.111.9/:97:55
>   (= IP/MAC)              .111.9/:9b:1f-----------.112.50/:a2:59
>
> Can anybody tell me if the following conditions are sufficient to
> forward packets through an "open" (i.e. with rule "allow all from any to
> any") firewall, because this is what I'm not able to do.
>
> - Install two NICs into the firewall (the two NICs have the same IP number)

	Not a good idea to have 2 NICs with the same IP. The NIC with MAC
	of :9b:1f should have an IP on the 112.X network...if you want to
	route.

> - Build new kernel with options IP_FIREWALL and IPFIREWALL_VERBOSE
>   Is the kernel option BRIDGE necessary or harmful, or does it not matter?

	If Client0 and Client1 are on the same network (logical) then you
	will want to BRIDGE. If not, then route. It appears in the above
	example that the 2 networks are on different (layer 3) networks,
	so route!
> Another question: Is the decision to send a packet to which NIC only made
> through the firewall rules, or is there another thing to do?

	No. The routing decisions are made by the FreeBSD routing
	internals, not the firewalling. Firewalling looks at those packets
	and performs actions based on rules. There are, of course, certain
	instances when firewalling can change a packet's destination, etc.,
	like the fwd option of ipfw.

Nick Rogness
- Drive defensively. Buy a tank.
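The routed two-NIC layout Nick recommends, plus the route-or-bridge decision and the "open" ipfw ruleset from the question, as an added example that is not part of the original thread. It is a plain sh script, not FreeBSD's rc.firewall: the interface names fxp0/fxp1, the full addresses 10.0.111.x and 10.0.112.x (the post only shows the last two octets), the /24 masks, the file name /etc/ipfw.rules and the fwd target are all assumptions, and the bridge sysctl names are the ones documented in bridge(4) for 4.x, so check your release's manpage before relying on them.

```sh
#!/bin/sh
# Added example (not from the original post). Decides whether a two-NIC
# FreeBSD box between two clients should route or bridge, checks that the two
# firewall NICs do not share one address, and emits rc.conf / ipfw fragments.
# Interface names, full addresses, masks and file names below are assumed.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> "yes" if both lie in one layer-3 network
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    n1=$(( $(ip_to_int "$1") & mask ))
    n2=$(( $(ip_to_int "$2") & mask ))
    [ "$n1" -eq "$n2" ] && echo yes || echo no
}

# decide_mode CLIENT0_IP CLIENT1_IP PREFIXLEN -> "bridge" or "route"
# (same logical network: bridge; different networks: route, as in the reply)
decide_mode() {
    if [ "$(same_subnet "$1" "$2" "$3")" = yes ]; then echo bridge; else echo route; fi
}

# nic_addrs_ok FW_IP0 FW_IP1 PREFIXLEN -> "ok", or why the routed setup is wrong
# A router needs a distinct address on each of the networks it joins.
nic_addrs_ok() {
    if [ "$1" = "$2" ]; then echo same-ip
    elif [ "$(same_subnet "$1" "$2" "$3")" = yes ]; then echo same-network
    else echo ok
    fi
}

# rcconf_fragment MODE -> rc.conf lines for the chosen mode (fxp0/fxp1 assumed)
rcconf_fragment() {
    case "$1" in
    route) cat <<'EOF'
# one address per NIC, each on its own network (never the same IP twice)
ifconfig_fxp0="inet 10.0.111.9 netmask 255.255.255.0"
ifconfig_fxp1="inet 10.0.112.1 netmask 255.255.255.0"
gateway_enable="YES"            # sets net.inet.ip.forwarding=1
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"   # assumed path; rc.firewall loads a readable file
EOF
    ;;
    bridge) cat <<'EOF'
# kernel built with options BRIDGE; sysctl names per bridge(4) on 4.x
ifconfig_fxp0="inet 10.0.111.9 netmask 255.255.255.0"
ifconfig_fxp1="up"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
# in /etc/sysctl.conf: net.link.ether.bridge=1
#                      net.link.ether.bridge_cfg=fxp0,fxp1
#                      net.link.ether.bridge_ipfw=1   # let ipfw see bridged frames
EOF
    ;;
    esac
}

# ipfw_rules -> the "open" ruleset from the question, plus a commented fwd rule
ipfw_rules() {
    cat <<'EOF'
# /etc/ipfw.rules (assumed name), one ipfw command per line
add 100 allow ip from any to any
# fwd rewrites the next hop instead of letting the routing table decide; it
# needs options IPFIREWALL_FORWARD in the kernel. Example target is assumed:
# add 200 fwd 10.0.112.50 tcp from any to 10.0.111.9 80
EOF
}

# Driver: the post's topology with assumed leading octets
MODE=$(decide_mode 10.0.111.29 10.0.112.50 24)
echo "client networks differ -> $MODE"
echo "firewall NIC check: $(nic_addrs_ok 10.0.111.9 10.0.111.9 24) (the post's setup)"
echo "firewall NIC check: $(nic_addrs_ok 10.0.111.9 10.0.112.1 24) (corrected)"
rcconf_fragment "$MODE"
ipfw_rules
```

The two checks mirror the reply: decide_mode answers the BRIDGE-or-route question from the clients' addresses alone, and nic_addrs_ok flags the shared-IP configuration that stops forwarding before any ipfw rule is consulted, since routing happens in the kernel's routing code and the "allow all" rule never changes where a packet goes.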