Date: Thu, 26 Apr 2001 18:30:23 -0500 (EST)
From: Chris Hardie <chris@summersault.com>
To: <questions@freebsd.org>
Subject: Confusion about router/firewall traffic from router itself
Message-ID: <Pine.BSF.4.33.0104261819100.620-100000@nollie.summersault.com>
Greetings. I feel like the answer to this question is embedded in all of the related mailing list discussions and man pages, but I just can't seem to put the pieces together.

We have a FreeBSD 4.2 box acting as a router and firewall (ipfw) for our internal network. We have a range of (real) IP addresses that we use for all of the machines on our network, as most all of them require direct addressing from the outside world. The router has two NICs, one going to the ISP (xl1) and one going to the internal network (xl0):

/etc/rc.conf:

    ifconfig_xl1="inet 192.168.21.9 netmask 255.255.255.0"
    ifconfig_xl0="inet 208.196.32.193 netmask 255.255.255.192"
    defaultrouter="192.168.21.1"
    gateway_enable="YES"
    firewall_enable="YES"

All of our internal machines point to 208.196.32.193 as their gateway. I believe that 192.168.21.9 is the (RFC1918) IP address of the interface on our ISP's router that our connection goes to. We're not running natd.

So, things work fine. I can write firewall rules that work, and all of the internal hosts can reach the outside world and vice versa.

What doesn't work is traffic originating from the firewall box itself into the outside world. My understanding is that this is happening because it's standard for routers to deny traffic coming from 192.168.0.0/16 (in this case) and going to the outside world. As a result, "ping yahoo.com" returns "permission denied." If I alter the source address (using ping -S) to be the real IP of the firewall box, then this kind of traffic can get through.

So the question is, how do I configure things so that other kinds of traffic on the firewall box (like DNS queries, NTP queries, etc.) can get to the outside world, even though they're coming from a source address of 192.168.1.29? Is this a matter of different firewall rules that permit traffic with that source address (but still prevent RFC1918 spoofing), or is it a matter of finding some way to make the traffic come from the real IP address?

Or am I not understanding some basic concepts here? Any help is much appreciated.

Thanks,
Chris

-- 
Chris Hardie                         mailto:chris@summersault.com
                                     http://www.summersault.com/chris/
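The question at the end of the message (rules that permit the box's own source address while still preventing RFC1918 spoofing) is easier to reason about with a small model of how ipfw walks its rule list. The following is an added example by the editor, not code from the original message or from FreeBSD: it models only first-match evaluation on the router itself, not what the ISP's router does with a packet afterwards, and the rule numbers, rule contents and sample packets are assumptions (the interface names and addresses are taken from the post; 198.51.100.7 stands in for an arbitrary outside host). What it shows is that a deny rule naming only the source network also matches the box's own outbound packets, which leave xl1 with that interface's 192.168.21.9 address, whereas the same check written as `in recv xl0` still catches a 192.168/16 source arriving from the inside wire and leaves the router's own traffic alone. Note also that when ipfw on the box denies a locally generated packet, the sending program gets EACCES, which is the "Permission denied" that ping prints.

```python
"""Toy first-match evaluator for ipfw rules on the two-NIC router in the post.

Added example, not from the original message. It models only how ipfw on
the FreeBSD box itself walks an ordered rule list; it does not model what
the ISP's router does with a packet afterwards. Interface names (xl0, xl1)
and addresses come from the post; rule numbers, rule contents and sample
packets are the editor's assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's implicit last rule, "deny ip from any to any" here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" (arriving on iface) or "out" (leaving via iface)
    iface: str       # interface the packet is received on or transmitted from


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    src: str = "any"                 # host, CIDR, or "any"
    dst: str = "any"
    direction: Optional[str] = None  # None: matches both in and out
    iface: Optional[str] = None      # None: matches any interface

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return self._addr_ok(self.src, pkt.src) and self._addr_ok(self.dst, pkt.dst)

    def to_ipfw(self) -> str:
        """Render the rule in ipfw(8) syntax for comparison with a real ruleset."""
        text = f"ipfw add {self.number} {self.action} ip from {self.src} to {self.dst}"
        if self.direction == "in" and self.iface:
            text += f" in recv {self.iface}"
        elif self.direction == "out" and self.iface:
            text += f" out xmit {self.iface}"
        elif self.iface:
            text += f" via {self.iface}"
        elif self.direction:
            text += f" {self.direction}"
        return text


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins, as ipfw walks its list; falls through to rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", DEFAULT_RULE


# Ruleset A: the RFC1918 block written without an interface qualifier. It catches
# spoofed packets, but also the router's own packets, which leave xl1 with source
# 192.168.21.9 (the address the route to defaultrouter 192.168.21.1 selects).
UNSCOPED = [
    Rule(100, "deny", src="192.168.0.0/16"),
    Rule(200, "allow"),
]

# Ruleset B: anti-spoof scoped to where a spoofed source could actually arrive.
# Internal hosts all sit in 208.196.32.192/26, so a 192.168/16 source seen on xl0
# is always bogus; the router's own xl1 address is explicitly allowed out.
SCOPED = [
    Rule(100, "deny", src="192.168.0.0/16", direction="in", iface="xl0"),
    Rule(110, "allow", src="192.168.21.9", direction="out", iface="xl1"),
    Rule(120, "allow", src="208.196.32.192/26", direction="out", iface="xl1"),
    Rule(200, "deny", src="192.168.0.0/16", direction="out", iface="xl1"),
    Rule(300, "allow"),
]

# Constructed sample packets (not captured traffic); 198.51.100.7 is a placeholder outside host.
ROUTER_PING = Packet("192.168.21.9", "198.51.100.7", "out", "xl1")        # plain "ping" from the box
ROUTER_PING_S = Packet("208.196.32.193", "198.51.100.7", "out", "xl1")    # "ping -S 208.196.32.193"
SPOOF_FROM_INSIDE = Packet("192.168.77.5", "198.51.100.7", "in", "xl0")   # RFC1918 source on inside wire
INSIDE_HOST_OUT = Packet("208.196.32.200", "198.51.100.7", "out", "xl1")  # forwarded internal host, xl1 leg

if __name__ == "__main__":
    for name, rules in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(f"--- {name} ruleset ---")
        for r in rules:
            print("  " + r.to_ipfw())
        for pkt in (ROUTER_PING, ROUTER_PING_S, SPOOF_FROM_INSIDE, INSIDE_HOST_OUT):
            action, num = evaluate(rules, pkt)
            print(f"  {pkt.direction:>3} {pkt.iface} {pkt.src:>15} -> {pkt.dst}: {action} (rule {num})")
```

Running the script prints each ruleset rendered in ipfw syntax followed by the verdict for each sample packet: under the unscoped ruleset the router's own ping is denied by rule 100 while the `-S`-sourced one passes, matching the behaviour described in the post; under the scoped ruleset the router's ping is allowed by rule 110 and the spoofed inside packet is still dropped by rule 100. A forwarded packet passes ipfw twice in reality (once `in recv xl0`, once `out xmit xl1`); the model only evaluates the leg named in each sample packet.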