From owner-freebsd-questions Thu Jan 18 20:59:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 062B437B400 for ; Thu, 18 Jan 2001 20:59:14 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 18 Jan 2001 20:57:20 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.0) id f0J4x5X76318; Thu, 18 Jan 2001 20:59:05 -0800 (PST) (envelope-from cjc)
Date: Thu, 18 Jan 2001 20:59:04 -0800
From: "Crist J. Clark"
To: Trevin Chow
Cc: Bill Moran, questions@FreeBSD.ORG
Subject: Re: NAT doesn't work with my firewall rules?
Message-ID: <20010118205904.C66998@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <5.0.2.1.2.20010118130802.02bfc808@mail.brightmail.com> <3A676681.A7EB136B@mail.iowna.com> <5.0.2.1.2.20010118151323.02be0e38@popserver.sfu.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <5.0.2.1.2.20010118151323.02be0e38@popserver.sfu.ca>; from tmchow@sfu.ca on Thu, Jan 18, 2001 at 03:14:40PM -0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Jan 18, 2001 at 03:14:40PM -0800, Trevin Chow wrote:
> At 04:56 PM 1/18/2001 -0500, Bill Moran wrote:
> > Also, what IP pool are you using on the internal interfaces?
>
> I'm using 192.168.x.x on the internal interfaces.
>
> >Post the full ruleset to the list.

You have not tried to do something from your internal network. It looks
like you are blocking all of the incoming traffic. Let's say one of your
machines on internal net tries to connect to a machine on the Internet.
The packet looks like it should get out. It would pass rule 1200 or 1300
coming in an interior interface. Then it would hit 300, get diverted and
aliased, come back in, then pass 1100 and go out the exterior interface.
On the way back... Trouble. The packet hits 300, gets diverted and
aliased, and then gets dropped at rule 400 or 700.

Try some traffic from the interior and see if the counts match.

> Here's the full output of `ipfw show`:
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 26 1744 divert 8668 ip from any to any via dc0
> 00400 0 0 deny ip from 192.168.0.0/24 to any in recv dc0
> 00500 0 0 deny ip from 209.53.0.0/18 to any in recv fxp0
> 00600 0 0 deny ip from 209.53.0.0/18 to any in recv fxp1
> 00700 0 0 deny ip from 192.168.0.0/16 to any in recv dc0
> 00800 0 0 deny ip from 172.16.0.0/12 to any in recv dc0
> 00900 0 0 deny ip from 224.0.0.0/4 to any
> 01000 0 0 deny ip from 10.0.0.0/8 to any in recv dc0
> 01100 12 984 allow ip from any to any out xmit dc0
> 01200 0 0 allow ip from any to any via fxp0
> 01300 0 0 allow ip from any to any via fxp1
> 01400 14 760 allow tcp from any to any in recv dc0 established
> 01500 0 0 allow tcp from 142.58.101.25 to 209.53.60.139 2626 setup
> 01600 0 0 allow tcp from 142.58.107.12 to 209.53.60.139 2626 setup
> 01700 0 0 allow log logamount 100 tcp from 142.58.101.25 to 209.53.60.139 2627 in recv dc0 setup
> 01800 0 0 allow log logamount 100 tcp from 142.58.107.12 to 209.53.60.139 2627 in recv dc0 setup
> 01900 0 0 allow log logamount 100 tcp from 24.71.46.74 to 209.53.60.139 2627 in recv dc0 setup
> 02000 0 0 allow log logamount 100 tcp from 209.53.63.29 to 209.53.60.139 2627 in recv dc0 setup
> 02100 0 0 allow log logamount 100 tcp from 24.113.38.121 to 209.53.60.139 2627 in recv dc0 setup
> 02200 0 0 allow tcp from any to 209.53.60.139 80 setup
> 02300 0 0 allow tcp from any to 209.53.60.139 25 setup
> 02400 0 0 allow tcp from 142.58.101.25 to 209.53.60.139 110 setup
> 02500 0 0 allow tcp from 24.113.77.121 to 209.53.60.139 110 setup
> 02600 0 0 allow udp from any 123 to 209.53.60.139
> 02700 0 0 allow udp from 209.53.60.139 to any 123
> 02800 0 0 allow udp from any to 209.53.60.139 53
> 02900 0 0 allow udp from 209.53.60.139 53 to any
> 03000 0 0 allow tcp from any to 209.53.60.139 53 setup
> 03100 0 0 allow tcp from any to 209.53.60.139 194
> 03200 0 0 allow udp from any to 209.53.60.139 194
> 03300 0 0 deny log logamount 100 tcp from any to any in recv dc0 setup
> 03400 0 0 allow icmp from any to any via fxp0
> 03500 0 0 allow icmp from any to any via fxp1
> 03600 0 0 allow icmp from any to any in recv dc0 icmptype 0
> 03700 0 0 allow icmp from any to any out xmit dc0 icmptype 8
> 03800 0 0 allow udp from any to any 33434-33523 out xmit dc0
> 03900 0 0 allow icmp from any to any via dc0 icmptype 3,4,11,12
> 65532 0 0 deny udp from any to any
> 65533 0 0 deny icmp from any to any
> 65534 0 0 deny log logamount 100 ip from any to any
> 65535 0 0 deny ip from any to any
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Crist J. Clark                          cjclark@alum.mit.edu
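The walk-through in the reply (packet enters on an inside interface, hits the divert rule on dc0, is rewritten by natd, re-enters the ruleset and is then judged by the rules that follow) can be checked mechanically. The following is an added example, not code from the thread, from FreeBSD or from natd: a small Python model of first-match ipfw evaluation with a natd-style divert, run over the subset of the quoted `ipfw show` ruleset that a UDP flow can touch. It assumes the re-injection behaviour described in the reply (a diverted packet continues at the rule after the divert), keeps ports 1:1 and ignores TCP flag options, and uses a constructed scenario: an internal client at 192.168.0.10 (hypothetical) behind fxp0 querying an external resolver at 198.51.100.53 (documentation address). The three legs (query in on fxp0, query out on dc0, reply in on dc0) are traced separately, which is what the reply asks the poster to do by comparing rule counters.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "209.53.60.139"  # the firewall's external address, from the quoted ruleset

@dataclass
class Rule:
    num: int
    action: str                  # "allow", "deny" or "divert"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"             # address or CIDR
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    dir: Optional[str] = None    # "in" (recv) / "out" (xmit); None means "via"
    iface: Optional[str] = None

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dir: str                     # "in" or "out"
    iface: str

def in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(r: Rule, p: Packet) -> bool:
    """Simplified ipfw match on protocol, addresses, ports and interface/direction."""
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (in_net(r.src, p.src) and in_net(r.dst, p.dst)):
        return False
    if (r.sport is not None and r.sport != p.sport) or (r.dport is not None and r.dport != p.dport):
        return False
    if (r.iface is not None and r.iface != p.iface) or (r.dir is not None and r.dir != p.dir):
        return False
    return True

class Natd:
    """Toy natd (constructed): outbound packets from private space get the public source
    address; replies to the public address are mapped back through a port table (1:1 ports)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}           # (proto, public port) -> (internal ip, internal port)

    def translate(self, p: Packet) -> Packet:
        if p.dir == "out" and ipaddress.ip_address(p.src).is_private:
            self.table[(p.proto, p.sport)] = (p.src, p.sport)
            return replace(p, src=self.public_ip)
        if p.dir == "in" and p.dst == self.public_ip and (p.proto, p.dport) in self.table:
            ip, port = self.table[(p.proto, p.dport)]
            return replace(p, dst=ip, dport=port)
        return p

def run(rules, nat: Natd, p: Packet):
    """First-match evaluation; a divert hands the packet to natd and the rewritten packet
    continues at the next rule. Returns (action, rule number, matched rules, final packet)."""
    matched = []
    for r in rules:
        if not rule_matches(r, p):
            continue
        matched.append(r.num)
        if r.action == "divert":
            p = nat.translate(p)
            continue
        return r.action, r.num, matched, p
    return "deny", 65535, matched, p  # ipfw's implicit default rule

# The rules from the quoted `ipfw show` output that a UDP flow can touch.
RULES = [
    Rule(300, "divert", iface="dc0"),
    Rule(400, "deny", src="192.168.0.0/24", dir="in", iface="dc0"),
    Rule(700, "deny", src="192.168.0.0/16", dir="in", iface="dc0"),
    Rule(1100, "allow", dir="out", iface="dc0"),
    Rule(1200, "allow", iface="fxp0"),
    Rule(2800, "allow", proto="udp", dst=PUBLIC_IP, dport=53),
    Rule(2900, "allow", proto="udp", src=PUBLIC_IP, sport=53),
    Rule(65532, "deny", proto="udp"),
]

def trace_dns_lookup(client="192.168.0.10", resolver="198.51.100.53"):
    """Constructed scenario: a client behind fxp0 queries an external resolver; each leg
    through the firewall (in on fxp0, out on dc0, reply in on dc0) is evaluated separately."""
    nat = Natd(PUBLIC_IP)
    query = Packet("udp", client, 40000, resolver, 53, "in", "fxp0")
    leg_in = run(RULES, nat, query)
    leg_out = run(RULES, nat, replace(query, dir="out", iface="dc0"))
    leg_reply = run(RULES, nat, Packet("udp", resolver, 53, PUBLIC_IP, 40000, "in", "dc0"))
    return leg_in, leg_out, leg_reply

if __name__ == "__main__":
    for leg in trace_dns_lookup():
        print(leg[:3], "dst now", leg[3].dst)
```

Running it shows the query allowed at 1200 on the way in and at 1100 on the way out (after matching 300 and having its source rewritten to 209.53.60.139). The reply also matches 300 and gets its destination rewritten back to 192.168.0.10, after which none of the rules written against 209.53.60.139 (2800, 2900) can match it any more and it falls through to 65532. That is the general pattern the reply describes: rules placed after the divert see the de-aliased packet, so they have to be written for the private addresses, and the `ipfw show` counters on 300, 1100 and the final deny rules are where the mismatch becomes visible.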