Date: Tue, 8 May 2007 11:40:58 -0400 (EDT)
From: Gardner Bell <gbell72@rogers.com>
To: freebsd-ipfw@freebsd.org
Message-ID: <853764.71287.qm@web88009.mail.re2.yahoo.com>
Subject: IPFW and NATD problem
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>

Hi all,

I've been following the IPFW section in the handbook and /etc/rc.firewall to try and set up a gateway for my home LAN, but I'm having a bit of trouble getting access to the internet.  My network setup looks like so.

192.168.x.x                     bge1 - 192.168.x.x       bge0 x.x.x.x
--LAN------------Switch---------FreeBSD-------------------------------ISP

Bge0 successfully receives an IP from my ISP's DHCP server and I can ping the LAN without any issues.  When it comes to accessing the internet I get a hostname lookup failure.

Any help resolving this is greatly appreciated.


Gardner

mx1# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in via bge0
00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
00600 deny ip from any to 10.0.0.0/8 via bge0
00700 deny ip from any to 172.16.0.0/12 via bge0
00800 deny ip from any to 192.168.0.0/16 via bge0
00900 deny ip from any to 0.0.0.0/8 via bge0
01000 deny ip from any to 169.254.0.0/16 via bge0
01100 deny ip from any to 192.0.2.0/24 via bge0
01200 deny ip from any to 224.0.0.0/4 via bge0
01300 deny ip from any to 240.0.0.0/4 via bge0
01400 divert 8668 ip from any to any in via bge0
01500 allow ip from any to any via bge1
01600 deny ip from 10.0.0.0/8 to any via bge0
01700 deny ip from 172.16.0.0/12 to any via bge0
01800 deny ip from 192.168.0.0/16 to any via bge0
01900 deny ip from 0.0.0.0/8 to any via bge0
02000 deny ip from 169.254.0.0/16 to any via bge0
02100 deny ip from 192.0.2.0/24 to any via bge0
02200 deny ip from 224.0.0.0/4 to any via bge0
02300 deny ip from 240.0.0.0/4 to any via bge0
02400 allow tcp from any to x.x.x.x dst-port 53 out via bge0 setup keep-state
02500 allow udp from any to x.x.x.x dst-port 53 out via bge0 keep-state
02600 allow udp from any to x.x.x.x dst-port 67 out via bge0 keep-state
02700 allow tcp from any to any dst-port 80 out via bge0 setup keep-state
02800 allow tcp from any to any dst-port 443 out via bge0 setup keep-state
02900 allow tcp from any to any dst-port 25 out via bge0 setup keep-state
03000 allow tcp from any to any dst-port 110 out via bge0 setup keep-state
03100 allow tcp from any to any dst-port 21 out via bge0 setup keep-state
03200 allow tcp from any to any dst-port 3724 out via bge0 setup keep-state
03300 allow icmp from any to any out via bge0 keep-state
03400 allow tcp from any to any dst-port 43 out via bge0 setup keep-state
03500 allow udp from any to any dst-port 123 out via bge0 keep-state
03600 reset tcp from any to any dst-port 113 in via bge0
03700 allow udp from x.x.x.x to any dst-port 68 in via bge0 keep-state
03800 deny tcp from any to any dst-port 137 in via bge0
03900 deny tcp from any to any dst-port 138 in via bge0
04000 deny tcp from any to any dst-port 139 in via bge0
04100 deny tcp from any to any dst-port 389 in via bge0
04200 deny tcp from any to any dst-port 445 in via bge0
04300 deny ip from any to any frag
04400 deny log logamount 3 ip from any to 255.255.255.255
65535 deny ip from any to any
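An added example, not part of Gardner's post: a small Python replay of one LAN-to-Internet packet through a subset of the rules listed above, to show which rule it hits on its outbound pass via bge0 (the packet, the outside DNS address and the second ruleset variant are constructed; the rule lines are copied from the listing). Because rule 01400 only matches `in`, a packet from the LAN is never handed to natd on the way out and falls through to rule 01800, which denies it; the variant with the divert written as plain `via bge0`, the way rc.firewall writes it, shows the divert catching the packet first.

```python
# Added example (not from the post): replay one LAN->Internet packet through
# the posted ipfw rules to find the first rule it hits on its way out via bge0.
import ipaddress
import re

# Rules copied from the post that such a packet can reach on its outbound pass;
# lines containing x.x.x.x are left out because they need the real addresses.
POSTED = """\
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0/24 to any in via bge0
01400 divert 8668 ip from any to any in via bge0
01500 allow ip from any to any via bge1
01800 deny ip from 192.168.0.0/16 to any via bge0
02700 allow tcp from any to any dst-port 80 out via bge0 setup keep-state
65535 deny ip from any to any
"""
# Constructed variant: the same rules with the divert matching both directions.
VARIANT = POSTED.replace("divert 8668 ip from any to any in via",
                         "divert 8668 ip from any to any via")

RULE_RE = re.compile(
    r"^(\d+) (\w+)(?: log logamount \d+| \d+)? (\w+) from (\S+) to (\S+)(.*)$")

def parse(text):
    """Turn `ipfw list` lines into (number, action, proto, src, dst, options)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, dst, opts = m.groups()
            rules.append((int(num), action, proto, src, dst, opts.split()))
    return rules

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(text, src, dst, proto, dport, direction, iface):
    """Return (rule number, action) of the first rule matching the packet."""
    for num, action, rproto, rsrc, rdst, opts in parse(text):
        rdir = "in" if "in" in opts else "out" if "out" in opts else None
        riface = opts[opts.index("via") + 1] if "via" in opts else None
        rport = int(opts[opts.index("dst-port") + 1]) if "dst-port" in opts else None
        if rproto not in ("ip", proto) or (rdir and rdir != direction):
            continue
        if (riface and riface != iface) or (rport and rport != dport):
            continue
        if addr_match(rsrc, src) and addr_match(rdst, dst):
            return num, action
    return None

# Constructed packet: a LAN host querying an outside resolver (RFC 5737 test address).
PKT = dict(src="192.168.1.10", dst="198.51.100.53", proto="udp", dport=53,
           direction="out", iface="bge0")
if __name__ == "__main__":
    print("posted :", first_match(POSTED, **PKT))   # (1800, 'deny')
    print("variant:", first_match(VARIANT, **PKT))  # (1400, 'divert')
```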