From owner-freebsd-security Sat Aug 19 22:58:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from amazhan.bitstream.net (amazhan.bitstream.net [216.243.128.132]) by hub.freebsd.org (Postfix) with SMTP id E103537B422 for ; Sat, 19 Aug 2000 22:58:18 -0700 (PDT)
Received: (qmail 25836 invoked from network); 20 Aug 2000 05:58:17 -0000
Received: from unknown (HELO copper) (216.243.168.19) by amazhan with SMTP; 20 Aug 2000 05:58:17 -0000
Date: Sat, 19 Aug 2000 22:56:55 -0700
From: Dan Debertin
X-Sender: airboss@copper.air-boss.net
To: Todd Backman
Cc: freebsd-security@freebsd.org
Subject: Re: Routing firewall w/ipfw questions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

First, as this is not exactly security-related, a better forum for this is -net (or -questions, but that list tends to have more questions than answers ;). Now, on to your question:

> Question:
> Is my reasoning flawed in regards to the routing portion of this setup?

Your subnetting plan looks fine to me. One thing that strikes me, though, is that you need to have a router on the external side that knows that your FreeBSD box is the next-hop router for the post-firewall /24. Is there such a router in your setup?

For example, let's say that your firewall's external interface is 1.1.1.6/29, and the internal is 1.1.2.1/24. There should be a router with an interface on the 1.1.1.0/29 subnet that "knows" that 1.1.2.0/24 is reached via 1.1.1.6. In Cisco syntax this would be

    ip route 1.1.2.0 255.255.255.0 1.1.1.6

or via the UNIX "route" command:

    route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6

Also, make sure you have a default gateway on your firewall pointing to that external router.

I am also assuming you've done the basic lower-layer checks for link lights, cable integrity, etc.

> Thanks for any help you might provide. Upon successful completion of this
> project I will document all *correct* procedures and post as I have not
> found any documentation on setting ipfw up for protecting an internal /24
> with a different subnet on the outside interface.

We've been doing this successfully for quite some time, so I assure you it's fairly standard ;).

~Dan D.

--
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
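The two checks Dan describes (the upstream router must have an interface on the outside /29 and a static route for the inside /24 via the firewall's outside address, and the firewall needs a default route back to that router) can be verified before touching any box. The script below is an added example, not code from the mail or from the list; it takes the mail's placeholder addresses (1.1.1.6/29 outside, 1.1.2.1/24 inside), checks that each address sits on the subnet it is supposed to, that the two subnets do not overlap, and then prints the rc.conf lines and the Cisco/UNIX static route each side needs. The upstream router address 1.1.1.1 and the interface names xl0/xl1 are assumptions for the dry run.

```shell
#!/bin/sh
# Added example: sanity-check a two-subnet routing-firewall plan and print
# the configuration each side needs. Addresses follow the mail's example;
# the upstream router (1.1.1.1) and interface names (xl0/xl1) are assumed.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# int_to_ip INTEGER -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_bits N -> integer netmask for a /N prefix (N in 0..32)
mask_bits() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# in_subnet ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(mask_bits "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# subnets_overlap A/P B/Q -> exit 0 if the two prefixes overlap
subnets_overlap() {
    in_subnet "${1%/*}" "$2" || in_subnet "${2%/*}" "$1"
}

# check_plan OUT_NET FW_OUT ROUTER IN_NET FW_IN -> prints "ok" or the first problem
check_plan() {
    out_net=$1 fw_out=$2 router=$3 in_net=$4 fw_in=$5
    if ! in_subnet "$fw_out" "$out_net"; then
        echo "firewall outside address $fw_out is not on $out_net"; return 1
    fi
    if ! in_subnet "$router" "$out_net"; then
        echo "upstream router $router is not on $out_net: the firewall's default route would be unreachable"; return 1
    fi
    if ! in_subnet "$fw_in" "$in_net"; then
        echo "firewall inside address $fw_in is not on $in_net"; return 1
    fi
    if subnets_overlap "$out_net" "$in_net"; then
        echo "outside and inside subnets overlap; routing between them is ambiguous"; return 1
    fi
    echo ok
}

# print_commands OUT_NET FW_OUT ROUTER IN_NET FW_IN -> config for the firewall
# and for the upstream router (Cisco and UNIX forms, as in the mail)
print_commands() {
    out_net=$1 fw_out=$2 router=$3 in_net=$4 fw_in=$5
    out_mask=$(int_to_ip "$(mask_bits "${out_net#*/}")")
    in_mask=$(int_to_ip "$(mask_bits "${in_net#*/}")")
    cat <<EOF
# FreeBSD firewall, /etc/rc.conf (interface names are assumed)
gateway_enable="YES"
ifconfig_xl0="inet $fw_out netmask $out_mask"
ifconfig_xl1="inet $fw_in netmask $in_mask"
defaultrouter="$router"
# upstream router, Cisco syntax
ip route ${in_net%/*} $in_mask $fw_out
# upstream router, if it is a UNIX box
route add -net ${in_net%/*} -netmask $in_mask $fw_out
EOF
}

# Dry run with the mail's example addresses and the assumed router.
check_plan 1.1.1.0/29 1.1.1.6 1.1.1.1 1.1.2.0/24 1.1.2.1
print_commands 1.1.1.0/29 1.1.1.6 1.1.1.1 1.1.2.0/24 1.1.2.1
```

Run it with the real addresses substituted; if check_plan reports a problem, the static route on the upstream router will not help, because the problem is one hop earlier (an address that is not actually on the link it is supposed to share).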