From: Chuck Swiger
Date: Wed, 06 Jul 2011 11:43:54 -0700
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw + 2 LANs
Message-id: <669B9148-C9D2-41F3-B050-F4C9DE928380@mac.com>
In-reply-to: <4e14a2ed555a94.24022420@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Jul 6, 2011, at 11:01 AM, Marek Salwerowicz wrote:
> The idea is to share the Internet connection to both networks, and block any traffic between them.
>
> I was trying to set up the firewall like this:
>
> #!/bin/sh
>
> cmd="ipfw -q"
>
> $cmd flush
>
> $cmd add 50 check-state
>
> $cmd add 80 divert natd ip from any to any via em0
>
> $cmd add 100 allow ip from any to me
> $cmd add 101 allow ip from me to any
>
> $cmd add 200 allow ip from 10.0.1.0/24 to 10.0.0.0/24 keep-state
> $cmd add 300 allow ip from 10.0.2.0/24 to 10.0.0.0/24 keep-state
>
> But it doesn't really work for me

These rules don't provide any means for LAN traffic to pass outside, just traffic to and from the firewall and to and from the 10.0.1.0/24 & 10.0.2.0/24 subnets.

> when I set at the end:
>
> $cmd add 500 allow ip from any to any

Yes, but that's too broad. Try more like:

$cmd add 500 deny ip from 10.0.1.0/24 to 10.0.2.0/24
$cmd add 510 deny ip from 10.0.2.0/24 to 10.0.1.0/24
$cmd add 520 allow ip from any to any

Again, rule 520 is also too broad, but you can test and confirm this is allowing NAT traffic to and from the Internet, but blocking the subnets from communicating. If that is working, replace 520 with more narrowly tailored allow and deny rules.

Regards,
-- 
-Chuck
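The first-match behaviour behind the suggested ordering, as an added example that is not part of this thread: a small Python model of the two rulesets (stateless, with check-state, divert natd and keep-state left out, and the firewall's own addresses assumed) showing that the poster's catch-all rule 500 lets the LANs reach each other while the deny-before-allow ordering isolates them.

```python
import ipaddress

# Addresses the firewall itself holds ("me" in ipfw); constructed for this model.
FIREWALL_ADDRS = {"10.0.1.1", "10.0.2.1", "203.0.113.10"}

# Rules as (number, action, src, dst). check-state, divert natd and keep-state
# are omitted: this model is stateless and treats NAT as transparent.
# The poster's ending: rule 500 allows everything.
ORIGINAL_RULES = [
    (100, "allow", "any", "me"),
    (101, "allow", "me", "any"),
    (200, "allow", "10.0.1.0/24", "10.0.0.0/24"),
    (300, "allow", "10.0.2.0/24", "10.0.0.0/24"),
    (500, "allow", "any", "any"),
]

# The reply's suggestion: deny LAN-to-LAN before the catch-all allow.
SUGGESTED_RULES = ORIGINAL_RULES[:-1] + [
    (500, "deny", "10.0.1.0/24", "10.0.2.0/24"),
    (510, "deny", "10.0.2.0/24", "10.0.1.0/24"),
    (520, "allow", "any", "any"),
]

def _matches(spec, addr):
    """ipfw-style address match for 'any', 'me' or a CIDR prefix."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in FIREWALL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def verdict(src, dst, rules):
    """First matching rule wins, as in ipfw; rule 65535 denies by default
    (assumes the kernel was not built with IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for num, action, s, d in rules:
        if _matches(s, src) and _matches(d, dst):
            return num, action
    return 65535, "deny"

def isolation_holds(rules):
    """True when hosts on 10.0.1.0/24 and 10.0.2.0/24 cannot reach each other
    while both still reach the Internet and the firewall (constructed hosts)."""
    lan1, lan2, internet, fw = "10.0.1.50", "10.0.2.50", "198.51.100.1", "10.0.1.1"
    return (verdict(lan1, lan2, rules)[1] == "deny"
            and verdict(lan2, lan1, rules)[1] == "deny"
            and verdict(lan1, internet, rules)[1] == "allow"
            and verdict(lan2, internet, rules)[1] == "allow"
            and verdict(lan1, fw, rules)[1] == "allow")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        print(name, "isolates LANs:", isolation_holds(rules))
```

Swap in narrower allow rules for 520 and re-run isolation_holds to check that the LAN-to-Internet path survives the tightening.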