Date: Tue, 08 May 2007 12:44:26 -0400
From: Steve Bertrand <iaccounts@ibctech.ca>
To: Gardner Bell <gbell72@rogers.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW and NATD problem
Message-ID: <4640A8EA.1040309@ibctech.ca>
In-Reply-To: <853764.71287.qm@web88009.mail.re2.yahoo.com>
References: <853764.71287.qm@web88009.mail.re2.yahoo.com>
Gardner Bell wrote:
> Hi all,
>
> I've been following the IPFW section in the handbook and /etc/rc.firewall to try and set up a gateway for my home LAN, but I'm having a bit of trouble getting access to the internet. My network setup looks like so.
>
>           192.168.x.x  bge1 - 192.168.x.x   bge0  x.x.x.x
> --LAN------------Switch---------FreeBSD-------------------------------ISP
>
> Bge0 successfully receives an IP from my ISP's DHCP server and I can ping the LAN without any issues. When it comes to accessing the internet I get a hostname lookup failure.
>
> Any help resolving this is greatly appreciated.
>
>
> Gardner
>
> mx1# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from 192.168.1.0/24 to any in via bge0
> 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
> 00600 deny ip from any to 10.0.0.0/8 via bge0
> 00700 deny ip from any to 172.16.0.0/12 via bge0
> 00800 deny ip from any to 192.168.0.0/16 via bge0
> 00900 deny ip from any to 0.0.0.0/8 via bge0
> 01000 deny ip from any to 169.254.0.0/16 via bge0
> 01100 deny ip from any to 192.0.2.0/24 via bge0
> 01200 deny ip from any to 224.0.0.0/4 via bge0
> 01300 deny ip from any to 240.0.0.0/4 via bge0
> 01400 divert 8668 ip from any to any in via bge0

What happens if you switch the above line to bge1, as opposed to bge0?

I haven't used natd in a couple of years, but from what I can tell, you are trying to divert packets that are inbound from the Internet, as opposed to diverting packets from the LAN.

What does /etc/natd.conf state?

If the above does not work, perhaps you could start with a minimalistic ruleset, having only allow rules, and then a blanket rule to deny at the bottom?

Steve
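The divert rule at the end of the quoted ruleset is the point under discussion. As an added illustration that is not part of this thread, the checker below parses `ipfw list` output and flags a natd divert that is bound to the wrong interface or restricted to one direction; it assumes the usual natd arrangement, where the divert must match both outbound packets leaving the external interface (bge0 here) and the replies coming back in. The sample ruleset is a constructed excerpt of the one quoted above, and the rule grammar covers only the allow/deny/divert forms that appear there.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the ruleset quoted in the thread (masked prefix kept
# as written); not taken from any live host.
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0/24 to any in via bge0
00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
01400 divert 8668 ip from any to any in via bge0
"""

# One `ipfw list` line: number, action (with optional log/logamount and divert
# port), protocol, src, dst, optional in/out, optional `via <iface>`.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|divert\s+\d+)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?\s*$"
)

def parse_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `ipfw list` output into dicts; raise on a line the grammar misses."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append(m.groupdict())   # unmatched optional groups come back as None
    return rules

def check_nat_divert(rules: List[Dict[str, Optional[str]]], ext_if: str) -> List[str]:
    """Flag divert rules that cannot hand natd both halves of a connection:
    a divert limited to one direction, or bound to another interface, leaves
    either the LAN's outbound packets or the Internet's replies untranslated."""
    findings = []
    diverts = [r for r in rules if r["action"].startswith("divert")]
    if not diverts:
        return ["no divert rule: natd never sees any packet"]
    for r in diverts:
        if r["iface"] != ext_if:
            findings.append(f"rule {r['num']}: divert bound to {r['iface']}, not {ext_if}")
        if r["dir"] is not None:
            findings.append(f"rule {r['num']}: divert matches only '{r['dir']}' packets "
                            f"on {r['iface']}; use 'via {ext_if}' with no in/out so "
                            f"both directions reach natd")
    return findings
```

Running `check_nat_divert(parse_rules(IPFW_LIST), "bge0")` yields a single finding for rule 01400; the same rule written as `divert 8668 ip from any to any via bge0` passes clean.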