Date: Wed, 12 Apr 2000 16:41:54 -0700
From: Paul Mielke <paulm@securify.com>
To: "Ron Smith" <ronnetron@hotmail.com>, freebsd-security@FreeBSD.ORG
Cc: support@cdrom.com
Subject: Re: NAT and /etc/rc.firewall
Message-ID: <4.2.0.58.20000412163416.00b74a20@localhost>
In-Reply-To: <20000413002323.98449.qmail@hotmail.com>
At 05:23 PM 4/12/00 -0700, Ron Smith wrote:
...
>NAT doesn't work for anyone on the LAN trying to reach the internet through
>'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you
>think the above settings are correct, and in the right place?
>
>Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing
>something. Maybe there's something I'm missing altogether when I try to go
>'firewall_type="simple"' and use those stock rules, as is, in
>'/etc/rc.firewall'. If I need to make changes there, could someone mail me a
>sample of some rules that work for NAT+ipfw.

Hi, Ron.

I just took a quick look at the stock rc.firewall and I don't think that's
enough info to allow remote diagnosis of the problem. I don't have access to
my firewall from my current location, so I can't send you my working config
files at this point. Maybe later this evening.

For now, I would suggest that you try to diagnose the problem by either using
"ipfw show" or by using the 'log' keyword on all the ipfw rules to figure out
which rule is the one that is trashing your packets. For example, do the
following:

    ipfw show > fw.stats.before
    (do some operation that fails)
    ipfw show > fw.stats.after

ipfw will update the counters on each rule every time one of them fires. By
diffing the two stats files, you can figure out which rule is the offending
one.

When I went through the initial phase of getting my setup working, I spent a
lot of time iterating on the above steps interspersed with poring over the
ipfw manpage.

Regards,
Paul

Paul Mielke                paulm@alumni.stanford.org
Securify, Inc.             650-812-9400 x4118
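The counter-diff procedure Paul describes, as an added example that is not part of his message or of the FreeBSD rc.firewall files: a small POSIX shell helper that compares two "ipfw show" snapshots and prints only the rules whose packet counter moved, with the delta and the rule body. The two snapshot files are constructed here to resemble "ipfw show" output for a NAT setup (divert rule, "established" rule, final logged deny); they are not real output from anyone's firewall. The function name changed_rules and the file names are assumptions of this example.

```shell
#!/bin/sh
# "ipfw show" prints one rule per line as:
#   <rule number> <packets> <bytes> <rule body...>
# changed_rules BEFORE AFTER prints every rule whose packet counter differs
# between the two snapshots, as "<rule> <+delta> <rule body>". A deny rule
# that shows up here during a failing operation is the one eating the packets.
changed_rules() {
    before="$1"
    after="$2"
    awk '
        # First file (NR == FNR): remember the packet count per rule number.
        NR == FNR { pkts[$1] = $2; next }
        # Second file: report rules whose packet count changed.
        ($1 in pkts) && ($2 + 0 != pkts[$1] + 0) {
            delta = $2 - pkts[$1]
            body = ""
            for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
            printf "%s %+d %s\n", $1, delta, body
        }
    ' "$before" "$after"
}

# Constructed sample snapshots (assumption of this example, not real data):
# between the two, a LAN host tried one outbound TCP connection. Three
# packets hit the divert (NAT) rule and then fell through to the final deny,
# because nothing between them matched an initial SYN.
write_samples() {
    dir="$1"
    cat > "$dir/fw.stats.before" <<'EOF'
00100     0       0 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400    12    1080 divert 8668 ip from any to any via ed0
00500    12    1080 allow tcp from any to any established
00600     0       0 allow udp from any 53 to any
65000     3     180 deny log ip from any to any
EOF
    cat > "$dir/fw.stats.after" <<'EOF'
00100     0       0 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400    15    1260 divert 8668 ip from any to any via ed0
00500    12    1080 allow tcp from any to any established
00600     0       0 allow udp from any 53 to any
65000     6     360 deny log ip from any to any
EOF
}

# On the firewall itself the workflow is:
#   ipfw show > fw.stats.before
#   (perform the failing operation from a LAN host)
#   ipfw show > fw.stats.after
#   changed_rules fw.stats.before fw.stats.after
# Here we run it over the constructed snapshots instead.
tmp=$(mktemp -d)
write_samples "$tmp"
changed_rules "$tmp/fw.stats.before" "$tmp/fw.stats.after"
rm -rf "$tmp"
```

With the constructed snapshots the helper prints the divert rule and the final deny, each with "+3"; the deny is the rule to look at, and its "log" keyword means the same packets also appear in the system log, which is the other diagnostic route mentioned in the message.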