From: "David Hill"
To: freebsd-questions@freebsd.org
Subject: can't get stateful ipfw working...
Date: Mon, 22 Oct 2001 21:43:42 -0400
Message-ID: <001a01c15b64$290d9de0$0201a8c0@hill.hom>

Hello -

Implementing the following ipfw ruleset allows nothing to work.
The nat'd machines can't access the gateway, nor the internet.

What am I doing wrong?
# rules
#
# 192.168.1.0/24 (NAT) <-> 192.168.1.1 (fbsd firewall) 24.247.x.x <->
# Internet
#
fwcmd="/sbin/ipfw"
oif="sis0"                 # outside (Internet) interface
iif="fxp0"                 # inside (NAT'd LAN) interface
inwr="192.168.1.0/24"      # inside network
iip="192.168.1.1"          # firewall's inside address

$fwcmd -f flush
# NAT everything crossing the outside interface
$fwcmd add divert natd all from any to any via $oif
# loopback
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 101 deny all from any to 127.0.0.0/8

# stateful TCP
$fwcmd add 500 check-state
$fwcmd add 510 deny tcp from any to any in established
$fwcmd add 520 allow tcp from any to any keep-state setup

# UDP out, plus DHCP replies on the outside interface
$fwcmd add 600 allow udp from any to any out
$fwcmd add 601 allow udp from 255.255.255.255 to any 68 in recv $oif

# ICMP: echo request out, echo reply and time exceeded in
$fwcmd add 700 allow icmp from any to any icmptypes 8 out
$fwcmd add 701 allow icmp from any to any icmptypes 0 in
$fwcmd add 702 allow icmp from any to any icmptypes 11 in
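Added example, not part of the post above: a small static checker for an ipfw rule script, applying three rules of thumb for stateful ipfw filtering that are independent of this particular setup. It is a hypothetical helper written for this page (not part of FreeBSD or ipfw), and the "stateful variant" ruleset embedded in it is an illustrative assumption of what a fully stateful version of the posted script could look like, not a statement of what the poster's actual fault was. The checks are: every rule should carry an explicit number so its position is not left to ipfw's auto-numbering; an outbound `allow tcp`/`allow udp` rule without `keep-state` creates no dynamic rule, so the replies need their own inbound allow or they fall through to the default rule; and without an explicit catch-all at the end, what happens to unmatched packets depends on rule 65535, whose action is fixed when the kernel is built (IPFIREWALL_DEFAULT_TO_ACCEPT).

```python
import re

# The ruleset from the post above, with the quoted-printable damage removed
# (constructed copy for this example; the variable assignments are omitted).
POSTED_RULESET = """
$fwcmd -f flush
$fwcmd add divert natd all from any to any via $oif
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 101 deny all from any to 127.0.0.0/8
$fwcmd add 500 check-state
$fwcmd add 510 deny tcp from any to any in established
$fwcmd add 520 allow tcp from any to any keep-state setup
$fwcmd add 600 allow udp from any to any out
$fwcmd add 601 allow udp from 255.255.255.255 to any 68 in recv $oif
$fwcmd add 700 allow icmp from any to any icmptypes 8 out
$fwcmd add 701 allow icmp from any to any icmptypes 0 in
$fwcmd add 702 allow icmp from any to any icmptypes 11 in
"""

# Illustrative stateful variant (an assumption for this example, not a fix
# claimed for the poster's setup): every rule is numbered, UDP gets
# keep-state so replies match the dynamic table, and an explicit final
# deny makes the policy independent of the kernel's default rule.
STATEFUL_VARIANT = """
$fwcmd -f flush
$fwcmd add 50 divert natd all from any to any via $oif
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 101 deny all from any to 127.0.0.0/8
$fwcmd add 500 check-state
$fwcmd add 510 deny tcp from any to any in established
$fwcmd add 520 allow tcp from any to any keep-state setup
$fwcmd add 600 allow udp from any to any out keep-state
$fwcmd add 601 allow udp from 255.255.255.255 to any 68 in recv $oif
$fwcmd add 700 allow icmp from any to any icmptypes 8 out
$fwcmd add 701 allow icmp from any to any icmptypes 0 in
$fwcmd add 702 allow icmp from any to any icmptypes 11 in
$fwcmd add 65000 deny log all from any to any
"""

ADD_RE = re.compile(r'^\$fwcmd\s+add\s+(?:(\d+)\s+)?(.+)$')
ALLOW_ACTIONS = ("allow", "pass", "accept")
DIRECTION_WORDS = ("in", "out", "via", "recv", "xmit")


def parse_rules(script):
    """Return [(number_or_None, [words])] for every '$fwcmd add' line."""
    rules = []
    for raw in script.splitlines():
        m = ADD_RE.match(raw.strip())
        if m:
            num = int(m.group(1)) if m.group(1) else None
            rules.append((num, m.group(2).split()))
    return rules


def lint(script):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    rules = parse_rules(script)
    for num, words in rules:
        text = " ".join(words)
        proto = words[1] if len(words) > 1 else ""
        # 1. ipfw picks the number of an unnumbered rule itself, so its
        #    position relative to the numbered rules is implicit and changes
        #    silently when the script is edited later.
        if num is None:
            findings.append(("unnumbered", f"'{text}': no rule number given"))
        # 2. An outbound allow for TCP/UDP without keep-state creates no
        #    dynamic rule; the replies need their own inbound allow or they
        #    fall through to the default rule.
        if (words[0] in ALLOW_ACTIONS and proto in ("tcp", "udp")
                and "out" in words and "keep-state" not in words):
            findings.append(("stateless-out",
                             f"'{text}': replies are not covered by state"))
    # 3. Without an explicit catch-all as the last rule, unmatched packets
    #    hit rule 65535, whose action depends on the kernel build.
    if rules:
        body = [w for w in rules[-1][1] if w != "log"]
        catch_all = (body[0] in ALLOW_ACTIONS + ("deny",)
                     and body[1:] == ["all", "from", "any", "to", "any"])
        if not catch_all:
            findings.append(("no-final-rule",
                             "last rule is not a catch-all; policy depends "
                             "on the kernel default rule"))
    return findings


if __name__ == "__main__":
    for name, script in (("posted", POSTED_RULESET),
                         ("stateful variant", STATEFUL_VARIANT)):
        print(f"== {name}")
        for code, msg in lint(script) or [("ok", "no findings")]:
            print(f"  {code}: {msg}")
```

Run against the posted script it reports the unnumbered divert rule, the stateless UDP allow and the missing catch-all; against the stateful variant it reports nothing. The checker reads only the `$fwcmd add` lines, so it can be run on a rule script before loading it with `ipfw`, which never touches the kernel ruleset.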