From owner-freebsd-questions  Mon Apr 29  5: 3:40 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 29 Apr 2002 14:03:45 +0200
From: Axel Scheepers <axel@axel.truedestiny.net>
To: Jimmy <jimmy@tricom.com.ph>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter+ipfw
Message-ID: <20020429140344.E61218@mars.thuis>
Reply-To: Axel Scheepers <axel@axel.truedestiny.net>
References: <20020426143406.5d9ede72.jimmy@tricom.com.ph>
In-Reply-To: <20020426143406.5d9ede72.jimmy@tricom.com.ph>; from jimmy@tricom.com.ph on Fri, Apr 26, 2002 at 02:34:06PM +0800

On Fri, Apr 26, 2002 at 02:34:06PM +0800, Jimmy wrote:
> Hi,
> 
> I've configured my FreeBSD-4.5-STABLE firewall host; I installed 4 NIC cards in it and I'm using ipfilter for NAT and packet filtering, and ipfw to bridge and as a traffic shaper.  Here is the list of my NIC cards:
> 
> 	fxp0=localnet1(192.168.100.0/24)nat
> 	xl0=external interface connected to dsl modem
> 	xl1=localnet2(192.168.200.0/24)nat
> 	xl2=filter bridge to xl0
> 
> The outside world can see my host connected to the bridge NIC and vice versa, except my localnet1 and localnet2.  Did I miss something in my configuration? How can I connect my localnet1 & 2 so they can talk to the host connected to xl2, which is being bridged?

Hi,

It is generally a bad idea to mix ipf and ipfilter; the ipfilter and ipnat combo
works directly on the kernel tables, while ipf runs in userspace and is thus
somewhat slower.
The 192.168.x.x addresses aren't routed on the internet, and must be remangled to the
modem's IP (NAT). This seems to go wrong. At my place I have ipfilter/ipnat,
where ipnat does the following:
map 192.168.0.0/16 -> 0/32 portmap auto
map 192.168.0.0/16 -> 0/32 proxy ftp
rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80

which directs all traffic to another host in my local lan.

You can use tcpdump to see what packets are being forwarded (did you
sysctl -w net.inet.ip.forwarding=1?).

A couple of extra debug-generating rules isn't bad either, to see what gets
denied and what goes through.
Probably the best solution is to stick with one of the two firewalls, instead of
using both at the same time.

> 
> TIA,
> 
> Jimmy 

Gr,
-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       a.scheepers@iae.nl
http://axel.truedestiny.net/~axel
------------------------------------------
A fanatic is one who can't change his mind and won't change the
subject.
		-- Winston Churchill
------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
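As an added example (not from Axel's or Jimmy's mail), here is what ipnat and ipf rules for the four-NIC setup described above could look like, assuming both LANs are NATed out through xl0 and that 192.168.100.5 is a constructed placeholder for an internal web server:

```conf
# /etc/ipnat.rules (added example, not from the original mail)
# Both private LANs leave through the external interface xl0 and are
# rewritten to whatever address xl0 currently holds (0/32).
map xl0 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.100.0/24 -> 0/32
map xl0 192.168.200.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.200.0/24 -> 0/32
# Active-mode FTP needs the proxy to rewrite the PORT command.
map xl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
# Port forward; 192.168.100.5 is a constructed placeholder address.
rdr xl0 0.0.0.0/0 port 80 -> 192.168.100.5 port 80 tcp

# /etc/ipf.rules
# Default deny with logging, so ipmon/tcpdump show where packets die.
block in log all
block out log all
# Anti-spoofing: private or loopback sources must never arrive from the modem side.
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any
# Let the LANs out and keep state so replies return without extra rules.
pass in quick on fxp0 from 192.168.100.0/24 to any keep state
pass in quick on xl1 from 192.168.200.0/24 to any keep state
pass out quick on xl0 from any to any keep state
# Inbound NAT runs before filtering, so the forwarded web traffic is
# already rewritten to the internal address when these rules see it.
pass in quick on xl0 proto tcp from any to 192.168.100.5 port = 80 flags S keep state
# Forwarding itself: gateway_enable="YES" in /etc/rc.conf sets
# net.inet.ip.forwarding=1 at boot.
```

The logging block rules give the "debug generating rules" Axel mentions; `ipmon -o I` (or tcpdump on each interface) then shows which interface and rule dropped a packet.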