Date: Mon, 30 Nov 1998 22:11:31 -0800
From: "Briang" <brian@briang.org>
To: "FreeBSD" <freebsd-questions@FreeBSD.ORG>
Subject: IPFW and NATD
Message-ID: <004501be1cf1$71112e40$2900a8c0@brian-desktop.briang.org>
I have DNS and NATD running with IPFW: FXP0 -> Internet / 24.1.8x.xxx, FXP1 -> Private / 192.168.0.1.

Well, this is what I don't understand: if I try to ping www.briang.org it replies fine, but if I try to open www.briang.org inside Netscape it times out saying it can't find the website... Hmmmm.

So I added this line to the rc.firewall file:

    $fwcmd add divert 6668 all from 192.168.0.0/24 to any via fxp1

and now I can open the website, but the SNMP service tells me that it can no longer find the interface for 24.1.8x.xxx. Hmmm.

    c:\tracert 24.0.0.27
      1   <10 ms   <10 ms   <10 ms  rtr1.gw.briang.org [192.168.0.1]
      2    42 ms    20 ms    20 ms  24.1.88.1
      3    18 ms    10 ms    10 ms  r1-fe2-0-0-100bt.frmt1.sfba.home.net [24.1.80.1]

Next, shouldn't I see it going through FXP1 and then to FXP0 out to the net??

    cat /etc/rc.firewall

    $fwcmd -f flush
    $fwcmd add divert 6668 all from any to any via fxp0
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8
    $fwcmd add deny all from 192.168.0.0/24 to any out via fxp0
    $fwcmd add deny log tcp from 24.0.0.0/8 to 24.1.8x.xxx/32 1-65000
    $fwcmd add deny log udp from 24.0.0.0/8 to 24.1.8x.xxx/32 1-65000
    $fwcmd add deny log all from 198.247.0.0/16 to any in via fxp0
    $fwcmd add 65000 pass all from any to any

--> ipfw -a l

    00100    42   5811 divert 6668 ip from any to any via fxp0

--->>> I took the other Divert line out for right now..

    00100     0      0 allow ip from any to any via lo0
    00200     0      0 deny ip from any to 127.0.0.0/8
    00300     0      0 deny ip from 192.168.0.0/24 to any out xmit fxp0
    07400     0      0 deny log tcp from 24.0.0.0/8 to 24.1.8x.xxx 1-65000
    07500     0      0 deny log udp from 24.0.0.0/8 to 24.1.8x.xxx 1-65000
    07600     0      0 deny log ip from 198.247.0.0/16 to any in recv fxp0
    65000   491  49928 allow ip from any to any
    65535    14   1076 deny ip from any to any

Thanks
-Brian
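A small checker for an `ipfw -a l` listing, added here as an example and not part of Brian's post or of FreeBSD's own tooling: it parses the listing (the one above, reconstructed inline as constructed sample input), reports rule numbers shared by more than one rule (as 00100 is above, which leaves their relative order to insertion time), and checks that the natd divert rule is reached before any allow/deny that could match traffic on the external interface, since natd only translates packets that get as far as its divert rule. The interface name fxp0 and the listing's column layout are assumed from the post.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "number packets action body")  # body: match part only

# Constructed sample: the `ipfw -a l` output from the post, one rule per line.
LISTING = """\
00100 42 5811 divert 6668 ip from any to any via fxp0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 192.168.0.0/24 to any out xmit fxp0
07400 0 0 deny log tcp from 24.0.0.0/8 to 24.1.8x.xxx 1-65000
07500 0 0 deny log udp from 24.0.0.0/8 to 24.1.8x.xxx 1-65000
07600 0 0 deny log ip from 198.247.0.0/16 to any in recv fxp0
65000 491 49928 allow ip from any to any
65535 14 1076 deny ip from any to any
"""

def parse_listing(text):
    """Parse `ipfw -a l` lines: number pkts bytes action [port] [log] body."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        rest = parts[4:]
        if parts[3] == "divert":
            rest = rest[1:]  # drop the divert port (6668 here)
        if rest and rest[0] == "log":
            rest = rest[1:]
        rules.append(Rule(int(parts[0]), int(parts[1]), parts[3], " ".join(rest)))
    return rules

def duplicate_numbers(rules):
    """Rule numbers used more than once; ipfw orders those by insertion time."""
    seen, dups = set(), set()
    for r in rules:
        (dups if r.number in seen else seen).add(r.number)
    return sorted(dups)

def can_match_external(rule, ext_if):
    """A rule can see ext_if traffic if it names it or names no interface at all."""
    words = rule.body.split()
    return ext_if in words or not any(k in words for k in ("via", "xmit", "recv"))

def divert_is_first(rules, ext_if):
    """natd only sees packets that reach its divert rule, so no allow/deny that
    could match ext_if traffic may come before it."""
    for r in rules:
        if can_match_external(r, ext_if):
            return r.action == "divert"
    return False
```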