Date:      Mon, 27 Jan 2003 23:17:03 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        Asenchi <asenchi@asenchi.com>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Firewall + DHCP (STILL)
Message-ID:  <3E36043F.8010005@potentialtech.com>
References:  <NHBBIMEIGLCBNPAEPGDPCEIPCJAA.asenchi@asenchi.com>

Asenchi wrote:
> Hello,
> 
> I emailed and received some help this past weekend.  Thank you all for
> responding, however none of the suggestions were able to cure my problem.

I don't think I was in on the original round of q&a.  I'm going to make some
suggestions, but also clarify a few things.  Please pardon me if I suggest
some things that have already come up, or ask questions that you've already
answered.

> Here is the issue:
> I am setting up a firewall, IPFW + NATD, that will act as a gateway.  I have
> two NICs that are configured.  The OIF will be connected to a cable modem
> that assigns connections by DHCP.  I am not able to keep a connection with
> my OIF concerning this.

What do you mean by "not able to _keep_ a connection"?  Are you saying that
your DHCP addy expires and can't be renewed?  Or is there something more to
the problem (i.e., the link layer connection fails?)

<SNIP>

> PS: Below is a bunch of info on my setup, let me know if you want more. Oh
> and I know that there is no ip assigned to vr0, this is bsd, not me. I have
> tried to assign one and have also set 'ifconfig_vr0="DHCP"' in rc.conf.

To clarify:
if you type:
killall dhclient
ifconfig vr0 inet 10.1.1.1 netmask 255.0.0.0
ifconfig
Does it display the 10.1.1.1 address, or is there still no ip addy on
vr0?

> #vi /etc/rc.firewall
> #FIREWALL RULES
> 
> fwcmd="/sbin/ipfw"
> 
> oif="vr0"
> onet="`ifconfig vr0 | grep "inet " | awk '{print $6}'`"
> omask="`ifconfig vr0 | grep "inet " | awk '{print $4}'`"
> oip="`ifconfig vr0 | grep "inet " | awk '{print $2}'`"
> 
> iif="rl0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.1"
> 
> ${fwcmd} -f flush
> 
> ${fwcmd} add 0050 divert natd all from any to any via ${oif}
> 
> ${fwcmd} add 0200 allow all from any to any

If this is truly the firewall rules you are using, then every rule after
this one is redundant, as this constitutes an "open" firewall, which is
almost the same as no firewall at all (except for the divert rule).

> #vi /var/db/dhclient.leases
> lease {
>   interface "xl0";
>   fixed-address 12.245.246.22;
>   option subnet-mask 255.255.255.0;
>   option dhcp-lease-time 3600;
>   option routers 12.245.246.1;
>   option dhcp-message-type 5;
>   option dhcp-server-identifier 12.242.20.34;
>   option domain-name-servers 63.240.76.4,204.127.198.4;
>   option broadcast-address 255.255.255.255;
>   option host-name "x1-6-00-04-76-c5-f4-a2";
>   option domain-name "attbi.com";
>   renew 2 2003/1/28 03:29:22;
>   rebind 2 2003/1/28 03:58:51;
>   expire 2 2003/1/28 04:06:21;
> }
> lease {
>   interface "vr0";
>   fixed-address 12.245.228.183;
>   option subnet-mask 255.255.255.128;
>   option dhcp-lease-time 345600;
>   option routers 12.245.228.129;
>   option dhcp-message-type 5;
>   option dhcp-server-identifier 12.242.20.34;
>   option domain-name-servers 63.240.76.4,204.127.198.4;
>   option broadcast-address 255.255.255.255;
>   option domain-name "attbi.com";
>   renew 4 2003/1/30 01:09:35;
>   rebind 5 2003/1/31 15:28:11;
>   expire 6 2003/2/1 03:28:11;
> }

Are you trying to get DHCP addys on both interfaces?

> #ifconfig -a
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
> 	inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
> 	ether 00:40:33:5a:74:8a
> 	media: Ethernet autoselect (100baseTX <full-duplex>)
> 	status: active
> xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
> 	options=3<rxcsum,txcsum>
> 	ether 00:04:76:c5:f4:a2
> 	media: Ethernet autoselect (none)
> 	status: no carrier
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
> 	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> 	ether 00:50:bf:90:6d:98
> 	media: Ethernet autoselect (100baseTX)
> 	status: active
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> 	inet6 ::1 prefixlen 128
> 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> 	inet 127.0.0.1 netmask 0xff000000

This is probably unrelated, but you have no IPv4 address on the loopback
device (lo0), which has caused problems for me in the past.

You managed to post _almost_ everything relevant ;)  Can you post your
rc.conf please.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
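As an added example that is not part of the thread or anything Bill or Asenchi posted: a closed-by-default version of the quoted rc.firewall for an IPFW + natd gateway whose outside interface gets its address by DHCP. The interface names and inside network are the ones from the quoted script; the rule numbers, the policy, and the check_rules/apply_rules helpers are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: a closed-by-default
# rc.firewall for the IPFW + natd gateway discussed above. Interface
# names and the inside network come from the quoted script; rule
# numbers and the policy itself are assumptions.
oif="vr0"              # outside, address assigned by the cable modem's DHCP
iif="rl0"              # inside LAN
inet="192.168.0.0/24"

# Emit the rule set as "ipfw" arguments. No rule needs the outside
# address: the quoted script parsed it out of ifconfig at boot, which
# gives 0.0.0.0 (as in the quoted ifconfig output) before dhclient has
# a lease, so a rule built from it would be wrong from the start.
build_rules() {
    cat <<EOF
add 100 allow all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 divert natd all from any to any via ${oif}
add 400 allow all from any to any via ${iif}
add 500 allow all from any to any out via ${oif}
add 600 allow udp from any 67 to any 68 in via ${oif}
add 700 allow tcp from any to any in via ${oif} established
add 800 allow udp from any 53 to any in via ${oif}
add 900 allow icmp from any to any in via ${oif} icmptypes 0,3,11
add 65000 deny log all from any to any
EOF
}
# 400: trust the inside interface; 500: let anything out (after natd has
# rewritten the source); 600: DHCP offers/acks to the client on vr0, so
# the lease can be obtained and renewed; 700/800: stateless return
# traffic for TCP and DNS, the weak spot of this style (newer ipfw can
# use keep-state instead); 900: only the ICMP types needed for path
# diagnostics, no echo requests from outside; 65000: default deny, logged.

# Refuse to load a rule set where a catch-all allow, like the quoted
# "allow all from any to any", precedes the final deny.
check_rules() {
    build_rules | awk '/allow (all|ip) from any to any *$/ { bad = 1 }
                       END { exit bad }'
}

apply_rules() {
    check_rules || { echo "refusing to load an open rule set" >&2; return 1; }
    /sbin/ipfw -f flush
    build_rules | while read -r line; do
        /sbin/ipfw ${line}   # word splitting intended
    done
}
```

Run build_rules to review the set without touching the kernel; apply_rules loads it only after check_rules passes.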

