From owner-freebsd-security@FreeBSD.ORG Wed May 14 17:34:11 2003
Date: Wed, 14 May 2003 17:34:05 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: xskoba1@kremilek.gyrec.cz
Cc: freebsd-security@freebsd.org
Message-ID: <20030515003405.GA83387@blossom.cjclark.org>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: bridge and firewall

On Thu, May 08, 2003 at 12:39:11PM +0200, xskoba1@kremilek.gyrec.cz wrote:
> Can anyone help with this. Bridge is enabled, even in sysctl. Firewall is
> enabled and configured.
>
> But my reality is done this way..
>
>   Cisco (Public IP)        ---- FreeBSD Bridge (Public IP) ------ stations
>   (NATing 192.168.1.0/24)       (NATing 172.16.0.0/24              192.168.1.xx
>                                  or something similar)             172.16.0.xx and on
>   one public IP, one private, which even one public IP...
>
> ok... it looks horrible, but I am not having time to change it... we are
> going to change IPS and so on...
>
> so... what are the rules which should be added?
>
> users are permitted to connect inside... to public IP through SSH
> named is on FreeBSD and used by inner address (192... 172...)
>
> and firewall then behaves strangely...
>
> thanks for any idea, unless you want me to reconfigure it at all... it is
> a school and I am not having time until holiday

Bridged packets only go through firewall processing on input. If you have a,

  divert natd ip from any to any via if0

(where if0 is the external interface) it will not work, since packets going
out the interface never hit that rule.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org