Date: Mon, 29 Apr 2002 12:56:31 -0500
From: "Mire, John" <jmire@lsuhsc.edu>
To: "Mire, John" <jmire@lsuhsc.edu>, 'Axel Scheepers' <axel@axel.truedestiny.net>, 'Jimmy' <jimmy@tricom.com.ph>
Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: RE: ipfilter+ipfw
Message-ID: <DAC809EAC7E4594AA0696EF512F6ABF10AA738CE@sh-exch>
I hate correcting myself, but it was on freebsd-security.

-----Original Message-----
From: Mire, John
Sent: Monday, April 29, 2002 10:49 AM
To: 'Axel Scheepers'; Jimmy
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfilter+ipfw

I remember Crist J. Clark had outlined some patches on his website and the pathway to get this to work on freebsd-net, I think; try searching the archives....

--
John Mire: jmire@lsuhsc.edu
Network Administration 318-675-5434
LSU Health Sciences Center - Shreveport

-----Original Message-----
From: Axel Scheepers [mailto:axel@axel.truedestiny.net]
Sent: Monday, April 29, 2002 7:04 AM
To: Jimmy
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter+ipfw

On Fri, Apr 26, 2002 at 02:34:06PM +0800, Jimmy wrote:
> Hi,
>
> I've configured my FreeBSD-4.5-STABLE firewall host, and I installed 4 NIC cards on it, and I'm using ipfilter to NAT and packet filter and ipfw to bridge and as a traffic shaper. Here is the list of my NIC cards:
>
> fxp0=localnet1(192.168.100.0/24)nat
> xl0=external interface connected to dsl modem
> xl1=localnet2(192.168.200.0/24)nat
> xl2=filter bridge to xl0
>
> The outside world can see my host connected to the bridge NIC and vice versa, except my localnet1 and localnet2. Did I miss something in my configuration? How can I connect my localnet1 & 2 to talk to the host connected to xl2, which is being bridged?

Hi,

It is generally a bad idea to mix ipf and ipfilter; the ipfilter and ipnat combo works directly on the kernel tables, while ipf runs in userspace and is thus somewhat slower.

The 192.168.x.x aren't routed on the internet, and must be remangled to the modem's ip (NAT). This seems to go wrong. At my place I have ipfilter/ipnat, where ipnat does the following:

    map 192.168.0.0/16 -> 0/32 portmap auto
    map 192.168.0.0/16 -> 0/32 proxy ftp
    rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80

which directs all traffic to another host in my local lan.

You can use tcpdump to see what packets are being forwarded (did you sysctl -w net.inet.ip.forwarding=1?). A couple of extra debug-generating rules isn't bad either, to see what gets denied and what goes through.

Probably the best solution is to stick with one of the two firewalls, instead of using both at the same time.

> > TIA,
> >
> > Jimmy
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message

Gr,
--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       a.scheepers@iae.nl
http://axel.truedestiny.net/~axel
------------------------------------------
A fanatic is one who can't change his mind and won't change the subject.
-- Winston Churchill
------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
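As an added illustration, not part of any message in this thread and not ipfilter's own code, here is a small Python model of the three ipnat rules Axel quotes. It parses the `map` and `rdr` lines, rewrites constructed packets the way those rules would, and flags the failure mode Axel describes: a packet from a subnet no `map` rule covers leaving the box with an RFC 1918 source address. Assumptions: the external address of xl0 is 203.0.113.1 (a documentation-prefix value chosen for the example), rules are first-match, `0/32` means "the outgoing interface's address", and the ftp proxy and connection state are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Assumed external address of xl0 (RFC 5737 documentation prefix, constructed for this example).
EXTERNAL_IP = "203.0.113.1"

# The three ipnat rules quoted in Axel's message, as written there.
IPNAT_RULES = """
map 192.168.0.0/16 -> 0/32 portmap auto
map 192.168.0.0/16 -> 0/32 proxy ftp
rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80
"""

# RFC 1918 space: addresses that must never appear as a source on the modem link.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_rules(text):
    """Parse the subset of ipnat syntax used above: 'map' and 'rdr' rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "map" and tok[2] == "->":
            # map <src-net> -> <target> [portmap auto | proxy <name>]
            rules.append({"kind": "map", "src": ipaddress.ip_network(tok[1]),
                          "target": tok[3], "opts": tok[4:]})
        elif tok[0] == "rdr" and tok[2] == "port" and tok[4] == "->":
            # rdr <dst-net> port <dport> -> <new-dst> port <new-port>
            rules.append({"kind": "rdr", "dst": ipaddress.ip_network(tok[1]),
                          "dport": int(tok[3]), "new_dst": tok[5],
                          "new_port": int(tok[7])})
        else:
            raise ValueError("unsupported ipnat rule: " + line)
    return rules


class IpnatSim:
    """Simplified model of ipnat: first matching rule wins, no state table, no proxies."""

    def __init__(self, rules, external_ip=EXTERNAL_IP, first_port=10000):
        self.rules = rules
        self.external_ip = external_ip
        self.next_port = first_port  # 'portmap auto' hands out source ports from a pool

    def outbound(self, pkt):
        """Apply 'map' rules to a packet leaving via the external interface."""
        for r in self.rules:
            if r["kind"] != "map" or ipaddress.ip_address(pkt.src) not in r["src"]:
                continue
            if "proxy" in r["opts"]:
                continue  # application proxies (ftp) are not modelled here
            # '0/32' in ipnat means "use the address of the outgoing interface".
            new_src = self.external_ip if r["target"] == "0/32" else r["target"].split("/")[0]
            new_sport = pkt.sport
            if "portmap" in r["opts"]:
                new_sport, self.next_port = self.next_port, self.next_port + 1
            return replace(pkt, src=new_src, sport=new_sport)
        return pkt  # no rule matched: the packet leaves with its original source

    def inbound(self, pkt):
        """Apply 'rdr' rules to a packet arriving on the external interface."""
        for r in self.rules:
            if (r["kind"] == "rdr" and ipaddress.ip_address(pkt.dst) in r["dst"]
                    and pkt.dport == r["dport"]):
                return replace(pkt, dst=r["new_dst"], dport=r["new_port"])
        return pkt


def leaks_private_source(pkt):
    """True if the packet would reach the modem link with an RFC 1918 source (NAT was missed)."""
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    sim = IpnatSim(parse_rules(IPNAT_RULES))
    # Constructed packets: one from localnet1, one from a subnet no map rule covers.
    for p in (Packet("192.168.100.10", 40000, "198.51.100.7", 80),
              Packet("10.0.0.5", 40001, "198.51.100.7", 80)):
        out = sim.outbound(p)
        print(p, "->", out, "LEAKS PRIVATE SOURCE" if leaks_private_source(out) else "ok")
    print(sim.inbound(Packet("198.51.100.7", 5555, EXTERNAL_IP, 80)))
```

The second constructed packet is the interesting one: nothing in the quoted rule set maps 10.0.0.0/8, so it would go out unmodified, which is exactly what a `tcpdump` on the external interface would show when NAT is not taking effect for a subnet.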
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DAC809EAC7E4594AA0696EF512F6ABF10AA738CE>