From: Toni Pisjak
Date: Tue, 7 Nov 2000 18:44:26 +0100 (CET)
Subject: Problem: Setup ipfw Firewall
List: freebsd-questions@freebsd.org

Hello!

I have problems setting up a firewall on FreeBSD-4.1, though I am following the directions in the FreeBSD handbook. I made a special (i.e. simple) test configuration, shown in the following draft (firewall between two clients, shown with abbreviated IP address / MAC address):

client-0                    firewall                      client-1
.111.29/:4b:a8----------.111.9/:97:55 .111.9/:9b:1f-----------.112.50/:a2:59

Because the kernel variable net.inet.ip.forwarding is set to 1, I think that packets arriving on one firewall NIC should be forwarded to the other NIC, considering the following configuration:

The firewall routing table:

Destination       Gateway          Flags    Refs    Use  Netif  Expire
--------------------------------------------------------------------------
default           xxx.yyy.111.1    UGSc        0      0  fxp0
127.0.0.1         127.0.0.1        UH          0      0  lo0
xxx.yyy           link#2           UC          0      0  fxp1   =>
xxx.yyy.111/25    link#1           UC          0      0  fxp0   =>
xxx.yyy.111.1     link#1           UHLW        1      0  fxp0   =>
--------------------------------------------------------------------------
xxx.yyy.111.29    ...:a2:59        UHLW        1     21  fxp0   725
xxx.yyy.112.50    ...:4b:a8        UHLW        0      7  fxp1   83

The first five routes are the default routes; the last two routes were added when I did a ping from the clients to the firewall. These last two routes (surprisingly?) have the schema: dest = ; gateway = <*client* mac address>

The routing table of client0 (client1 is analogous; the firewall should be transparent, so I don't want to write it into the routes):

Destination    Gateway      Flags  Netif  Expire
-------------------------------------------------------------------
...111.0       ...111.29
default        ...111.29

The firewall rules I tried were:

1. allow all from any to any

2. allow all from client0 to client1 in via NIC0
   allow all from -"- out via NIC1
   allow all from client1 to client0 in via NIC1
   allow all from -"- out via NIC0

In both cases pinging between firewall and client0/1 works, but pinging between the two clients fails (in case of *directly* connected clients (without firewall), ping works with the above configuration). "tcpdump" (running on the firewall) shows that the ping request reaches the firewall at the appropriate NIC, but there is no output on the other NIC (i.e. no forwarding).

PS: Another strange thing: if the firewall NICs are both set to the IP address ...111.9 via *rc.conf*, pinging from client1 to the firewall via NIC-1 does *not* work after booting. But if I *then* set the IP address manually (ifconfig), the following error message appears:

/kernel: rtinit: wrong ifa (0xc0e00480) was (0xc0e00700)

... but ping works (!).

Any suggestions?

Thanks in advance,
Toni.

PPS: Excerpt of my /etc/rc.conf:
---------------
ifconfig_fxp1="inet xxx.yyy.111.9 netmask 255.255.255.128"
ifconfig_fxp0="inet xxx.yyy.111.9 netmask 255.255.255.128"
hostname="aaa.bbb.ccc.ddd"
router_enable="NO"
gateway_enable="YES"
defaultrouter="xxx.yyy.111.1"
firewall_enable="YES"
tcp_extensions="NO"
----------------

Additions to the GENERIC kernel:
--------------------
options IPFIREWALL
options IPFIREWALL_VERBOSE
--------------------
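The rc.conf excerpt above assigns the same inet address to fxp0 and fxp1. As an added sanity check, not code from the post or from FreeBSD, the following POSIX sh function scans ifconfig_* lines of an rc.conf-style file and reports any address configured on more than one interface; the sample input is constructed to mirror the excerpt.

```shell
#!/bin/sh
# Added example, not from the original post: lint rc.conf-style
# ifconfig_<if>="inet A.B.C.D ..." lines and report every inet address
# that is assigned to more than one interface.
# Reads the files given as arguments, or stdin when none is given.
# Output: one line per duplicated address, "ADDR: if1 if2 ...", sorted.
check_dup_inet() {
    # sed: emit "ADDR IF" for each ifconfig_* line carrying an inet address.
    # awk: collect the interfaces per address; print only addresses seen twice+.
    sed -n 's/^ifconfig_\([A-Za-z0-9]*\)="inet \([^ "]*\).*$/\2 \1/p' "$@" |
    sort |
    awk '{ ifs[$1] = ifs[$1] " " $2; n[$1]++ }
         END { for (a in n) if (n[a] > 1) print a ":" ifs[a] }' |
    sort
}

# Constructed sample mirroring the excerpt in the post
# (xxx.yyy is the poster's placeholder, not a real network).
check_dup_inet <<'EOF'
ifconfig_fxp1="inet xxx.yyy.111.9 netmask 255.255.255.128"
ifconfig_fxp0="inet xxx.yyy.111.9 netmask 255.255.255.128"
hostname="aaa.bbb.ccc.ddd"
gateway_enable="YES"
firewall_enable="YES"
EOF
# prints: xxx.yyy.111.9: fxp0 fxp1
```

An empty result means every configured inet address is unique to one interface.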