Date:      Tue, 7 Nov 2000 18:44:26 +0100 (CET)
From:      Toni Pisjak <pisjak@dbai.tuwien.ac.at>
To:        <freebsd-questions@freebsd.org>
Cc:        <gpalmer@freebsd.org>, <doc@freebsd.org>
Subject:   Problem: Setup ipfw Firewall
Message-ID:  <Pine.BSF.4.30.0011071443460.54369-100000@procyon.dbai.tuwien.ac.at>

Hello!

I have problems setting up a firewall on FreeBSD-4.1, though I am following the
directions in the FreeBSD handbook. I made a special (e.g. simple) test
configuration, shown in the following draft (firewall between two clients,
shown with abbreviated IP address / MAC address):


client-0                firewall                client-1

.111.29/:4b:a8----------.111.9/:97:55
                        .111.9/:9b:1f-----------.112.50/:a2:59


Because the kernel variable net.inet.ip.forwarding is set to 1, I think
that packets arriving on one firewall NIC should be forwarded to the other
NIC, considering the following configuration:

The firewall routing table:

Destination        Gateway            Flags    Refs  Use  Netif Expire
--------------------------------------------------------------------------
default            xxx.yyy.111.1      UGSc        0        0     fxp0
127.0.0.1          127.0.0.1          UH          0        0      lo0
xxx.yyy            link#2             UC          0        0     fxp1 =>
xxx.yyy.111/25     link#1             UC          0        0     fxp0 =>
xxx.yyy.111.1      link#1             UHLW        1        0     fxp0 =>
--------------------------------------------------------------------------
xxx.yyy.111.29     ...:a2:59          UHLW        1       21     fxp0  725
xxx.yyy.112.50     ...:4b:a8          UHLW        0        7     fxp1   83

The first five routes are the default routes; the last two routes
were added when I pinged from the clients to the firewall. These last
two routes (surprisingly?) have the schema:
	dest = <client ip address> ; gateway = <*client* mac address>
                                                 ^^^^^^



The routing table of client0 (client1 is analogous; the firewall should
be transparent, so I don't want to write it into the routes):

Destination        Gateway            Flags      Netif Expire
-------------------------------------------------------------------
...111.0           ...111.29
...default         ...111.29




The firewall rules i tried were:

1. allow all from any to any
2. allow all from client0 to client1 in  via NIC0
   allow all from        -"-         out via NIC1
   allow all from client1 to client0 in  via NIC1
   allow all from        -"-         out via NIC0

In both cases pinging between the firewall and client0/1 works, but pinging
between the two clients fails (in the case of *directly* connected clients
(without firewall), ping works with the above configuration).



"tcpdump" (running on the firewall) shows that the ping request reaches
the firewall at the appropriate NIC, but there's no output on the other
NIC (i.e. no forwarding).

PS: Another strange thing: if the firewall NICs are both set to the IP
address ...111.9 via *rc.conf*, pinging from client1 to the firewall
via NIC-1 does *not* work after booting. But if I *then* set the IP
address manually (ifconfig), the following error message appears ...:

/kernel: rtinit: wrong ifa (0xc0e00480) was (0xc0e00700)

... but ping works (!).


Any suggestions?

Thanks in advance: Toni.





PPS:

Excerpt of my /etc/rc.conf:
---------------
ifconfig_fxp1="inet xxx.yyy.111.9  netmask 255.255.255.128"
ifconfig_fxp0="inet xxx.yyy.111.9  netmask 255.255.255.128"
hostname="aaa.bbb.ccc.ddd"
router_enable="NO"
gateway_enable="YES"
defaultrouter="xxx.yyy.111.1"
firewall_enable="YES"
tcp_extensions="NO"
----------------

Additions to the GENERIC kernel:
--------------------
options IPFIREWALL
options IPFIREWALL_VERBOSE
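As an added check that is not part of the post or of the FreeBSD handbook: a small POSIX sh audit of a two-NIC ipfw forwarder like the one described above. It parses a constructed ifconfig(8) excerpt that mirrors the rc.conf lines (the same inet address on fxp0 and fxp1) and tests whether each client lies inside the subnet of the NIC it hangs off; 10.0.111.x and 10.0.112.x are constructed stand-ins for the masked xxx.yyy.111.x / xxx.yyy.112.x addresses, while the interface names and the /25 netmask come from the excerpt.

```sh
#!/bin/sh
# Added sanity checks for a two-NIC ipfw forwarder; not code from the post.
# Constructed addresses: 10.0.111.x / 10.0.112.x stand in for xxx.yyy.111.x / .112.x.

# Constructed ifconfig(8) excerpt mirroring the rc.conf lines above: the same
# inet address is configured on both fxp0 and fxp1.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.111.9 netmask 0xffffff80 broadcast 10.0.111.127
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.111.9 netmask 0xffffff80 broadcast 10.0.111.127'

# Print one line "ADDR IF IF..." per inet address that appears on more than one
# interface; prints nothing when every address is unique.
dup_inet_addrs() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]/  { split($1, f, ":"); ifn = f[1] }
        $1 == "inet" { seen[$2] = seen[$2] " " ifn; n[$2]++ }
        END { for (a in seen) if (n[a] > 1) print a seen[a] }' | sort
}

# Dotted-quad IPv4 address -> unsigned integer (subshell keeps the IFS change local).
ip4_to_int() (
    IFS=.; set -- $1
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
)

# on_link IFADDR PREFIXLEN HOST: succeed when HOST lies in IFADDR/PREFIXLEN,
# i.e. the NIC can ARP for it directly instead of needing a route.
on_link() {
    [ $(( $(ip4_to_int "$1") >> (32 - $2) )) -eq \
      $(( $(ip4_to_int "$3") >> (32 - $2) )) ]
}

# Audit the topology from the post: client0 10.0.111.29 behind fxp0 and
# client1 10.0.112.50 behind fxp1, both NICs configured as 10.0.111.9/25.
# Prints one finding per line and returns 1 if anything was flagged.
audit() {
    rc=0
    dups=$(dup_inet_addrs "$SAMPLE_IFCONFIG")
    [ -z "$dups" ] || { echo "same inet address on several NICs: $dups"; rc=1; }
    for spec in "fxp0 10.0.111.9 25 10.0.111.29" "fxp1 10.0.111.9 25 10.0.112.50"; do
        set -- $spec
        on_link "$2" "$3" "$4" || { echo "$4 is not on-link for $1 ($2/$3)"; rc=1; }
    done
    return $rc
}

# Stand-alone run: list findings; a non-zero status means something was flagged.
audit || echo "audit: configuration problems found (see above)"
```

Swap SAMPLE_IFCONFIG for the output of `ifconfig -a` and the client/NIC tuples for the real ones to run it against a live box.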