From owner-freebsd-net Sat Aug 19 23:35:10 2000
Date: Sat, 19 Aug 2000 23:34:58 -0700 (PDT)
From: Todd Backman
To: Dan Debertin
Cc: freebsd-net@freebsd.org
Subject: Re: Routing firewall w/ipfw questions

On Sat, 19 Aug 2000, Dan Debertin wrote:

> First, as this is not exactly security-related, a better forum for this is
> -net (or -questions, but that list tends to have more questions than
> answers ;).

My bad. Moving to -net...thanks for the tap.

> Now, on to your question:
>
> > Question:
> > Is my reasoning flawed in regards to the routing portion of this setup?
>
> Your subnetting plan looks fine to me. One thing that strikes me, though,
> is that you need to have a router on the external side who knows that your
> FreeBSD box is the next-hop router for the post-firewall /24. Is there
> such a router in your setup? For example, let's say that your firewall's
> external interface is 1.1.1.6/29, and the internal is 1.1.2.1/24. There
> should be a router with an interface on the 1.1.1.0/29 subnet that "knows"
> that 1.1.2.0/24 is reached via 1.1.1.6. In cisco syntax this would be
>
> ip route 1.1.1.0 255.255.255.0 1.1.1.6
>
> or via the UNIX "route" command:
> route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6

Yes, that was done and verified.

> Also, make sure you have a default gateway on your firewall pointing to
> that external router. I am also assuming you've done the basic lower-layer
> checks for link lights, cable integrity, etc.

Yes.

> > Thanks for any help you might provide. Upon successful completion of this
> > project I will document all *correct* procedures and post as I have not
> > found any documentation on setting ipfw up for protecting an internal /24
> > with a different subnet on the outside interface.
>
> We've been doing this successfully for quite some time, so I assure you
> it's fairly standard ;).

;^) I could not find any documentation regarding this type of setup other
than the "simple" section of rc.firewall. I will ditch my rules tomorrow,
leave everything open, then try the routing again. The main thing that I
wanted to find out was: is the routing plan correct? (Just had to rule it
out, as I am not the route man I would like to be...if they would only issue
me another 24hrs in a day I would be fine ;^)

It had me baffled, as when working with the guy on the inside net during
testing, he could gain access to and from the outside (due to his first
established connection) but no access from the outside could be established
even after adding as the last ruleset:

allow ip from any to any

Something to be said about "starting over" ;^)

Thanks for your help Dan.

- Todd

> ~Dan D.
> --
> ++ Dan Debertin
> ++ Senior Systems Administrator
> ++ Bitstream Underground, LLC
> ++ airboss@bitstream.net
> ++ (612)321-9290
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
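An added example (not code from either poster) that models the two points of the thread: the static-routing plan Dan describes (upstream router on the /29 holding a route for 1.1.2.0/24 via 1.1.1.6, firewall defaulting to that router) and ipfw's first-match rule evaluation, which is why an "allow ip from any to any" appended as the last rule only decides packets no earlier rule has already matched. The upstream router's address 1.1.1.1 and the rule numbers are assumptions; the ruleset is constructed.

```python
import ipaddress

# Constructed topology from the thread: firewall outside 1.1.1.6/29, inside 1.1.2.1/24.
# The upstream router's own address on the /29 is not in the thread; 1.1.1.1 is an assumption.
FW_OUTSIDE = ipaddress.ip_interface("1.1.1.6/29")
FW_INSIDE = ipaddress.ip_interface("1.1.2.1/24")
UPSTREAM = ipaddress.ip_address("1.1.1.1")


def check_routing_plan(upstream_routes, fw_default_gw):
    """Return the problems with the static routing plan (empty list means it is sound).
    upstream_routes: {destination CIDR: next hop} on the external router, i.e. the effect of
    'route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6'. fw_default_gw: firewall's default route."""
    problems = []
    if UPSTREAM not in FW_OUTSIDE.network:
        problems.append("upstream router is not on the firewall's outside /29")
    routes = {ipaddress.ip_network(d): ipaddress.ip_address(n) for d, n in upstream_routes.items()}
    if routes.get(FW_INSIDE.network) != FW_OUTSIDE.ip:
        problems.append("upstream router has no route for 1.1.2.0/24 via 1.1.1.6")
    if ipaddress.ip_address(fw_default_gw) != UPSTREAM:
        problems.append("firewall default gateway does not point at the upstream router")
    return problems


def ipfw_verdict(rules, proto, src, dst):
    """Minimal model of ipfw matching: rules are tried in number order and the FIRST match wins.
    rules: (number, action, proto, src_cidr, dst_cidr); proto 'ip' matches any protocol.
    Returns (rule number, action); 65535/deny is ipfw's built-in default rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, rproto, rsrc, rdst in sorted(rules):
        if rproto in ("ip", proto) and src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst):
            return num, action
    return 65535, "deny"


# Constructed ruleset: an earlier inbound deny sits in front of the catch-all allow appended last.
RULES = [
    (100, "allow", "ip", "1.1.2.0/24", "0.0.0.0/0"),   # inside hosts may reach the outside
    (200, "deny", "tcp", "0.0.0.0/0", "1.1.2.0/24"),   # decides inbound TCP before 65000 is reached
    (65000, "allow", "ip", "0.0.0.0/0", "0.0.0.0/0"),  # 'allow ip from any to any' as the last rule
]

if __name__ == "__main__":
    print("routing plan problems:", check_routing_plan({"1.1.2.0/24": "1.1.1.6"}, "1.1.1.1"))
    print("outside -> inside tcp:", ipfw_verdict(RULES, "tcp", "5.6.7.8", "1.1.2.50"))
```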