From: Florian Nigsch
To: freebsd-questions@freebsd.org
Date: Tue, 26 Feb 2002 02:09:56 +0100
Subject: private lan + natd: what to divert
Message-ID: <20020226020956.A38543@nigsch.com>

Hi all,

I just spent the whole Austrian evening and part of the night
setting up a new firewall for my home LAN. What a job....

I have a FreeBSD 4.5-STABLE with two ethernet cards ed0 and ed1:

    ed0: 1.2.3.4
    ed1: 192.168.2.1

I have natd running with natd.conf reading:

    deny_incoming no
    log_denied
    use_sockets
    same_ports
    unregistered_only

and a firewall script with the following rules:

    add 100 allow ip from any to any via lo0
    ... some anti-spoof rules ...
    add 4400 skipto 5000 ip from 192.168.2.0/24 to 1.2.3.4
    add 4500 divert 8668 ip from 192.168.2.0/24 to not 192.168.2.0/24
    add 4600 divert 8668 ip from not 192.168.2.0/24 to 1.2.3.4
    add 5000 check-state
    add allow tcp from any to any established
    add allow ip from any to any via ed1 keep-state
    add allow ip from 1.2.3.4 to any keep-state
    ... some other rules ...
    add 65530 deny log ip from any to any

-> With these rules I am not able to browse websites from behind the
   firewall. However, and that I find a bit confusing, I can do a
   mailcheck at my mailserver with Eudora (with TLS). I can ping
   outside hosts (like www.yahoo.com), name resolution is working, but
   I can't seem to get www access working.

-> If I change the divert rules from two separate rules to

    add 4500 divert 8668 ip from any to any via ed0

   everything is working just wonderfully. This rule works fine, but it
   also diverts the traffic for the public IP address, which isn't
   really necessary.

-> I think that if each connection is a dynamic one, is there the need
   to have a rule to allow established tcp packets?

What is wrong with those two divert rules? Shouldn't they work as I
expect them to? ;) Or could it be that it has something to do with the
dynamic rules?

Thanks for any comments in advance,
flo

-- 
Florian Nigsch
http://flo.nigsch.com/
PGP key: http://flo.nigsch.com/fnigsch.asc
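The question turns on the order in which `divert`, `keep-state` and `check-state` see a packet's addresses. The tracer below is an added example (not code from the mail or from FreeBSD) that models just enough of ipfw(8) and natd(8) to walk one forwarded TCP connection through both rulesets quoted above and report which rule admits each of the four passes. It assumes: a forwarded packet is evaluated twice (inbound on the interface it arrives on, outbound on the one it leaves on); `divert` hands the packet to natd and evaluation resumes at the next rule; `unregistered_only` means natd only rewrites private sources; `keep-state` records the endpoint pair as it looks at that moment. Ports, TCP flags other than ACK and the rules the mail elides are not modelled; the LAN host 192.168.2.10 and the server 203.0.113.5 are constructed, and the labels 5100/5200/5300 for the mail's unnumbered rules exist only in the tracer.

```python
"""Toy tracer for ipfw + natd rule evaluation (added example, not from the mail).
A forwarded packet passes ipfw twice (inbound on the arriving interface, outbound
on the leaving one); `divert` hands it to natd and evaluation resumes at the next
rule; `keep-state` records the endpoint pair as it looks at that moment and
`check-state` looks it up. Ports, flags other than ACK, elided rules: not modelled."""
import ipaddress
from dataclasses import dataclass

PUBLIC = ipaddress.ip_address("1.2.3.4")
LAN = ipaddress.ip_network("192.168.2.0/24")

@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str         # interface of the current pass (ed0 or ed1)
    ack: bool = False  # `established` matches TCP packets with ACK set

@dataclass
class Rule:
    num: int
    action: str        # allow | deny | skipto | divert | check-state
    proto: str = "ip"
    src: str = "any"   # "any", host or CIDR, optionally prefixed "not "
    dst: str = "any"
    via: str = ""      # "" means no `via` clause
    keep_state: bool = False
    established: bool = False
    target: int = 0    # skipto destination

def addr_match(spec, addr):
    neg = spec.startswith("not ")
    spec = spec[4:] if neg else spec
    hit = spec == "any" or addr in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def natd(pkt, table):
    """natd with unregistered_only: masquerade LAN sources, un-NAT their replies."""
    if pkt.src in LAN:                                 # outbound
        table[pkt.dst] = pkt.src                       # remote -> LAN host
        pkt.src = PUBLIC
    elif pkt.dst == PUBLIC and pkt.src in table:       # reply to a masqueraded host
        pkt.dst = table[pkt.src]

def run(rules, pkt, nat, state):
    """One ipfw pass; returns (verdict, number of the deciding rule)."""
    i = 0
    while i < len(rules):
        r, i = rules[i], i + 1
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))  # divert may rewrite pkt
        if r.action == "check-state":
            if key in state:
                return "allow", r.num
            continue
        if (r.proto not in ("ip", pkt.proto)
                or not addr_match(r.src, pkt.src) or not addr_match(r.dst, pkt.dst)
                or (r.via and r.via != pkt.iface)
                or (r.established and not (pkt.proto == "tcp" and pkt.ack))):
            continue
        if r.action == "skipto":
            i = next(k for k, x in enumerate(rules) if x.num >= r.target)
        elif r.action == "divert":
            natd(pkt, nat)              # then fall through to the next rule
        elif r.action == "allow":
            if r.keep_state:
                state.add(key)
            return "allow", r.num
        elif r.action == "deny":
            return "deny", r.num
    return "deny", 65535                # ipfw's implicit final rule

TAIL = [  # unnumbered rules in the mail get tracer-only labels 5100/5200/5300
    Rule(5000, "check-state"),
    Rule(5100, "allow", proto="tcp", established=True),
    Rule(5200, "allow", via="ed1", keep_state=True),
    Rule(5300, "allow", src="1.2.3.4", keep_state=True),
    Rule(65530, "deny"),
]
SPLIT = [  # the two address-based divert rules from the mail
    Rule(4400, "skipto", src="192.168.2.0/24", dst="1.2.3.4", target=5000),
    Rule(4500, "divert", src="192.168.2.0/24", dst="not 192.168.2.0/24"),
    Rule(4600, "divert", src="not 192.168.2.0/24", dst="1.2.3.4"),
] + TAIL
SINGLE = [  # the `divert 8668 ip from any to any via ed0` variant
    Rule(4400, "skipto", src="192.168.2.0/24", dst="1.2.3.4", target=5000),
    Rule(4500, "divert", via="ed0"),
] + TAIL

def trace(rules):
    """LAN SYN (ed1 in, ed0 out), then its SYN/ACK (ed0 in, ed1 out); one
    (verdict, rule) per pass. Both hosts are constructed addresses."""
    nat, state, hits = {}, set(), []
    lan_host, server = map(ipaddress.ip_address, ("192.168.2.10", "203.0.113.5"))
    for pkt, path in ((Packet("tcp", lan_host, server, ""), ("ed1", "ed0")),
                      (Packet("tcp", server, PUBLIC, "", ack=True), ("ed0", "ed1"))):
        for iface in path:
            pkt.iface = iface
            hits.append(run(rules, pkt, nat, state))
    return hits
```

`trace(SPLIT)` returns rule numbers 5200, 5000, 5100, 5100: the outbound SYN is diverted first, so the dynamic rule created by the `via ed1 keep-state` rule is keyed on the translated pair (1.2.3.4, server); the SYN/ACK is diverted back to 192.168.2.10 at rule 4600 before `check-state` runs, never matches that dynamic rule, and is admitted only by `allow tcp from any to any established`. `trace(SINGLE)` returns 5200, 5300, 5000, 5000: with `divert ... via ed0` the inbound pass on ed1 records the untranslated pair, natd rewrites the packet only on the ed0 passes, and both reply passes are carried by `check-state`. Within this model the `established` rule is the only thing keeping the two-rule variant's TCP replies alive; whether that, the elided rules or natd's port handling explains the www symptom is outside what the tracer can say.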