Date: Tue, 30 Apr 2002 08:20:04 +0800
From: Jimmy <jimmy@tricom.com.ph>
To: Axel Scheepers <axel@axel.truedestiny.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter+ipfw
Message-ID: <20020430082004.6bb40e15.jimmy@tricom.com.ph>
In-Reply-To: <20020429140344.E61218@mars.thuis>
References: <20020426143406.5d9ede72.jimmy@tricom.com.ph> <20020429140344.E61218@mars.thuis>
On Mon, 29 Apr 2002 14:03:45 +0200
Axel Scheepers <axel@axel.truedestiny.net> wrote:

> On Fri, Apr 26, 2002 at 02:34:06PM +0800, Jimmy wrote:
> > Hi,
> >
> > I've configured my FreeBSD-4.5-STABLE firewall host, and I installed 4 NIC
> > cards on it and I'm using ipfilter to NAT and packet filter & ipfw to bridge
> > and as a traffic shaper. Here is the list of my NIC cards:
> >
> > fxp0=localnet1(192.168.100.0/24)nat
> > xl0=external interface connected to dsl modem
> > xl1=localnet2(192.168.200.0/24)nat
> > xl2=filter bridge to xl0
> >
> > The outside world can see my host connected to the bridge NIC and vice
> > versa, except my localnet1 and localnet2. Did I miss something in my
> > configuration? How can I connect my localnet1 & 2 to talk to the host
> > connected to xl2 which is being bridged?
>
> Hi,
>
> It is generally a bad idea to mix ipf and ipfilter, ipfilter and ipnat combo
> works directly on the kernel tables, while ipf runs in userspace and is thus
> somewhat slower.

Correction pls. ipfw and ipfilter. I don't have a problem with the speed, in
fact it gives me a speed and equal distribution of bandwidth -).

> The 192.168.x.x aren't routed on the internet, and must be remangled to the
> modem's ip. (NAT) This seems to go wrong. At my place I have ipfilter/ipnat
> where ipnat does the following:
> map 192.168.0.0/16 -> 0/32 portmap auto
> map 192.168.0.0/16 -> 0/32 proxy ftp
> rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80

Yes, we have the same ipnat.rule and my nat works perfectly, but not with the
filter bridge; as CJC said, it is evil to nat a filter bridge.

> which directs all traffic to another host in my local lan.
>
> You can use tcpdump to see what packets are being forwarded (did you sysctl -w
> net.inet.ip.forwarding=1?)

Yes, I've enabled packet forwarding and it's A1 working.

> A couple of extra debug generating rules isn't bad either, to see what gets
> denied and what goes through.
> Probably the best solution is to stick with one of the two firewalls, instead
> of using both at the same time.

I don't think so, ipfw & ipfilter is a good combination, and I think most
firewall hosts and DMZs are using this and it is mentioned in the IPFilter FAQ
(http://home.earthlink.net/~jaymzh666/ipf/IPFfreebsd.html#14).

> > TIA,
> >
> > Jimmy
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
>
> Gr,
> --
> Axel Scheepers
> UNIX System Administrator
>
> email: axel@axel.truedestiny.net
> a.scheepers@iae.nl
> http://axel.truedestiny.net/~axel
> ------------------------------------------
> A fanatic is one who can't change his mind and won't change the
> subject.
> -- Winston Churchill
> ------------------------------------------

regards,
Jimmy
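As an added example (not from either poster), here is an ipnat.rules/ipf.rules pair for the four-NIC layout Jimmy describes: per-interface map rules for the two local nets instead of a single 192.168.0.0/16 map, plus the logged block rules Axel suggests for seeing what is dropped. Interface names and networks are taken from the thread; everything else is an assumed minimal ruleset and does not address the bridged xl2 segment.

```conf
# /etc/ipnat.rules  (added example; interfaces and nets as in the thread)
# Translate each local net only on the external interface xl0, so the
# bridged xl2 segment is never touched by NAT.
map xl0 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.100.0/24 -> 0/32
map xl0 192.168.200.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.200.0/24 -> 0/32

# /etc/ipf.rules  (added example)
# Logged block first: a private source address arriving on the external
# interface is either spoofed or leaked, and ipmon will show it.
block in log quick on xl0 from 192.168.0.0/16 to any
# Stateful egress on xl0; replies are matched by the state table, so no
# explicit "pass in" for return traffic is needed.
pass out quick on xl0 proto tcp all flags S keep state
pass out quick on xl0 proto udp all keep state
pass out quick on xl0 proto icmp all keep state
# Inbound from the two local nets on their own interfaces.
pass in quick on fxp0 from 192.168.100.0/24 to any
pass in quick on xl1 from 192.168.200.0/24 to any
# Anything else inbound on the external side is logged and dropped.
block in log on xl0 all

# Load:  ipnat -CF -f /etc/ipnat.rules ; ipf -Fa -f /etc/ipf.rules
# Watch: ipmon -s   (logged rules)      ipnat -l   (active translations)
```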