From: Jimmy
To: Axel Scheepers
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter+ipfw
Date: Tue, 30 Apr 2002 08:20:04 +0800
Message-Id: <20020430082004.6bb40e15.jimmy@tricom.com.ph>
In-Reply-To: <20020429140344.E61218@mars.thuis>
References: <20020426143406.5d9ede72.jimmy@tricom.com.ph> <20020429140344.E61218@mars.thuis>
Organization: Tricom
X-Mailer: Sylpheed version 0.7.5 (GTK+ 1.2.10; i386-portbld-freebsd4.5)

On Mon, 29 Apr 2002 14:03:45 +0200
Axel Scheepers wrote:

> On Fri, Apr 26, 2002 at 02:34:06PM +0800, Jimmy wrote:
> > Hi,
> >
> > I've configured my FreeBSD-4.5-STABLE firewall host. I installed 4 NIC cards on it, and I'm using ipfilter to NAT and packet filter, and ipfw to bridge and as a traffic shaper. Here is the list of my NIC cards:
> >
> > fxp0=localnet1(192.168.100.0/24) nat
> > xl0=external interface connected to dsl modem
> > xl1=localnet2(192.168.200.0/24) nat
> > xl2=filter bridge to xl0
> >
> > The outside world can see my host connected to the bridge NIC and vice versa, except my localnet1 and localnet2. Did I miss something in my configuration? How can I connect my localnet1 & 2 to talk to the host connected to xl2, which is being bridged?
> >
> Hi,
>
> It is generally a bad idea to mix ipf and ipfilter: the ipfilter and ipnat combo
> works directly on the kernel tables, while ipf runs in userspace and is thus
> somewhat slower.

Correction please: ipfw and ipfilter. I don't have a problem with the speed; in fact it gives me speed and an equal distribution of bandwidth :-).

> The 192.168.x.x addresses aren't routed on the internet and must be remangled to the
> modem's IP (NAT). This seems to go wrong. At my place I have ipfilter/ipnat,
> where ipnat does the following:
>
> map 192.168.0.0/16 -> 0/32 portmap auto
> map 192.168.0.0/16 -> 0/32 proxy ftp
> rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80

Yes, we have the same ipnat rules and my NAT works perfectly, but not with the filter bridge; as CJC said, it is evil to NAT a filter bridge.

> which directs all traffic to another host in my local LAN.
>
> You can use tcpdump to see what packets are being forwarded (did you sysctl -w
> net.inet.ip.forwarding=1?)

Yes, I've enabled packet forwarding and it's A1 working.

> A couple of extra debug-generating rules aren't bad either, to see what gets
> denied and what goes through.
> Probably the best solution is to stick with one of the two firewalls instead of
> using both at the same time.

I don't think so; ipfw and ipfilter are a good combination. I think most firewall hosts and DMZs are using this, and it is mentioned in the IPFilter FAQ (http://home.earthlink.net/~jaymzh666/ipf/IPFfreebsd.html#14).

> > TIA,
> >
> > Jimmy
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
>
> Gr,
> --
> Axel Scheepers
> UNIX System Administrator
>
> email: axel@axel.truedestiny.net
> a.scheepers@iae.nl
> http://axel.truedestiny.net/~axel
> ------------------------------------------
> A fanatic is one who can't change his mind and won't change the
> subject.
> -- Winston Churchill
> ------------------------------------------

regards,
Jimmy
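The ipnat rules Axel quotes and the forwarding check he asks about, put together for the four-NIC layout Jimmy lists. This is an added example, not code from either poster or from the IPFilter FAQ: the interface names and subnets come from Jimmy's list and the rule shapes from Axel's, written out in the full ipnat(5) syntax (interface field, "tcp/udp" on portmap, "port ftp ftp/tcp" on the proxy). The helper names, the /etc/ipnat.rules path and the rc.conf lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipnat.conf for a FreeBSD 4.x
# host that NATs two RFC 1918 LANs out through one external interface.
# Interface names and subnets follow Jimmy's NIC list; the helper names and
# file location are assumptions.

EXT_IF="xl0"                                  # external interface (DSL modem)
LAN_NETS="192.168.100.0/24 192.168.200.0/24"  # fxp0 (localnet1) and xl1 (localnet2)

# Print one portmap rule and one ftp-proxy rule per LAN, in the shape of
# Axel's rules. The "0/32" target means "whatever address the interface has
# right now", so a renumbered modem side does not require editing the file.
ipnat_rules() {
    ext="$1"; shift
    for net in "$@"; do
        printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$ext" "$net"
        printf 'map %s %s -> 0/32 proxy port ftp ftp/tcp\n' "$ext" "$net"
    done
}

# Axel's question: is net.inet.ip.forwarding set? Takes the value as an
# argument so it can be checked offline; on the firewall call it as
#   forwarding_ok "$(sysctl -n net.inet.ip.forwarding)"
forwarding_ok() {
    [ "$1" = "1" ]
}

# Write the rules and load them. Run as root on the firewall only.
# -C clears the loaded NAT rules, -F flushes active mappings, -f loads the file.
install_rules() {
    conf="${1:-/etc/ipnat.rules}"
    ipnat_rules "$EXT_IF" $LAN_NETS > "$conf"
    ipnat -CF -f "$conf"
}

# Typical use on the firewall:
#   sysctl -w net.inet.ip.forwarding=1
#   install_rules /etc/ipnat.rules
#   ipnat -l          # show loaded rules and the active translation table
```

To have the rules come back after a reboot on 4.x, the assumed rc.conf lines are ipfilter_enable="YES", ipnat_enable="YES" and ipnat_rules="/etc/ipnat.rules"; check with ipnat -l that both map rules appear per LAN, then watch the external interface with tcpdump as Axel suggests to confirm the source addresses really leave as the modem's address rather than 192.168.x.x.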