Date:      Wed, 10 Mar 1999 15:04:25 -0600
From:      Guy Helmer <ghelmer@scl.ameslab.gov>
To:        wildcardus freakis <wildcard@dax.belen.k12.nm.us>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: 3.1R firewall wierdness.
Message-ID:  <Pine.SGI.4.05.9903101454570.15928-100000@demios.scl.ameslab.gov>
In-Reply-To: <Pine.BSF.3.96.990310131201.28959A-100000@dax.belen.k12.nm.us>

On Wed, 10 Mar 1999, wildcardus freakis wrote:

> 	Ran into something weird, when I enable firewall type "simple" all
> network functionality fails...
> 
> the interface setup looks right to me?
> 	oif="ep0"
> 	onet="206.206.121.0"
> 	omask="255.255.255.0"
> 	oip="206.206.121.43"
> 	
> 	iif="ep0"
> 	inet="192.168.0.0"
> 	imask="255.255.0.0"
> 	iip="192.168.250.1"
> 
> I didn't change any of the rules at all, and I also already added the
> ifconfig_ep0_alias for 192.168.250.1 into rc.conf I haven't tried NAT yet
> but that is my eventual goal, I need a working machine before I do that.

There is a problem with running the supplied "simple" rules on a machine
where both the internal and external addresses are on the same interface.
The first two rules that stop spoofing will match all packets entering the
single interface, so you'll have to comment out the first two rules (the
spoofing rules).  You'll also need to comment out the next six rules (the
RFC1918 rules) since you are using an RFC1918 address for the inside
network.  The rule

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

will need work as well; you might be able to replace it with something
like this:

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add allow tcp from ${inet}:${imask} to any setup
    $fwcmd add allow tcp from ${oip} to any setup
    $fwcmd add deny log tcp from any to ${inet}:${imask} setup
    $fwcmd add deny log tcp from any to ${oip} setup

Hope this gets you started,
Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science 
Research Assistant, Ames Laboratory       ---         ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science   ---   ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
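Added example, not from the thread or from FreeBSD's rc.firewall: a small Python model of ipfw's first-match evaluation run over constructed sample TCP SYNs. It shows why a stock "stop spoofing" rule of the form "deny from inside-net in via ${oif}" drops every LAN host's traffic once inside and outside share ep0, and how the four replacement rules in the reply treat the same packets. The spoof rule is my reading of the reply's description, and the outside host address is made up.

```python
import ipaddress

# Constructed scenario from the thread: inside and outside share ep0; the box is
# 206.206.121.43 and the LAN is 192.168.0.0/16 (values assumed from the post).
OIF = "ep0"
OIP = ipaddress.ip_network("206.206.121.43/32")
INET = ipaddress.ip_network("192.168.0.0/255.255.0.0")
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(action, src=ANY, dst=ANY, direction=None, via=None, setup=False):
    """One ipfw-style rule; None means the field is left unspecified."""
    return {"action": action, "src": src, "dst": dst,
            "dir": direction, "via": via, "setup": setup}

def matches(r, pkt):
    return (pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
            and r["dir"] in (None, pkt["dir"])
            and r["via"] in (None, pkt["iface"])
            and (pkt["setup"] or not r["setup"]))

def verdict(rules, pkt):
    """First matching rule wins; ipfw's implicit last rule denies the rest."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# My reading of the stock "stop spoofing" rule the reply says to comment out:
# drop anything with an inside source that arrives in via the outside interface.
SPOOF_RULES = [rule("deny", src=INET, direction="in", via=OIF)]
# The four replacement rules from the reply ("deny log" modelled as plain deny).
REPLACEMENT_RULES = [rule("allow", src=INET, setup=True),
                     rule("allow", src=OIP, setup=True),
                     rule("deny", dst=INET, setup=True),
                     rule("deny", dst=OIP, setup=True)]

def pkt(src, dst, direction, setup=True):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dir": direction, "iface": OIF, "setup": setup}

# Constructed sample TCP SYNs; 198.51.100.9 is a made-up outside host.
SAMPLES = {"lan_to_internet": pkt("192.168.0.5", "198.51.100.9", "in"),
           "internet_to_lan": pkt("198.51.100.9", "192.168.0.5", "in"),
           "internet_to_box": pkt("198.51.100.9", "206.206.121.43", "in"),
           "box_to_internet": pkt("206.206.121.43", "198.51.100.9", "out")}

def verdicts(rules):
    """Map each sample packet to the verdict the given rule list produces."""
    return {name: verdict(rules, p) for name, p in SAMPLES.items()}
```

With the spoof rule in place the LAN's own SYNs arrive "in via ep0" and are dropped, which is the symptom the original post describes; the replacement list lets inside hosts and the box open connections while denying setups aimed at either.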