Date: Thu, 29 Apr 2004 21:30:55 +0000 From: "Andrea E." <andrea@ae4u.de> To: freebsd-questions@FreeBSD.org Subject: ipfw with NAT and ARP Message-ID: <4091740F.7000908@ae4u.de>
next in thread | raw e-mail | index | archive | help
Hi, I am a newbie and my question is very easy perhaps. I work with FreeBSD 5.2.1 I would like to configure a firewall with to interfaces (xl0 = LAN, xl1 = External) For NAT I have configured like discribed in the manualpage of natd: ipfw -f flush ipfw add divert natd all from any to any via xl1 ipfw add allow all from any to any -> all is fine. But, I wont so a simple firewall and for this reason, first I want to configure the ICMP-protocol: ip_ext => External IP-Address ipfw -f flush ipfw add divert natd all from any to any via xl1 ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1 ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1 -> It's not ok. With "ethereal" no pakets are going out (test from an other system, connected with a HUP.) When testing "ping" from external to external IP-Adress of my firewall, the ARP-request: to broadcast Who has xxx.xxx.xxx.xxx? Tell xxx.xxx.xxx.xxx fails -> seems to have a problem to let ARP through the firewall. Above -> "ipfw add allow all from any to any" let ARP through the firewall. So I think, thats the configuration of the rest of my computer (like kernel, rc.conf, etc. ist ok) And there are no ARP-protocol in /etc/protocols, so I don't know, what I can do now. There is a bug: After restarting system with above configuration of icmp-protocol no ping-request is going out. After a flush of all rules and configuring of "ipfw add allow all from any to any" ping-request get an answer. Very interesting is to flush all rules und to configure the firewall like the first configuring (to allow special rules for icmp-protocol -> all works very fine. ping-request get an answer. Whenn restarting system the ping-request get no answer again, I mean, the ping-request is not send out. Can anybody help me? Hope to get an answer. I hope you can understand me, my English isn't very well. Greatings from Berlin, Andrea E.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4091740F.7000908>