Date: Fri, 19 Mar 1999 13:22:05 -0800
From: Jeff Yeo <Jeff_Yeo@pml.com>
To: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: ipfw rule blocking connection
Message-ID: <8E6C9AEA17A8D2118D6E00A0C99869402AF48A@HERMES.pml.com>
I hate to send yet another ipfw/natd question to the list, but
after searching the archives and reading 50 posts without
finding an answer (that I could recognize, anyway) ...
I'm running FreeBSD 2.2.8-RELEASE as a firewall using ipfw
and natd and /etc/rc.firewall as a starting point. I'm using
192.168.1.0/24 on the internal network, and an Internet
IP address on the external interface. Using ipfw show, I've
noticed that the following rule is blocking replies from the
external interface:
ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
I'm assuming that natd changes the destination address on the
packet and reinjects it into the packet stream. When it hits the
above rule, it appears that there has been a packet received on
${oif} with a destination of 192.168.1.x and the packet is dropped.
Is this correct?
I'd like to explicitly deny any packets received on ${oif} with a
destination of 192.168.x.y (and still be able to access the 'Net
from inside, of course). Is this possible? I've tried a number of
variations on this rule and have not been able to come up with
anything that does what I want and still allow inbound packets.
Is simply omitting the above rule a reasonable thing to do? Upon
reflection, it seems that (a) routers on the Internet should not
forward packets with a destination network of 192.168.0.0/16,
and (b) the firewall's external interface will not receive packets
with a destination address other than its own (oops, it is a gateway,
so this isn't that safe either). Hmmmm.
Can anyone offer any suggestions?
Thanks,
Jeff Yeo
PS: I agree with the earlier posting that suggested a more detailed
ipfw/natd FAQ/tutorial/handbook section might be in order. There
are a lot of postings on these two subjects.
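As a constructed illustration added here (not code from the post or from FreeBSD's rc.firewall), the following Python model of ipfw rule traversal shows the ordering effect at issue: a packet rewritten by natd resumes matching at the rule after the divert, so a deny on 192.168.0.0/16 placed after the divert catches the translated replies, while the same deny restricted to inbound packets and placed before the divert drops only packets that arrive on the outside interface already addressed to the inside network. Interface name, addresses and the natd mapping are assumptions.

```python
import ipaddress

# Constructed values: interface, addresses and the natd mapping are assumptions.
OIF = "ed0"                                   # external interface (${oif})
EXT_IP = "203.0.113.5"                        # firewall's public address
NAT_TABLE = {EXT_IP: "192.168.1.10"}          # natd state: public -> inside host
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = ipaddress.ip_network("192.168.0.0/16")

def natd(pkt):
    """Mimic natd: rewrite the destination of an inbound reply to the inside host."""
    if pkt["dir"] == "in" and pkt["dst"] in NAT_TABLE:
        return dict(pkt, dst=NAT_TABLE[pkt["dst"]])
    return pkt

def matches(rule, pkt):
    """Rule shape: (action, src_net, dst_net, direction, interface)."""
    _, src, dst, direction, iface = rule
    return (ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst
            and direction in ("any", pkt["dir"])
            and iface in ("any", pkt["via"]))

def run(rules, pkt, start=0):
    """Walk the ordered rules like ipfw: a divert hands the packet to natd and
    the rewritten packet resumes matching at the rule after the divert."""
    for i in range(start, len(rules)):
        if not matches(rules[i], pkt):
            continue
        if rules[i][0] == "divert":
            return run(rules, natd(pkt), i + 1)
        return rules[i][0]
    return "deny"                              # default policy

# Ordering from the post: divert first, then the RFC1918 deny on ${oif}.
AS_POSTED = [
    ("divert", ANY, ANY, "any", OIF),
    ("deny", ANY, RFC1918, "any", OIF),
    ("allow", ANY, ANY, "any", "any"),
]
# Anti-spoof check placed before the divert and limited to inbound packets.
REORDERED = [
    ("deny", ANY, RFC1918, "in", OIF),
    ("divert", ANY, ANY, "any", OIF),
    ("allow", ANY, ANY, "any", "any"),
]
# Constructed packets: a reply to the NAT address, and one that arrives on the
# outside interface already addressed to an inside host.
REPLY = {"src": "198.51.100.7", "dst": EXT_IP, "dir": "in", "via": OIF}
SPOOFED = {"src": "198.51.100.7", "dst": "192.168.1.10", "dir": "in", "via": OIF}
```

Calling `run(AS_POSTED, REPLY)` returns "deny" while `run(REORDERED, REPLY)` returns "allow"; both orderings return "deny" for `SPOOFED`.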