Date: Sat, 19 Aug 2000 22:32:41 -0700 (PDT)
From: Todd Backman <todd@flyingcroc.net>
To: freebsd-security@freebsd.org
Subject: Routing firewall w/ipfw questions
Message-ID: <Pine.BSF.4.21.0008192142110.27579-100000@security1.noc.flyingcroc.net>
Greetings!

I am setting up a firewall to protect a class C network and am having difficulty with routing. Here is the scenario (IPs changed to protect the guilty):

Firewall box running 4.0-STABLE with plenty of horsepower and 2 NICs.
  - outside interface is set to xxx.xxx.xxx.83 in a /29 (netmask .248)
  - inside interface is going to be set to xxx.xxx.xxx.1 in a /24 (netmask .0)
  - gateway of the inside net is currently on a virtual interface on a router with the IP of xxx.xxx.xxx.1

Problem: When testing the firewall today I had one of the neteng guys shut the virt int on the router, re-route the traffic destined for the inside net to the outside interface of the firewall, and bring up xxx.xxx.xxx.1 on the inside interface. After that was accomplished I had someone test connectivity outbound from within the /24 that I am attempting to protect, and all was fine. However, inbound traffic to the outside interface and/or the internal /24 was not passing. I could not even traceroute to the outside interface at all. At that time I figured that I had not spent enough time on my rules and went ahead and set ipfw to pass ip from any to any. Still no luck.

Question: Is my reasoning flawed in regards to the routing portion of this setup? I made sure that IP forwarding was enabled as well. (Please let me know if you need more info to assist with this problem.) I am not a routing whiz, so I'll need the big thump with the clue bat for sure...

Thanks for any help you might provide. Upon successful completion of this project I will document all *correct* procedures and post, as I have not found any documentation on setting ipfw up for protecting an internal /24 with a different subnet on the outside interface.

- Todd

BTW... has anyone discussed some sort of document pool for various projects that FreeBSD users implement? There are many of us out here that have done some pretty cool stuff, and if we all dump our docs somewhere with a search tool on the front end...?
I do understand that many of our documentation methods (or lack thereof) are diff, but I think that the variety of directions and slightly diff circumstances regarding the implementations are a plus. I certainly would not mind sifting through others' docs looking for the right match to any of my hair-pulling projects. Just my .02. And, yes, I am willing to donate time/resources (and my docs) to the project.
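The post describes a two-NIC box with a /29 on the outside interface and a /24 on the inside, a default gateway on the upstream router, IP forwarding turned on, and inbound traffic that does not come back. Before touching ipfw rules, the routing part of that picture can be checked on paper. The script below is an added example, not code from the post or from FreeBSD: it models what the kernel's forwarding table does with the firewall's own prefixes (connected routes, a default route, longest-prefix match for a destination) and flags interface prefixes that overlap, which is what happens if the outside /29 and the inside /24 both sit in the same class C, as the post's xxx.xxx.xxx.* addressing may or may not imply. The interface names (fxp0/fxp1), the RFC 5737 documentation addresses and the sysctl(8) output line are all constructed stand-ins.

```python
"""Routing sanity checks for a two-NIC firewall (added example, not from the post).

Models the kernel's forwarding decision for the firewall's own prefixes:
connected routes, an optional default route, longest-prefix match, and a
check for interface prefixes that overlap. All addresses are constructed
RFC 5737 documentation ranges standing in for the post's xxx.xxx.xxx.* values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, interface name, next hop or None for a directly connected route)
Route = Tuple[ipaddress.IPv4Network, str, Optional[ipaddress.IPv4Address]]


def connected_routes(ifaces: Dict[str, str]) -> List[Route]:
    """One connected route per interface; ifaces maps name -> "addr/prefixlen"."""
    return [(ipaddress.ip_interface(cidr).network, name, None)
            for name, cidr in ifaces.items()]


def overlapping_prefixes(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose prefixes overlap.

    Addresses in the overlap are claimed by two interfaces: the kernel settles
    them by longest-prefix match, and they are unusable on the wider side.
    """
    routes = connected_routes(ifaces)
    clashes = []
    for i, (net_a, if_a, _) in enumerate(routes):
        for net_b, if_b, _ in routes[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((if_a, if_b))
    return clashes


def egress(table: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: (interface, next hop or None), or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, ifname, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, gw)
    if best is None:
        return None
    return best[1], (str(best[2]) if best[2] is not None else None)


def build_table(ifaces: Dict[str, str], default_gw: Optional[str] = None) -> List[Route]:
    """Connected routes plus 0.0.0.0/0 via default_gw.

    The gateway must itself be on a connected prefix, the same condition the
    kernel enforces when `route add default` is attempted.
    """
    table = connected_routes(ifaces)
    if default_gw is not None:
        hop = egress(table, default_gw)
        if hop is None:
            raise ValueError(f"default gateway {default_gw} is not on any connected prefix")
        table.append((ipaddress.ip_network("0.0.0.0/0"), hop[0],
                      ipaddress.ip_address(default_gw)))
    return table


def forwarding_enabled(sysctl_output: str) -> bool:
    """Parse `sysctl net.inet.ip.forwarding` output; a router needs the value 1."""
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "net.inet.ip.forwarding":
            return value.strip() == "1"
    return False


def check_firewall(ifaces: Dict[str, str], default_gw: str, sysctl_output: str,
                   probes: List[str]) -> dict:
    """Run every check and report the egress decision for each probe address."""
    table = build_table(ifaces, default_gw)
    return {
        "forwarding": forwarding_enabled(sysctl_output),
        "overlaps": overlapping_prefixes(ifaces),
        "egress": {dst: egress(table, dst) for dst in probes},
    }


if __name__ == "__main__":
    # Constructed layout: outside .83/29 and inside .1/24 in the same class C,
    # upstream router at .81 on the /29. Names and addresses are assumptions.
    IFACES = {"fxp0": "198.51.100.83/29", "fxp1": "198.51.100.1/24"}
    SYSCTL = "net.inet.ip.forwarding: 1\n"  # constructed sysctl(8) output
    report = check_firewall(IFACES, "198.51.100.81", SYSCTL,
                            ["198.51.100.81", "198.51.100.200", "192.0.2.10"])
    for key, value in report.items():
        print(key, value)
```

With the constructed same-class-C layout the script reports one overlap (fxp0/fxp1): the /29 is carved out of the /24, so hosts .80 to .87 can never be reached on the inside, while a reply to the upstream router at .81 still leaves via the outside interface because the /29 is the longer match. Give the outside interface a prefix from a different network and the overlap disappears. The default-route check is the same one the kernel applies: a gateway that is not on a connected prefix is refused.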