From: "Robert M. Shields" <wildcard@bnswest.net>
Date: Wed, 28 Jun 2000 19:51:43 -0700
To: "Daniel J Cain Jr."
Cc: freebsd-questions@FreeBSD.org
Subject: Re: DSL / Routing / ipfw issues
Message-ID: <395AB9BF.C0618989@bnswest.net>

I had the firewall box enabled as a gateway with NAT onto the 2nd network
to begin with... (I guess that was relevant info, huh?) I could ping the
fxp0 interface from any system on the LAN, but when I tried to reach the
675 on the doze boxes, the packet would always time out. Which is why I
was looking into turning the firewall into a network bridge, to avoid all
that hoopla with running NAT twice. It's my understanding that while acting
as a bridge the firewall can just pass packets back and forth between
networks, just as if they were physically connected, without any name
translation or routing needed.

Or should I just say screw it, lose the firewall and use the NAT and packet
filtering in the 675?

Thanks for the input though,

Robert

"Daniel J Cain Jr." wrote:

> It would strike me that when a packet comes from the WinBox the 675 sees a
> packet with a source IP of 192.x.x.x and its local interfaces are within
> 10.x.x.x and . It would not know how to get back to the Win Box to respond.
> I haven't played with NIC 2 NIC traffic yet (or ipfw), but I ran into a
> problem when I first turned BSD into a gateway for NIC 2 ppp: it wasn't
> passing traffic between the interfaces. /etc/rc.conf
> GATEWaY_ENABLE="YES" fixed this though I believe. With NAT on the 675 I
> would feel comfortable with my systems being secure behind the 675 from any
> traffic that is initiated from the Internet; a static IP block without
> NAT on the 675 would need ipfw though. Some sort of NAT would have to occur
> on the BSD box (don't know if ipfw does this) to change the source IP of
> packets to the IP of fxp0, which would then get changed to the IP of wan0-0
> on the way out to the Internet; all this would have to happen in reverse
> (from the NAT tables) to get all the way back to the Win Box.
>
> Cain's $.02 worth
>
> ----- Original Message -----
> From: "Robert M. Shields"
> To:
> Sent: Wednesday, June 28, 2000 7:35 PM
> Subject: DSL / Routing / ipfw issues
>
> > Hello,
> >
> > I'm having issues with FreeBSD 3.2-STABLE and a newly acquired Cisco
> > 675 DSL router. What I'm trying to do is drop the BSD box in between
> > the 675 & my network to act as an IP firewall, with the topology looking
> > like such:
> >
> >   --------              --------                  -------             -----
> >  | MyLan| ------- pn0 | IPFW | fxp0 ----- eth0| Cisco|wan0-0 -----| ISP|
> >   --------              --------                  -------             -----
> >
> > My LAN has 3 other systems connected: 2 windoze clients & a FBSD
> > 3.2-stable box providing DNS (as a shadow domain), HTTP, FTP & telnet
> > services. The DNS is configured to provide lookups for my own shadow
> > domain, and forward anything else on to the ISP's DNS.
> >
> > pn0 has an internal IP address of 192.168.123.3
> > fxp0 has an external (to my client network) IP of 10.0.0.1
> > eth0 has an IP of 10.0.0.2
> > wan0-0 is set to DHCP an address from my ISP.
> >
> > Oh, and the 675 is set up for NAT.
> >
> > What I'd like to know is what is the best (i.e. simplest) possible
> > configuration for my ipfw in this situation. Would it be better to
> > bridge the two networks together and have ipfw filter packets, or can
> > this be done easily by routing packets between the two interfaces?
> >
> > I had routing set up to begin with and was able to ping the 675 from my
> > FreeBSD box (IP 192.168.123.1), but when I tried to ping the 675 from
> > both of my windoze systems, the packets timed out. (Yes, I had the
> > default gateway address of 192.168.123.3 set up in the windoze
> > networking config.)
> >
> > Also, what should the Cisco's & the firewall's routing tables look like
> > with this setup?
> >
> > I've read the online tutorials at freebsd.org & mostgraveconcern.com
> > (the cheat sheets), as well as relevant info in "TCP/IP Networking" &
> > "Building Internet Firewalls", both by O'Reilly, but it seems I'm on
> > information overload right now ...
> >
> > Oh, and my rc.firewall script looks almost similar to the one from the
> > cheat sheets. I'll post it if you need it.
> >
> > Any help is greatly appreciated.
> >
> > Thanks,
> >
> > Robert M. Shields

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
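Daniel's diagnosis (the 675 sees a 192.168.123.x source and has no route back to it unless the firewall translates or the 675 is told the route) can be traced with a small routing simulation. This is an added example, not code from either poster; the addresses are the ones in the thread, and the Windows client address 192.168.123.10 is assumed.

```python
import ipaddress

# Constructed topology from the thread: Windows host on the LAN behind pn0,
# FreeBSD firewall with pn0 192.168.123.3 / fxp0 10.0.0.1, Cisco 675 eth0 10.0.0.2.
LAN = ipaddress.ip_network("192.168.123.0/24")
DMZ = ipaddress.ip_network("10.0.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
WIN_BOX = ipaddress.ip_address("192.168.123.10")   # assumed Windows client
FXP0 = ipaddress.ip_address("10.0.0.1")
CISCO_ETH0 = ipaddress.ip_address("10.0.0.2")

def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next hop or interface)."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def ping_from_lan(fw_nat, cisco_static_route):
    """Trace an echo request from the Windows host to the 675 and its reply.

    fw_nat:             natd on fxp0 rewrites the source to fxp0's address
    cisco_static_route: the 675 has a route for 192.168.123.0/24 via 10.0.0.1
    """
    # The firewall forwards pn0 -> fxp0 (gateway_enable="YES" in rc.conf).
    src = WIN_BOX
    nat_table = {}
    if fw_nat:
        nat_table[FXP0] = WIN_BOX        # remember whom to untranslate for
        src = FXP0
    # What the 675 knows: its local Ethernet and a default route out wan0-0.
    cisco_routes = [(DMZ, "eth0"), (DEFAULT, "wan0-0")]
    if cisco_static_route:
        cisco_routes.append((LAN, str(FXP0)))
    # The reply is addressed to whatever source the 675 saw in the request.
    hop = lookup(cisco_routes, src)
    if hop == "wan0-0":
        return "lost: reply to %s sent toward the ISP" % src
    if hop == "eth0" and src in nat_table:
        return "delivered: natd on fxp0 maps %s back to %s" % (src, nat_table[src])
    if hop == str(FXP0):
        return "delivered: 675 routes %s via the firewall" % src
    return "lost: no path back to %s" % src

if __name__ == "__main__":
    for nat, route in [(False, False), (True, False), (False, True)]:
        print("nat=%s static_route=%s -> %s" % (nat, route, ping_from_lan(nat, route)))
```

The first case is the symptom in the thread (reply swallowed by the default route); the other two are the two ways out, NAT on the FreeBSD box or a static route on the 675.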