From owner-freebsd-questions Sat May 15 11:20:57 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from almazs.pacex.net (almazs.pacex.net [204.1.219.156]) by hub.freebsd.org (Postfix) with ESMTP id 2873914E4E for ; Sat, 15 May 1999 11:20:52 -0700 (PDT) (envelope-from danielb@almazs.pacex.net)
Received: from localhost (danielb@localhost) by almazs.pacex.net (8.9.2/8.9.2) with SMTP id LAA07815 for ; Sat, 15 May 1999 11:20:52 -0700 (PDT)
Date: Sat, 15 May 1999 11:20:52 -0700 (PDT)
From: daniel B
To: freebsd-questions@freebsd.org
Subject: RE: natd and ipfw woes!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi list;

Please read this, you may have the key to end my grief!

I have a network that looks like this:

Internet-----[ router ]---[ep1 firewall/gateway ep0]---[ LAN ]
router=204.1.215.219---ep1=204.1.215.131----ep0=10.0.0.1---LAN= real IPs

ep1 is the external interface with a real IP.
ep0 is the internal interface with a dummy IP: you can't have two NICs in the same subnet, so I gave it a fake IP which the outside won't notice.
All machines in the LAN have real IPs.
Everything is in the same subnet, a /27.

I am trying to use ipfw with natd on a FreeBSD 3.1-R firewall/gateway.

Kernel configured for:
options IPFIREWALL_VERBOSE
options BRIDGE
options IPDIVERT

sysctl setup:
net.inet.ip.forwarding=1
net.link.ether.bridge=0          # not sure what the relevance is here
net.link.ether.bridge_ipfw=0     # same here, is this relevant to my setup?

/etc/rc.conf:
gateway_enable=YES
firewall_enable=YES
natd_enable=YES
firewall_type=open

FIREWALL RULES:
$fwcmd add 201 divert natd all from any to any via ep1
$fwcmd add 202 pass all from any to any

/etc/services ----> natd 8668/divert

I want my inside LAN machines to keep their real IPs and want to firewall them from the outside world. BUT it does not seem to work with this setup!

Every time I try to ping the router from the gateway I get `permission denied'. I can ping both NICs on the gateway from the machine itself but NOT from the LAN. When I ping/telnet to the LAN from the gateway I get `permission denied'.

What am I doing wrong??

Thanks for your help
Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
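A "permission denied" from ping or telnet on an ipfw host is the kernel reporting that some rule rejected the locally generated packet, and the per-rule packet counters shown by `ipfw -a list` are the quickest way to find which one. The following is an added example, not code from the poster or from FreeBSD: it parses constructed `ipfw -a list` output (the counter values are made up) and reports which deny rules have matched and which rules have never been hit, so the same functions can be pointed at the real listing on the gateway.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output for the ruleset in the post
# (rule 201 = natd divert, 202 = pass all, 65535 = kernel default deny).
# Columns: rule number, packet count, byte count, action, body.
# The counters are invented for illustration only.
SAMPLE_IPFW='00100      40       3360 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00201      31       2604 divert 8668 ip from any to any via ep1
00202      19       1596 allow ip from any to any
65535       4        336 deny ip from any to any'

# Print the numbers of deny rules whose packet counter is non-zero.
# ipfw is first-match, so one of these is what produced "permission denied".
hit_denies() {
    printf '%s\n' "$1" | awk '$4 == "deny" && $2 > 0 { print $1 }'
}

# Print the numbers of rules that have never matched anything. A divert rule
# sitting at zero means natd is not seeing any traffic through that rule.
zero_hit_rules() {
    printf '%s\n' "$1" | awk '$2 == 0 { print $1 }'
}

# On the gateway itself, reset the counters, repeat the failing ping, then
# run the same checks against live output (commands shown, not executed here):
#   ipfw zero && ping -c 1 204.1.215.219
#   hit_denies "$(ipfw -a list)"
#   zero_hit_rules "$(ipfw -a list)"
hit_denies "$SAMPLE_IPFW"
zero_hit_rules "$SAMPLE_IPFW"
```

A non-zero counter on rule 65535 means traffic fell through every explicit rule; a deny rule added by the `open` template in /etc/rc.firewall would show up the same way.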