From: Armin Pirkovitsch
Date: Sat, 23 Sep 2006 15:41:05 +0200
To: ExTaZyTi
Cc: freebsd-questions@freebsd.org
Subject: Re: Please Help, My natd/firewall Not Work :(
Message-ID: <45153971.90406@inode.at>
In-Reply-To: <468d29450609230242r4c3f6d0w5f1a24d11d604bd3@mail.gmail.com>

ExTaZyTi wrote:
> Hi again,
>
> I have a problem with my network. I use 2 network cards in my FreeBSD
> computer and 1 network card in WinXP Prof SP2. One of the network cards,
> rl0, is my real static IP address with DHCP; the second network card,
> rl1, is my local gateway IP: 192.168.0.1.
> I don't set the gateway for rl1, just IP 192.168.0.1, DNS from the ISP,
> mask 255.255.255.0.
> I precompiled my kernel with options FIREWALL, IPDIVER,
> IPFIREWALL_DEFAULT_TO_ACCEPT, IPFIREWALL_VERBOSE.
> ---------
> my /etc/rc.conf is:
> ---------
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/firewall.sh"
> natd_enable="YES"
> natd_interface="rl1"
> natd_flags=""
> sendmail_enable="NONE"
> hostname="root.extremebg.biz"
> ifconfig_rl0="DHCP"
> linux_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> inetd_enable="NO"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> hostname="root.extremebg.biz"
> ---------
> my /etc/firewall.sh is:
> ---------
> #!/bin/sh
> /sbin/ipfw -f flush
> /sbin/ipfw add 1000 pass all from any to any via lo0
> /sbin/ipfw add 1100 deny all from any to 127.0.0.0/8
> /sbin/ipfw add 1200 deny icmp from any to any frag
> /sbin/ipfw add 1300 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
> /sbin/ipfw add 1400 deny tcp from any to any not established tcpflags fin
> /sbin/ipfw add 1500 deny tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
> /sbin/ipfw add 1600 deny tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
> /sbin/ipfw add 4000 deny udp from any 137-139 to any via rl0
> /sbin/ipfw add 4100 deny udp from any to any 137-139 via rl0
> /sbin/ipfw add 5000 divert natd ip from 192.168.0.0:255.255.255.128 to any out xmit rl1
> /sbin/ipfw add 5100 divert natd ip from any to 192.168.0.1

You should have a look at http://www.freebsddiary.org/ipfw.php - especially
the natd divert part (your divert uses the wrong interface imho).

> /sbin/ipfw add 5500 deny all from 192.168.0.0/24 to not 192.168.0.0/2480,21,443
> /sbin/ipfw add 600 allow all from any to any

I guess the last rule was just for test purposes; if not - the first rule
that matches takes it - which means rule number 600 would "kill" your whole
firewall.

> ---------
> my ifconfig is:
> ---------
> rl0: flags=8843 mtu 1500
>         options=8
>         inet6 fe80::2c0:26ff:fe5e:72a4%rl0 prefixlen 64 scopeid 0x1
>         inet 85.239.153.142 netmask 0xffffff80 broadcast 85.239.153.255
>         ether 00:c0:26:5e:72:a4
>         media: Ethernet autoselect (100baseTX )
>         status: active
> rl1: flags=8843 mtu 1500
>         options=8
>         inet6 fe80::2e0:4cff:fe3c:f2f%rl1 prefixlen 64 scopeid 0x2
>         inet 192.168.0.1 netmask 0xffffff80 broadcast 192.168.0.127
>         ether 00:e0:4c:3c:0f:2f
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=108810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> ---------
> my /etc/sysctl.conf is:
> ---------
> net.inet.ip.forwarding=1
> ---------
> My network ISP gateway is 85.239.153.129, submask 255.255.255.128, my
> static real IP is 85.239.153.142, my ISP DNS server is 85.239.155.1.
> ---------
>
> My PC starts natd successfully, and other services ..
> --
>
> My WinXP network configuration is:
>
> DNS 85.239.155.1, gateway 192.168.0.1, mask 255.255.255.0, IP address
> 192.168.0.2.
>
> I connected my computers in a LAN, but no traffic is going from my FreeBSD
> to the Windows :(
> I don't know how to route traffic from FreeBSD to the Windows :(
> please help

-- 
Armin Pirkovitsch
a.pirko@inode.at
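To make the two points in the reply concrete, here is an added example (not code from the thread) that simulates ipfw's first-match evaluation over the address, interface and direction parts of the posted ruleset: rule 600 is hit before anything else, and once it is removed a WinXP-to-ISP packet is denied by rule 5500 on both legs through the gateway without ever reaching divert rule 5000, which is bound to outbound rl1. Ports and tcpflags are left out; the addresses are the ones from the mail.

```python
"""First-match simulator for the ipfw ruleset quoted in the mail above.

Constructed example: only the address/interface/direction parts of the rules
are modelled; port- and tcpflags-based rules are left out.
"""
from ipaddress import ip_address, ip_network

# (number, action, proto, src, dst, iface, direction) - numbers from the poster's
# firewall.sh, listed in the order the script adds them. "*" = any, a leading
# "!" = "not", direction None = in or out.
POSTED_RULES = [
    (1000, "allow",  "ip", "*",              "*",               "lo0", None),
    (1100, "deny",   "ip", "*",              "127.0.0.0/8",     "*",   None),
    (5000, "divert", "ip", "192.168.0.0/25", "*",               "rl1", "out"),
    (5100, "divert", "ip", "*",              "192.168.0.1/32",  "*",   None),
    (5500, "deny",   "ip", "192.168.0.0/24", "!192.168.0.0/24", "*",   None),
    (600,  "allow",  "ip", "*",              "*",               "*",   None),
]

def _addr_ok(spec, addr):
    if spec == "*":
        return True
    inside = ip_address(addr) in ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def _rule_hits(rule, pkt):
    _, _, proto, src, dst, iface, direction = rule
    return (proto in ("ip", pkt["proto"]) and _addr_ok(src, pkt["src"])
            and _addr_ok(dst, pkt["dst"]) and iface in ("*", pkt["iface"])
            and direction in (None, pkt["dir"]))

def first_match(rules, pkt):
    """ipfw walks rules in ascending number order and stops at the first hit;
    the order in which the script added them is irrelevant."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if _rule_hits(rule, pkt):
            return rule[0], rule[1]
    return 65535, "allow"   # poster's kernel has IPFIREWALL_DEFAULT_TO_ACCEPT

def trace_lan_to_internet(rules):
    """Decisions for a WinXP (192.168.0.2) -> ISP DNS (85.239.155.1) packet on
    its two legs through the gateway: arriving on rl1, then leaving on rl0."""
    legs = [("in", "rl1"), ("out", "rl0")]
    return [first_match(rules, {"proto": "udp", "src": "192.168.0.2",
                                "dst": "85.239.155.1", "dir": d, "iface": i})
            for d, i in legs]
```

With rule 600 present every packet is allowed untranslated; without it the same packet dies at 5500, and neither leg ever hits a divert rule because 5000 only looks at traffic leaving via rl1.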