From: "Marek Salwerowicz" <marek_sal@wp.pl>
To: freebsd-net@freebsd.org
Date: Wed, 06 Jul 2011 20:01:17 +0200
Subject: ipfw + 2 LANs
Message-ID: <4e14a2ed555a94.24022420@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I have two separate LANs (one 10.0.1.0/24 and the other 10.0.2.0/24).
Both are connected to a FreeBSD 8.2 router (interfaces em1 and em2). To em0 I have my ISP (10.0.0.0/24) connected.
The idea is to share the Internet connection with both networks and block any traffic between them.

I was trying to set up the firewall like this:

    #!/bin/sh
    cmd="ipfw -q"
    $cmd flush
    $cmd add 50 check-state
    $cmd add 80 divert natd ip from any to any via em0
    $cmd add 100 allow ip from any to me
    $cmd add 101 allow ip from me to any
    $cmd add 200 allow ip from 10.0.1.0/24 to 10.0.0.0/24 keep-state
    $cmd add 300 allow ip from 10.0.2.0/24 to 10.0.0.0/24 keep-state

But it doesn't really work for me. When I set at the end:

    $cmd add 500 allow ip from any to any

it works, but it also allows traffic between the LANs.

Regards,
--
Marek Salwerowicz
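One way to get the behaviour the post asks for, as an added example that is not the poster's script: keep the posted rules as they are and insert two explicit deny rules between the LANs, numbered below the catch-all allow so they match first (ipfw stops at the first matching rule). The IPFW variable and the print/count helpers are assumptions added here so the generated rule list can be reviewed without running ipfw as root.

```shell
#!/bin/sh
# Added example (not the poster's script): the posted ipfw rules plus two
# deny rules between the LANs placed before the catch-all allow at 500.
# IPFW is overridable (set to "echo") so the rule list can be reviewed
# without installing it; the poster's script used a fixed "ipfw -q".
IPFW="${IPFW:-ipfw -q}"
LAN1="10.0.1.0/24"   # LAN on em1 (from the post)
LAN2="10.0.2.0/24"   # LAN on em2 (from the post)

apply_rules() {
    $IPFW flush
    $IPFW add 50 check-state
    $IPFW add 80 divert natd ip from any to any via em0
    $IPFW add 100 allow ip from any to me
    $IPFW add 101 allow ip from me to any
    # Drop LAN-to-LAN traffic in both directions before any rule allows it.
    # "deny log" instead of "deny" would also record blocked attempts.
    $IPFW add 150 deny ip from "$LAN1" to "$LAN2"
    $IPFW add 151 deny ip from "$LAN2" to "$LAN1"
    $IPFW add 200 allow ip from "$LAN1" to 10.0.0.0/24 keep-state
    $IPFW add 300 allow ip from "$LAN2" to 10.0.0.0/24 keep-state
    $IPFW add 500 allow ip from any to any
}

# Emit the rules as text instead of installing them (review mode, assumed helper).
print_rules() {
    ( IPFW=echo; apply_rules )
}

# Number of deny rules in the generated set (expected: 2).
count_deny_rules() {
    print_rules | grep -c ' deny '
}

# Rule number of the first deny rule; it must be lower than the catch-all 500.
first_deny_rule() {
    print_rules | awk '/ deny /{print $2; exit}'
}

case "${1:-}" in
    apply) apply_rules ;;   # install the ruleset (needs root on the router)
    *) print_rules ;;       # default: just show what would be installed
esac
```

Run it with no arguments to review the generated rules, and with "apply" on the router to install them.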