Date:      Wed, 06 Jul 2011 11:43:54 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Marek Salwerowicz <marek_sal@wp.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw + 2 LANs
Message-ID:  <669B9148-C9D2-41F3-B050-F4C9DE928380@mac.com>
In-Reply-To: <4e14a2ed555a94.24022420@wp.pl>
References:  <4e14a2ed555a94.24022420@wp.pl>

On Jul 6, 2011, at 11:01 AM, Marek Salwerowicz wrote:
> The idea is to share the Internet connection to both networks, and block any traffic between them.
> 
> I was trying to set up the firewall like this:
> 
> #!/bin/sh
> 
> cmd="ipfw -q"
> 
> $cmd flush
> 
> $cmd add 50 check-state
> 
> $cmd add 80 divert natd ip from any to any via em0
> 
> $cmd add 100 allow ip from any to me
> $cmd add 101 allow ip from me to any
> 
> $cmd add 200 allow ip from 10.0.1.0/24 to 10.0.0.0/24 keep-state
> $cmd add 300 allow ip from 10.0.2.0/24 to 10.0.0.0/24 keep-state
> 
> But it doesn't really work for me

These rules don't provide any means for LAN traffic to pass outside, just traffic to and from the firewall and to and from the 10.0.1.0/24 & 10.0.2.0/24 subnets.

> when I set at the end:
> 
> $cmd add 500 allow ip from any to any

Yes, but that's too broad.  Try more like:

$cmd add 500 deny ip from 10.0.1.0/24 to 10.0.2.0/24
$cmd add 510 deny ip from 10.0.2.0/24 to 10.0.1.0/24
$cmd add 520 allow ip from any to any

Again, rule 520 is also too broad, but you can test and confirm this is allowing NAT traffic to and from the Internet, but blocking the subnets from communicating.  If that is working, replace 520 with more narrowly tailored allow and deny rules.

Regards,
-- 
-Chuck