From: Axel Scheepers
To: Jimmy
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter+ipfw
Date: Mon, 29 Apr 2002 14:03:45 +0200
Message-ID: <20020429140344.E61218@mars.thuis>
In-Reply-To: <20020426143406.5d9ede72.jimmy@tricom.com.ph>

On Fri, Apr 26, 2002 at 02:34:06PM +0800, Jimmy wrote:
> Hi,
>
> I've configured my FreeBSD-4.5-STABLE firewall host, and I installed 4 NIC cards on it, and I'm using ipfilter to NAT and packet filter & ipfw to bridge and as a traffic shaper. Here is the list of my NIC cards:
>
> fxp0=localnet1(192.168.100.0/24)nat
> xl0=external interface connected to dsl modem
> xl1=localnet2(192.168.200.0/24)nat
> xl2=filter bridge to xl0
>
> The outside world can see my host connected to the bridge NIC and vice versa, except my localnet1 and localnet2. Did I miss something in my configuration? How can I connect my localnet1 & 2 to talk to the host connected to xl2, which is being bridged?

Hi,

It is generally a bad idea to mix ipf and ipfilter: the ipfilter and ipnat combo works directly on the kernel tables, while ipf runs in userspace and is thus somewhat slower.
The 192.168.x.x addresses aren't routed on the Internet, and must be remangled to the modem's IP (NAT). This seems to go wrong. At my place I have ipfilter/ipnat, where ipnat does the following:

map 192.168.0.0/16 -> 0/32 portmap auto
map 192.168.0.0/16 -> 0/32 proxy ftp
rdr 0.0.0.0/0 port 80 -> 192.168.0.5 port 80

which directs all traffic to another host in my local LAN. You can use tcpdump to see what packets are being forwarded (did you sysctl -w net.inet.ip.forwarding=1?). A couple of extra debug-generating rules isn't bad either, to see what gets denied and what goes through. Probably the best solution is to stick with one of the two firewalls, instead of using both at the same time.

>
> TIA,
>
> Jimmy
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Gr,
--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       a.scheepers@iae.nl
http://axel.truedestiny.net/~axel
------------------------------------------
A fanatic is one who can't change his mind and won't change the subject.
-- Winston Churchill
------------------------------------------
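As an added example (not from Axel's or Jimmy's mail), here is an ipnat and ipf rule set for the four-NIC layout Jimmy describes: both private subnets are NATed out through xl0, and the filter rules log what they block so ipmon shows which packets are being denied, as Axel suggests. The internal web server address 192.168.100.5 and the two file paths are assumptions.

```conf
# /etc/ipnat.rules (assumed path): NAT both private subnets out via xl0.
# "0/32" means "use whatever address xl0 currently holds" (DSL, possibly dynamic).
# Rule order matters: the ftp proxy and tcp/udp portmap rules come first, the
# bare map rule last catches everything else (icmp, gre, ...).
map xl0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.100.0/24 -> 0/32
map xl0 192.168.200.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.200.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.200.0/24 -> 0/32
# Inbound port 80 on xl0 is redirected to an assumed internal web server.
rdr xl0 0.0.0.0/0 port 80 -> 192.168.100.5 port 80 tcp

# /etc/ipf.rules (assumed path). ipf uses last-match semantics unless a rule
# says "quick", so the two logged default-deny rules at the top catch anything
# no later "pass ... quick" rule accepts, and ipmon shows every such drop.
block in log all
block out log all
# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all
# LAN hosts on fxp0 and xl1 may initiate connections; the state entry lets
# the return traffic back in without a separate rule.
pass in quick on fxp0 from 192.168.100.0/24 to any keep state
pass in quick on xl1 from 192.168.200.0/24 to any keep state
# Outbound on the external interface: only sessions we started. Outbound
# packets are filtered before NAT, so the private source addresses are still
# visible here; "from any" covers both subnets.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
# Inbound on xl0: NAT (the rdr above) runs before filtering, so the packet
# already carries the internal destination when this rule sees it.
pass in quick on xl0 proto tcp from any to 192.168.100.5 port = 80 flags S keep state
# Anything else arriving on xl0 falls through to the logged block above.
```

Load with ipnat -CF -f /etc/ipnat.rules and ipf -Fa -f /etc/ipf.rules (with net.inet.ip.forwarding=1 set), then run ipmon to watch the logged blocks and ipnat -l to check that the map entries are actually being created for the LAN hosts.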