Date: Sat, 19 Aug 2000 23:34:58 -0700 (PDT)
From: Todd Backman <todd@flyingcroc.net>
To: Dan Debertin <airboss@bitstream.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Routing firewall w/ipfw questions
Message-ID: <Pine.BSF.4.21.0008192313240.27785-100000@security1.noc.flyingcroc.net>
In-Reply-To: <Pine.SGI.4.21.0008192238200.11137-100000@copper.air-boss.net>
On Sat, 19 Aug 2000, Dan Debertin wrote:

> First, as this is not exactly security-related, a better forum for this is
> -net (or -questions, but that list tends to have more questions than
> answers ;).

My bad. Moving to -net... thanks for the tap.

> Now, on to your question:
>
> > Question:
> > Is my reasoning flawed in regards to the routing portion of this setup?
>
> Your subnetting plan looks fine to me. One thing that strikes me, though,
> is that you need to have a router on the external side who knows that your
> FreeBSD box is the next-hop router for the post-firewall /24. Is there
> such a router in your setup? For example, let's say that your firewall's
> external interface is 1.1.1.6/29, and the internal is 1.1.2.1/24. There
> should be a router with an interface on the 1.1.1.0/29 subnet that "knows"
> that 1.1.2.0/24 is reached via 1.1.1.6. In Cisco syntax this would be
>
> ip route 1.1.2.0 255.255.255.0 1.1.1.6
>
> or via the UNIX "route" command:
>
> route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6

Yes, that was done and verified.

> Also, make sure you have a default gateway on your firewall pointing to
> that external router. I am also assuming you've done the basic lower-layer
> checks for link lights, cable integrity, etc.

Yes.

> > Thanks for any help you might provide. Upon successful completion of this
> > project I will document all *correct* procedures and post, as I have not
> > found any documentation on setting ipfw up for protecting an internal /24
> > with a different subnet on the outside interface.
>
> We've been doing this successfully for quite some time, so I assure you
> it's fairly standard ;).

;^) I could not find any documentation regarding this type of setup other
than the "simple" section of rc.firewall. I will ditch my rules tomorrow,
leave everything open, then try the routing again. The main thing that I
wanted to find out was: is the routing plan correct? (Just had to rule it
out, as I am not the route man I would like to be... if they would only
issue me another 24 hrs in a day I would be fine ;^)

It had me baffled: when working with the guy on the inside net during
testing, he could gain access to and from the outside (due to his first
established connection), but no access from the outside could be
established, even after adding as the last ruleset:

allow ip from any to any

Something to be said about "starting over" ;^)

Thanks for your help, Dan.

- Todd

> ~Dan D.
> --
> ++ Dan Debertin
> ++ Senior Systems Administrator
> ++ Bitstream Underground, LLC
> ++ airboss@bitstream.net
> ++ (612)321-9290
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
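The following POSIX sh script is an added example and is not part of the thread or of FreeBSD; it is written here to make two points in the exchange concrete. First, it checks the addressing plan Dan sketches (external interface 1.1.1.6/29, internal 1.1.2.0/24, upstream router holding a static route for 1.1.2.0/24 via 1.1.1.6): the upstream router's address, taken here as 1.1.1.1, is an assumption since the thread never names it. Second, it models ipfw's first-match evaluation over a constructed three-rule set to show why Todd's "allow ip from any to any" appended as the last rule could not let outside-initiated traffic in: an earlier matching deny decides the packet and the final allow is never consulted. The rule set and the outside address 198.51.100.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-checks the routing plan
# (ext 1.1.1.6/29, int 1.1.2.0/24, upstream gw assumed 1.1.1.1) and models
# ipfw first-match semantics over a constructed rule set.

# Dotted quad to integer, e.g. 1.1.1.6 -> 16843014.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Prefix length to integer netmask, e.g. 29 -> 4294967288 (0xFFFFFFF8).
prefix_to_mask() {
    echo $(( (4294967295 >> (32 - $1)) << (32 - $1) ))
}

# Network number (as integer) of ip/prefix.
network_of() {
    echo $(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
}

# Succeeds when address $1 lies inside the subnet $2/$3.
in_subnet() {
    [ "$(network_of "$1" "$3")" -eq "$(network_of "$2" "$3")" ]
}

# Succeeds when net1/p1 and net2/p2 overlap (compared at the shorter prefix).
overlaps() {
    p=$2; [ "$4" -lt "$p" ] && p=$4
    [ "$(network_of "$1" "$p")" -eq "$(network_of "$3" "$p")" ]
}

# check_plan ext_ip ext_prefix int_net int_prefix upstream_gw
# The upstream router's static route for int_net points at ext_ip, which
# only works if upstream_gw and ext_ip share the external subnet and the
# internal net does not collide with it. The FreeBSD box itself must also
# forward packets (gateway_enable="YES" in rc.conf, i.e. the sysctl
# net.inet.ip.forwarding=1), and carry a default route via upstream_gw.
check_plan() {
    in_subnet "$5" "$1" "$2" || { echo "gateway $5 is not on the external subnet $1/$2"; return 1; }
    overlaps "$1" "$2" "$3" "$4" && { echo "internal net $3/$4 overlaps external $1/$2"; return 1; }
    echo "plan ok: upstream needs a route for $3/$4 via $1; firewall needs default via $5"
}

# Minimal model of ipfw first-match evaluation. Rules are "num action src dst"
# with src/dst as net/prefix or "any"; the first rule whose src and dst both
# match decides the packet and later rules are never consulted.
match_addr() {   # pattern ip
    [ "$1" = any ] && return 0
    in_subnet "$2" "${1%/*}" "${1#*/}"
}
ipfw_decide() {  # rules_text src_ip dst_ip -> prints "num action" of the deciding rule
    echo "$1" | while read -r num action src dst; do
        [ -z "$num" ] && continue
        if match_addr "$src" "$2" && match_addr "$dst" "$3"; then
            echo "$num $action"; break
        fi
    done
}

# Constructed rule set in the shape Todd describes: a deny that matches
# inbound traffic to the inside net sits before the allow-any that was
# appended as the last rule.
RULES="100 allow 1.1.2.0/24 any
200 deny any 1.1.2.0/24
65000 allow any any"

check_plan 1.1.1.6 29 1.1.2.0 24 1.1.1.1
ipfw_decide "$RULES" 1.1.2.50 198.51.100.7   # inside -> outside: rule 100 allows
ipfw_decide "$RULES" 198.51.100.7 1.1.2.50   # outside -> inside: rule 200 denies, 65000 never reached
```

The useful habit this models is to read `ipfw list` top to bottom for the first rule that matches the failing flow, rather than appending permissive rules at the bottom; on the routing side, `netstat -rn` on the firewall and the equivalent on the upstream router confirm the two routes `check_plan` names.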