Date:      Fri, 04 Aug 2000 12:42:02 -0700
From:      Kent Stewart <kstewart@urx.com>
To:        Ruslan Ermilov <ru@sunbay.com>
Cc:        rshea@opendoor.co.nz, freebsd-questions@FreeBSD.ORG
Subject:   Re: NATD/"spoofing" and IPFW
Message-ID:  <398B1C8A.7C18B12D@urx.com>
References:  <200008040857.e748va105786@deborah.paradise.net.nz> <20000804171753.A522@sunbay.com>



Ruslan Ermilov wrote:
> 
> On Fri, Aug 04, 2000 at 08:47:34PM +1200, rshea@opendoor.co.nz wrote:
> > Hi - I'm new to FreeBSD and trying to make my FreeBSD machine
> > act as a gateway/firewall to the office LAN. The connection to the
> > i'net is via a cable modem with a fixed IP address. I am using
> > IPFW as the firewall and in rc.conf I have set firewall_type to
> > "simple". The machines on the LAN use addresses in the range
> > 192.168.10.xx.
> >
> > I 'borrowed' my firewall rules (I've tagged them onto the bottom of
> > this email) from the very helpful site ...
> >
> > http://www.mostgraveconcern.com/freebsd/
> >
> > ... but I find that machines within the LAN (W9x machines FWIW)
> > cannot 'get out' if I retain the rules
> >
> > ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> >
> For a detailed description of your problem, please see
>   http://www.freebsd.org/cgi/query-pr.cgi?pr=13769
> 
> For a fix, please see
>   http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall.diff?r1=1.35&r2=1.36

I ended up using a "draft-manning-dsua-01.txt nets" during the Win
2000 beta because that is what RRAS/nat required at the time and left
it. At any rate, the draft-manning networks could also be using NATd.

I ended up using the dual homed setup from
http://www.mostgraveconcern.com/freebsd/ipfw.html because it worked
and the examples in /etc/rc.firewall didn't. When you are starting
out, you don't have a clue what is wrong. It just doesn't work. The
write up in "The Complete FreeBSD" was a step back from the /etc
example because it assigned 6668 to the divert instead of 8668 and
that change made it even worse.

I will try this and see what happens. It looks like a generic fix that
would work after a cvsup. While I'm at it, I will probably straighten
out my mess and use one of the "RFC1918 nets". It doesn't get any easier
and they keep biting me.

Kent

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
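The symptom in the quoted question (LAN hosts cannot get out while the two `deny ... 192.168.0.0/16 ... via ${oif}` rules are present) comes from ipfw's first-match evaluation: an outbound packet from a LAN host still carries its private source address until the `divert natd` rule rewrites it, so if the anti-spoofing deny rules sit before the divert rule they match the untranslated packet first. The toy model below is an illustration added here, not FreeBSD code and not the rc.firewall diff linked in the reply; the interface name `ed0`, the public address `203.0.113.7`, the packets and the natd behaviour are constructed assumptions, and the "fixed" ordering is my reconstruction of one ordering that avoids the problem while keeping spoofed private sources blocked.

```python
"""Toy first-match model of ipfw rule evaluation (added illustration, not
FreeBSD code). It shows why the "deny ... 192.168.0.0/16 ... via ${oif}"
rules stop LAN hosts from getting out when they are evaluated before the
natd divert rule. Interface names, addresses and packets are constructed."""
import ipaddress

OIF = "ed0"                  # assumed outside interface (${oif})
PUBLIC_IP = "203.0.113.7"    # assumed fixed cable-modem address (documentation range)
LAN = ipaddress.ip_network("192.168.0.0/16")


def rule(action, src, dst, via=None):
    """Build a rule: src/dst are 'any' or a CIDR string; via is an interface or None."""
    to_net = lambda a: a if a == "any" else ipaddress.ip_network(a)
    return {"action": action, "src": to_net(src), "dst": to_net(dst), "via": via}


def matches(r, pkt):
    """True when the rule's source, destination and interface selectors all match."""
    in_net = lambda sel, ip: sel == "any" or ipaddress.ip_address(ip) in sel
    return (in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"])
            and r["via"] in (None, pkt["iface"]))


def natd(pkt, table):
    """Minimal natd stand-in: rewrite private sources on the way out (remembering
    the peer so the reply can be mapped back); anything else passes unchanged."""
    p = dict(pkt)
    if p["dir"] == "out" and ipaddress.ip_address(p["src"]) in LAN:
        table[p["dst"]] = p["src"]          # toy: one mapping per remote peer
        p["src"] = PUBLIC_IP
    elif p["dir"] == "in" and p["dst"] == PUBLIC_IP and p["src"] in table:
        p["dst"] = table[p["src"]]
    return p


def evaluate(rules, pkt, table=None):
    """First match wins; a 'divert' hands the packet to natd and evaluation
    continues at the next rule with the (possibly rewritten) packet.
    Returns (verdict, final packet)."""
    table = {} if table is None else table
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd(pkt, table)
            continue
        return r["action"], pkt
    return "deny", pkt                      # ipfw's default rule 65535 denies


DENY_FROM_LAN = rule("deny", "192.168.0.0/16", "any", OIF)
DENY_TO_LAN = rule("deny", "any", "192.168.0.0/16", OIF)
DIVERT = rule("divert", "any", "any", OIF)
ALLOW = rule("allow", "any", "any")

# Order the poster hit: both anti-spoof rules before the divert.
BROKEN = [DENY_FROM_LAN, DENY_TO_LAN, DIVERT, ALLOW]
# One ordering that works (my reconstruction, not a copy of the rc.firewall
# diff): drop packets *to* private space before NAT, translate, then drop
# packets still claiming a private *source* on the outside interface.
FIXED = [DENY_TO_LAN, DIVERT, DENY_FROM_LAN, ALLOW]


def lan_egress(rules):
    """A LAN host talking to an outside server through the outside interface."""
    pkt = {"src": "192.168.10.5", "dst": "198.51.100.9", "iface": OIF, "dir": "out"}
    return evaluate(rules, pkt)[0]


def spoofed_ingress(rules):
    """An outside packet claiming a 192.168.x.x source: must stay denied."""
    pkt = {"src": "192.168.10.5", "dst": PUBLIC_IP, "iface": OIF, "dir": "in"}
    return evaluate(rules, pkt)[0]


def reply_ingress(rules):
    """The server's reply to the NAT'd flow: should be mapped back and allowed."""
    table = {}
    evaluate(rules, {"src": "192.168.10.5", "dst": "198.51.100.9",
                     "iface": OIF, "dir": "out"}, table)
    reply = {"src": "198.51.100.9", "dst": PUBLIC_IP, "iface": OIF, "dir": "in"}
    return evaluate(rules, reply, table)


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: LAN egress={lan_egress(rules)}, "
              f"spoofed ingress={spoofed_ingress(rules)}, "
              f"reply={reply_ingress(rules)[0]}")
```

With the poster's ordering the LAN host's packet is denied before it ever reaches natd; with the divert placed between the "to private" and "from private" rules the outbound packet is translated and allowed, the reply is mapped back to the LAN host, and a packet arriving on the outside interface with a forged private source is still dropped.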

