From: Kent Stewart
Reply-To: kstewart@urx.com
Organization: Dynacom
Date: Fri, 04 Aug 2000 12:42:02 -0700
To: Ruslan Ermilov
Cc: rshea@opendoor.co.nz, freebsd-questions@FreeBSD.ORG
Subject: Re: NATD/"spoofing" and IPFW

Ruslan Ermilov wrote:
>
> On Fri, Aug 04, 2000 at 08:47:34PM +1200, rshea@opendoor.co.nz wrote:
> > Hi - I'm new to FreeBSD and trying to make my FreeBSD machine
> > act as a gateway/firewall to the office LAN. The connection to the
> > i'net is via a cable modem with a fixed IP address. I am using
> > IPFW as the firewall and in rc.conf I have set firewall_type to
> > "simple". The machines on the LAN use addresses in the range
> > 192.168.10.xx.
> >
> > I 'borrowed' my firewall rules (I've tagged them onto the bottom of
> > this email) from the very helpful site ...
> >
> > http://www.mostgraveconcern.com/freebsd/
> >
> > ... but I find that machines within the LAN (W9x machines FWIW)
> > cannot 'get out' if I retain the rules
> >
> > ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
> >
> For a detailed description of your problem, please see
> http://www.freebsd.org/cgi/query-pr.cgi?pr=13769
>
> For a fix, please see
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall.diff?r1=1.35&r2=1.36

I ended up using a "draft-manning-dsua-01.txt net" during the Win 2000
beta because that is what RRAS/NAT required at the time, and left it.
At any rate, the draft-manning networks could also be using NATd.

I ended up using the dual-homed setup from
http://www.mostgraveconcern.com/freebsd/ipfw.html because it worked and
the examples in /etc/rc.firewall didn't. When you are starting out, you
don't have a clue what is wrong. It just doesn't work. The write-up in
"The Complete FreeBSD" was a step back from the /etc example because it
assigned 6668 to the divert instead of 8668, and that change made it
even worse.

I will try this and see what happens. It looks like a generic fix that
would work after a cvsup. While I'm at it, I will probably straighten
out my mess and use one of the "RFC1918 nets". It doesn't get any
easier, and they keep biting me.

Kent
--
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
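The point behind the PR and the rc.firewall change Ruslan cites is rule ordering: ipfw evaluates rules first-match, and a packet that natd(8) has translated re-enters the rule list at the rule after the divert. If the "deny all from 192.168.0.0/16 to any via ${oif}" check sits above the divert, an outbound LAN packet is still carrying its private source address when it reaches that check and is dropped before natd ever sees it. The following simulator is an added example written for this page, not code from the thread, rc.firewall, or ipfw itself. It models first-match evaluation with a stand-in for natd, and compares the poster's ordering (both RFC1918 checks before the divert) with the ordering I take the fix to have (the "to" checks before the divert, the "from" checks after it; treat that as an assumption and read the actual diff). The interface name fxp0, the outside address 203.0.113.5 and the remote host 198.51.100.9 are made-up values for the simulation.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology for the simulation (assumed, not from the thread):
OIF, PUBLIC_IP = "fxp0", "203.0.113.5"        # outside interface and its fixed address
LAN = ipaddress.ip_network("192.168.10.0/24")  # the poster's inside network

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private(addr: str) -> bool:
    """True if addr falls in one of the RFC1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" or "out" relative to the gateway


class Natd:
    """Minimal stand-in for natd(8): masquerades LAN sources behind PUBLIC_IP
    and maps replies back through a table keyed by the remote address."""

    def __init__(self):
        self.table = {}

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and ipaddress.ip_address(p.src) in LAN:
            self.table[p.dst] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and p.src in self.table:
            return replace(p, dst=self.table[p.src])
        return p  # nothing to translate (e.g. an unsolicited inbound packet)


# A rule is (action, predicate). "via <iface>" matches both directions on that interface.
def deny_from_private_via(iface):
    return ("deny", lambda p: p.iface == iface and private(p.src))


def deny_to_private_via(iface):
    return ("deny", lambda p: p.iface == iface and private(p.dst))


def divert_natd_via(iface):
    return ("divert", lambda p: p.iface == iface)


ALLOW_ANY = ("allow", lambda p: True)


def evaluate(rules, packet, natd):
    """First-match evaluation. A diverted packet comes back translated and
    continues at the next rule, which is how ipfw treats natd reinjection."""
    p = packet
    for number, (action, match) in enumerate(rules, start=1):
        if not match(p):
            continue
        if action == "divert":
            p = natd.translate(p)
            continue
        return action, number, p
    return "deny", 65535, p  # ipfw's default rule


# Ordering the poster inherited: both anti-spoof checks above the divert.
BROKEN = [deny_from_private_via(OIF), deny_to_private_via(OIF), divert_natd_via(OIF), ALLOW_ANY]
# Assumed shape of the rc.firewall fix: "to" check before natd, "from" check after it.
FIXED = [deny_to_private_via(OIF), divert_natd_via(OIF), deny_from_private_via(OIF), ALLOW_ANY]


def lan_session(rules):
    """Push one outbound LAN packet and its reply through `rules`.
    Returns (outbound verdict, inbound verdict, inbound dst after the rules ran)."""
    natd = Natd()
    out = Packet("192.168.10.5", "198.51.100.9", OIF, "out")
    v_out = evaluate(rules, out, natd)
    back = Packet("198.51.100.9", PUBLIC_IP, OIF, "in")
    v_in = evaluate(rules, back, natd)
    return v_out[0], v_in[0], v_in[2].dst


def spoof_from_outside(rules):
    """An inbound packet on the outside interface claiming a private source."""
    return evaluate(rules, Packet("192.168.1.1", PUBLIC_IP, OIF, "in"), Natd())[0]


if __name__ == "__main__":
    print("poster's ordering:", lan_session(BROKEN))   # outbound denied at rule 1
    print("fixed ordering:   ", lan_session(FIXED))    # both directions allowed, reply lands on the LAN host
    print("spoof, fixed:     ", spoof_from_outside(FIXED))
```

Under the broken ordering the outbound packet never reaches the divert, which is exactly the "cannot get out" symptom in the original question; under the fixed ordering natd rewrites the source before the "from 192.168.0.0/16" check runs, while an inbound packet with a forged private source is still dropped, because natd has no table entry for it and the check after the divert sees the untranslated source.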