Date: Sun, 16 Apr 2000 20:55:28 +0200
From: Anders Nordby <anders@fix.no>
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Closing incoming access to private (and other) networks with ipfw (and running natd)
Message-ID: <20000416205528.F20667@totem.fix.no>
I'm not really sure where I should ask this question, since it's (at least to me) both natd and ipfw related.

I'm building a firewall with three network cards (3Com xl ones) that routes both public and private networks to and from the Internet. Natd works -- NICs on the segment routed directly to the Internet see traffic from NICs on private networks as if it came from the IP of the NIC on the firewall on the same segment.

Now, my problem is not routing/forwarding on the firewall, nor network address translation. I need to prevent incoming access to private networks through the firewall (and be sure it really works :-)). I've tried configuring natd with deny_incoming, but I can still ping IPs on private networks through xl0 (which is the NIC on the firewall routed directly to the Internet). Now, that might be due to me using an extra alias on xl0 and routing through it. But I need to be able to block access from one network to the other, and still be able to access the one network from the other (and receive responses to tcp/udp/icmp back with the same protocol).

I've tried accomplishing this with stuff like

ipfw add n deny all from any to 172.n.n.n in via xl0

and by using the keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no luck. :/ Either all traffic is denied (and I don't get replies back on requests which go the legal, permitted way), or all traffic (including unwanted) goes through.

Does anyone have a solution for this? Any help appreciated -- examples, ideas, whatever.

Cheers.

--
Anders.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
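The ordering problem described in the mail (inbound deny either killing replies or blocking nothing) comes down to where the natd divert, check-state and deny rules sit relative to each other. The script below is an added example, not from the original post or from any reply to it; it assumes the outside NIC is xl0 (as in the mail), that the private networks lie inside 172.16.0.0/12 (the mail only says 172.n.n.n), and that natd listens on its default divert port 8668.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: the Internet-facing
# NIC is xl0, the private networks behind the other two NICs lie inside
# 172.16.0.0/12, and natd listens on its default divert port 8668.
# Without IPFW_APPLY=1 the script only prints the ruleset for review.
EXT_IF=xl0
PRIV_NET=172.16.0.0/12
NATD_PORT=8668

# Emit the ruleset in the order ipfw evaluates it.
ipfw_rules() {
    # Inbound packets on xl0 are un-NATed first, so every later rule
    # (check-state included) sees the real private destination.
    echo "add 100 divert $NATD_PORT ip from any to any in via $EXT_IF"
    # Replies to sessions opened from inside match the dynamic rules
    # created by the keep-state rules below and take their skipto action.
    echo "add 200 check-state"
    # Anything else arriving on xl0 for a private address is unsolicited.
    echo "add 300 deny log ip from any to $PRIV_NET in via $EXT_IF"
    # New outbound sessions create state with the untranslated private
    # addresses, then jump to the NAT step so replies match rule 200.
    echo "add 400 skipto 1000 tcp from $PRIV_NET to any out via $EXT_IF keep-state"
    echo "add 401 skipto 1000 udp from $PRIV_NET to any out via $EXT_IF keep-state"
    echo "add 402 skipto 1000 icmp from $PRIV_NET to any out via $EXT_IF keep-state"
    # Everything else on xl0 is dropped (add rules above this for services
    # the firewall itself must reach or offer).
    echo "add 500 deny log ip from any to any via $EXT_IF"
    # Traffic between the two inside NICs never touches xl0 and is allowed.
    echo "add 600 allow ip from any to any"
    # NAT step, reached only through the skipto rules (outbound) or through
    # check-state (inbound replies, which skip the divert and hit 1001).
    echo "add 1000 divert $NATD_PORT ip from $PRIV_NET to any out via $EXT_IF"
    echo "add 1001 allow ip from any to any"
}

# Guard against the failure mode in the mail: if the inbound deny is
# evaluated before check-state, replies to legitimate sessions die too.
rules_ordered() {
    ipfw_rules | awk '/check-state/ { cs = NR }
                      /deny .* in via/ { dn = NR }
                      END { exit !(cs && dn && cs < dn) }'
}

if [ "${IPFW_APPLY:-0}" = 1 ]; then
    rules_ordered || { echo "ruleset misordered, not loading" >&2; exit 1; }
    ipfw_rules | while read -r rule; do /sbin/ipfw -q $rule; done
else
    ipfw_rules
fi
```

Run it once without IPFW_APPLY to read the rules, then with IPFW_APPLY=1 on the firewall after flushing the old set; an unsolicited ping to a private address should now show up as a rule 300 log entry while sessions opened from inside keep working.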