Date:      Mon, 03 May 2004 17:11:33 +0000
From:      "Andrea E." <andrea@ae4u.de>
To:        Supote Leelasupphakorn <pjn0211@yahoo.com>
Cc:        freebsd-ipfw@FreeBSD.org
Subject:   Re: ipfw with NAT and ARP
Message-ID:  <40967D45.3080708@ae4u.de>
In-Reply-To: <20040502051806.68324.qmail@web40602.mail.yahoo.com>
References:  <20040502051806.68324.qmail@web40602.mail.yahoo.com>

Hi,

I have installed and configured FreeBSD 5.2.1 anew. Now I can do ping and
all other network commands.
At this moment I don't know what the problem was.

thanks for all your help

Andrea


Supote Leelasupphakorn wrote:
> Hi Andrea E.
> 
>    From my understanding, if you'd like to ping from EXTERNAL ip
> to EXTERNAL ip, the firewall is not involved because it will
> reach each other directly. Could you confirm that you'd like
> to "ping from EXTERNAL ip to EXTERNAL ip" so someone can find
> out the solution?
> 
> Cheers,
> pjn
> 
>  --- Supote Leelasupphakorn <pjn0211@yahoo.com> wrote:
>>Hi,
>>
>>I am a newbie and my question is very easy perhaps. I work with FreeBSD 5.2.1.
>>
>>I would like to configure a firewall with two interfaces (xl0 = LAN, xl1 = External).
>>
>>For NAT I have configured it as described in the manual page of natd:
>>
>>ipfw -f flush
>>ipfw add divert natd all from any to any via xl1
>>ipfw add allow all from any to any
>>
>>-> all is fine.
>>
>>But, I wont so a simple firewall and for this reason, first I want to
>>configure the ICMP-protocol:
>>
>>ip_ext => External IP-Address
>>
>>ipfw -f flush
>>ipfw add divert natd all from any to any via xl1
>>ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
>>ipfw add allow icmp from any to $ip_ext icmptypes 0  in via xl1
>>
>>-> It's not ok. With "ethereal" no packets are going out (test from
>>another system, connected with a hub.)
>>
>>When testing "ping" from external to external IP address of my firewall,
>>the ARP request: to broadcast Who has xxx.xxx.xxx.xxx? Tell
>>xxx.xxx.xxx.xxx fails
>>
>>-> seems to have a problem to let ARP through the firewall.
>>
>>Above -> "ipfw add allow all from any to any" lets ARP through the
>>firewall. So I think that the configuration of the rest of my computer
>>(like kernel, rc.conf, etc.) is ok.
>>
>>And there is no ARP protocol in /etc/protocols, so I don't know what I
>>can do now.
>>
>>There is a bug:
>>After restarting system with above configuration of icmp-protocol no
>>ping-request is going out. After a flush of all rules and configuring of
>>"ipfw add allow all from any to any" ping-request gets an answer.
>>Very interesting is to flush all rules and to configure the firewall
>>like the first configuring (to allow special rules for icmp-protocol) ->
>>all works very fine. ping-request gets an answer. When restarting system
>>the ping-request gets no answer again, I mean, the ping-request is not
>>sent out.
>>
>>Can anybody help me? Hope to get an answer.
>>
>>I hope you can understand me, my English isn't very good.
>>
>>Greetings from Berlin,
>>
>>	Andrea E.
>>



