Date:      Tue, 5 Nov 2002 15:38:49 -0800 (PST)
From:      Terrac Skiens <terrac@cloudfactory.org>
To:        David Cramblett <dcramble@mesd.k12.or.us>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW, natd, redirect_address help needed
Message-ID:  <Pine.LNX.4.44.0211051537290.6755-100000@cumulonimbus.cloudfactory.org>
In-Reply-To: <3DC85565.2060900@mesd.k12.or.us>

Since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though; however, I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. That's right, isn't it?

 -terrac

On Tue, 5 Nov 2002, David Cramblett wrote:

> Do you have gateway_enable="YES" in your firewall?
>
> Can you get packets through both directions just fine with the firewall
> set to "OPEN"?
>
> David
>
>
> Terrac Skiens wrote:
>
> >Hi there,
> >
> > I have been trying to set up an embedded system from soekris, running a
> >small version of freebsd on its internal compact flash hard disk.
> >
> > The machine is built, I have remote access to it and I intend to use it
> >as a firewall + nat appliance. Directing traffic from machines internally
> >to external IP addresses.
> >
> > I have gotten everything running, however my test for the machines
> >behind the new firewall keep failing. I can ping the firewall itself, but
> >not anything past it. The pings just disappear. From the firewall I can
> >ping anything by either hostname or IP.
> >
> > What I have not figured out is why my machines behind the firewall cannot
> >ping out past the firewall, or get any other traffic out either.
> >
> >my ipfw list is:
> >---------------------------------------
> >00100 allow ip from any to any via lo0
> >00200 deny ip from any to 127.0.0.0/8
> >00300 deny ip from 127.0.0.0/8 to any
> >00400 deny ip from any to 172.16.0.0/12 via sis0
> >00500 deny ip from any to 192.168.0.0/16 via sis0
> >00600 deny ip from any to 0.0.0.0/8 via sis0
> >00700 deny ip from any to 169.254.0.0/16 via sis0
> >00800 deny ip from any to 192.0.2.0/24 via sis0
> >00900 deny ip from any to 224.0.0.0/4 via sis0
> >01000 deny ip from any to 240.0.0.0/4 via sis0
> >01100 divert 8668 ip from any to any via sis0
> >01200 deny ip from 172.16.0.0/12 to any via sis0
> >01300 deny ip from 192.168.0.0/16 to any via sis0
> >01400 deny ip from 0.0.0.0/8 to any via sis0
> >01500 deny ip from 169.254.0.0/16 to any via sis0
> >01600 deny ip from 192.0.2.0/24 to any via sis0
> >01700 deny ip from 224.0.0.0/4 to any via sis0
> >01800 deny ip from 240.0.0.0/4 to any via sis0
> >01900 allow tcp from any to any established
> >02000 allow ip from any to any frag
> >10000 deny log logamount 100 tcp from any to any in recv sis0 setup
> >10100 allow tcp from any to any setup
> >10200 allow udp from any to any 53 keep-state out xmit sis0
> >10300 allow udp from any to any 53 keep-state in recv sis0
> >10400 allow udp from any to any 123 keep-state out xmit sis0
> >10500 allow udp from any to any 123 keep-state in recv sis1
> >10600 allow tcp from any to any 53 keep-state out xmit sis0
> >10700 allow tcp from any to any 53 keep-state in recv sis1
> >10800 allow tcp from any to any 25 keep-state out xmit sis0
> >10900 allow tcp from any to any 25 keep-state in recv sis1
> >11000 allow tcp from any to any 22 keep-state out xmit sis0
> >11100 allow tcp from any to any 22 keep-state in recv sis1
> >11200 allow udp from me to any 67 keep-state out xmit sis0
> >11300 allow icmp from any to any
> >65535 deny ip from any to any
> >
> >and my netstat -rn is:
> >---------------------------------------
> >Routing table:
> >--------------
> >Destination        Gateway            Flags       Netif  Use
> >default            66.180.229.177     UGSc        sis0    2
> >10.1.1.0/24        link#2             UC          sis1    0
> >xxx.xxx.xxx.xxx    link#1             UC          sis0    0 <- network
> >xxx.xxx.xxx.xxx    link#1             UHLW        sis0    0 <- gateway
> >127.0.0.1          127.0.0.1          UH          lo0     0
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
> >
>
> --
> David Cramblett
> Network and Information Services
> Multnomah Education Service District
> phn: 503-257-1535
> fax: 503-257-1538
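Read on its own, the ipfw listing quoted above does not drop the traffic the original poster says vanishes: ICMP from the LAN is matched by rule 11300 on the way in and, after the divert at 01100, again on the way out, while an unsolicited SYN arriving on sis0 is logged and dropped by rule 10000. That is why the follow-up questions turn to gateway_enable and natd rather than to the filter. The tracer below is an added example written for this page, not code from the thread or from any participant: it walks constructed packets through an abridged copy of the posted listing using ipfw's first-match semantics for the keywords that listing uses (via, recv, xmit, in, out, setup, established, keep-state, divert). The LAN host 10.1.1.5, the Internet host 198.51.100.7 and the external address 203.0.113.1 standing in for the xxx-masked addresses are assumptions; natd's address rewrite on the outbound pass is emulated, and dynamic (keep-state) rules are not modelled.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample: an abridged copy of the "ipfw list" output quoted above.
# Numbers, actions and interfaces are as posted; most of the bogon deny rules are left out.
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00400 deny ip from any to 172.16.0.0/12 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01900 allow tcp from any to any established
10000 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
11300 allow icmp from any to any
65535 deny ip from any to any
"""
# Assumed stand-ins for the xxx-masked addresses: sis0 is the external side, sis1 the LAN.
EXT_IP = "203.0.113.1"
ME = {EXT_IP, "10.1.1.1"}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    recv: Optional[str] = None      # interface the packet arrived on
    xmit: Optional[str] = None      # interface it leaves on; None during the inbound pass
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"syn", "ack"}

Rule = namedtuple("Rule", "num action proto src dst dport opts")  # opts: keyword -> iface or True

def parse_rules(listing):
    """Parse the subset of ipfw syntax that appears in the posted ruleset."""
    rules = []
    for line in listing.splitlines():
        t = line.split()
        num, action = int(t[0]), t[1]
        i = 3 if action == "divert" else 2        # a divert rule carries a port number
        if t[i] == "log":
            i += 3 if t[i + 1] == "logamount" else 1
        proto, src, i = t[i], t[i + 2], i + 3     # t[i + 1] is the word "from"
        if t[i] != "to":
            i += 1                                # skip a source port if one is present
        dst, i = t[i + 1], i + 2
        dport = int(t[i]) if i < len(t) and t[i].isdigit() else None
        rest, opts = t[i + (dport is not None):], {}
        while rest:
            kw = rest.pop(0)
            opts[kw] = rest.pop(0) if kw in ("via", "recv", "xmit") else True
        rules.append(Rule(num, action, proto, src, dst, dport, opts))
    return rules

def addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """Apply every clause of one rule to a packet, the way ipfw evaluates it."""
    o, direction = r.opts, "out" if p.xmit else "in"
    return all([
        r.proto in ("ip", p.proto),
        addr_ok(r.src, p.src) and addr_ok(r.dst, p.dst),
        r.dport is None or r.dport == p.dport,
        "via" not in o or o["via"] in (p.recv, p.xmit),
        "recv" not in o or o["recv"] == p.recv,
        "xmit" not in o or o["xmit"] == p.xmit,
        "in" not in o or direction == "in",
        "out" not in o or direction == "out",
        "established" not in o or (p.proto == "tcp" and bool(p.flags & {"ack", "rst"})),
        "setup" not in o or (p.proto == "tcp" and "syn" in p.flags and "ack" not in p.flags),
    ])

def trace(rules, p):
    """Return (verdict, [numbers of the rules that matched]) for one pass through the list.
    ipfw stops at the first allow/deny; a divert hands the packet to natd and the search resumes
    at the next rule, so natd's outbound source rewrite is emulated here with EXT_IP."""
    hits = []
    for r in rules:
        if matches(r, p):
            hits.append(r.num)
            if r.action != "divert":
                return r.action, hits
            if p.xmit is not None:
                p = replace(p, src=EXT_IP)
    return "deny", hits                           # ipfw's implicit default

RULES = parse_rules(IPFW_LIST)
LAN, NET = "10.1.1.5", "198.51.100.7"           # constructed LAN host and Internet host
PING_IN = Packet("icmp", LAN, NET, recv="sis1")                # the LAN ping entering on sis1
PING_OUT = Packet("icmp", LAN, NET, recv="sis1", xmit="sis0")  # same ping, forwarded out of sis0
SYN_IN = Packet("tcp", NET, EXT_IP, dport=22, recv="sis0", flags=frozenset({"syn"}))
SYNACK_IN = Packet("tcp", NET, EXT_IP, dport=40000, recv="sis0", flags=frozenset({"syn", "ack"}))

if __name__ == "__main__":
    for pkt in (PING_IN, PING_OUT, SYN_IN, SYNACK_IN):
        print(pkt.proto, pkt.recv, pkt.xmit, "->", trace(RULES, pkt))
```

Running it shows the LAN ping allowed on both passes (11300 alone inbound, 1100 then 11300 outbound), the outside SYN to port 22 denied by 10000 after the divert, and the SYN/ACK reply admitted by 1900. When a filter traces clean like this, the next things to check are IP forwarding (gateway_enable, i.e. net.inet.ip.forwarding) and that natd is actually running against sis0, which is exactly where the reply above points.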