Date:      Thu, 17 Aug 2000 22:59:23 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        "SILVER, MICHAEL A" <MSILVER@scana.com>
Cc:        "'freebsd-questions@FreeBSD.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Problem with FreeBSD behind a firewall
Message-ID:  <20000817225922.G28027@149.211.6.64.reflexcom.com>
In-Reply-To: <DBB3921EFE2AD211A81500A0C9B5FE760579457F@msg04.scana.com>; from MSILVER@scana.com on Thu, Aug 17, 2000 at 12:04:52PM -0400
References:  <DBB3921EFE2AD211A81500A0C9B5FE760579457F@msg04.scana.com>

On Thu, Aug 17, 2000 at 12:04:52PM -0400, SILVER, MICHAEL A wrote:
> I have a situation where my FBSD machine sits behind a hardware firewall and
> is inaccessible from the outside world.  The problem is, it needs to be
> accessible.  The HW firewall is set up to pass all traffic to a specific
> internet IP to the FBSD firewall, but this appears not to be happening, OR
> the FBSD machine is not responding properly.  I need to find out which is
> the problem and correct it.  (I don't have access to the HW firewall)

Sniff (tcpdump) the external interface of the FreeBSD machine,
10.0.0.20. Try to connect to it from the Internet. Watch the tcpdump
output and see if the packets are coming in. 

> FYI:  The FBSD machine also acts as a firewall for a small subnet.  So there
> are actually two firewalls (see diagram below).  Currently everyone on the
> internal net can access the internet successfully.  I am using ipfw and natd
> for this.  Only incoming traffic is failing. 
> 
>    Internet                               FBSD Firewall  
>       o---(public addresses)----o----(10.0.20)-----o----(172.16.1)-----o
>                           HW Firewall                     Internal Net
> 
> My question is this, do I need to assign the valid internet address from the
> HW firewall to the FBSD box so that it can respond to outside requests
> properly?

It's not really up to the FreeBSD box. The "hardware firewall" has to
do all of the work of redirecting addresses if it is doing NAT and not
routing.

> Currently it is dual homed, but with private addresses.  I tried
> using an IP alias, and this made NATD bomb.  Will logging show if traffic is
> actually being passed through the hardware firewall to the FBSD machine?

Like I said, try a tcpdump on the outer interface.

> I would include config files, but I don't currently have access to the
> machine.  If this is where the problem may lie, I will get access.  People
> on the internal net AND on the 10.0.20 net can access the FBSD machine, just
> not people from the internet.

Sounds like it is the configuration of the "hardware firewall."
-- 
Crist J. Clark                           cjclark@alum.mit.com
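The check Crist describes above, as an added example that is not part of the thread: a small sh script that sorts the output of a tcpdump run on the outer interface into "nothing arrives" (hardware firewall not forwarding), "arrives but no reply" (look at ipfw, natd and the listening service on the FreeBSD box) or "ok". It assumes the outer address 10.0.0.20, TCP port 22 as the service under test, and the modern tcpdump line format; the capture lines are constructed.

```shell
#!/bin/sh
# Sort a tcpdump capture from the FreeBSD box's outer interface into one of
# three verdicts. Assumptions (not from the thread): the outer address is
# 10.0.0.20, the service under test is TCP port 22, and the capture came from
#   tcpdump -ni <outer-interface> tcp port 22
# printing modern "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" lines.
EXT_IP=10.0.0.20
PORT=22

# Constructed sample: two inbound SYNs from the Internet, nothing sent back.
SAMPLE='22:59:23.100000 IP 203.0.113.5.51234 > 10.0.0.20.22: Flags [S], seq 1, win 65535, length 0
22:59:24.100000 IP 203.0.113.5.51234 > 10.0.0.20.22: Flags [S], seq 1, win 65535, length 0'

# Inbound SYNs addressed to EXT_IP:PORT (grep -F: the pattern is literal, so
# "[S]" does not match "[S.]"; "|| true" keeps grep's no-match status from
# aborting a caller running under set -e).
count_inbound_syn() {
    printf '%s\n' "$1" | grep -Fc " > $EXT_IP.$PORT: Flags [S]" || true
}

# Anything the box sent back out of the outer interface from EXT_IP:PORT
# (SYN-ACK or RST both count as "the box answered").
count_outbound_reply() {
    printf '%s\n' "$1" | grep -Fc "IP $EXT_IP.$PORT > " || true
}

# no-arrival : nothing reaches the outer interface, so the hardware firewall
#              is not forwarding; the fix is on that side.
# no-reply   : packets arrive but the box never answers; check ipfw rules,
#              natd, and whether the service listens on EXT_IP.
# ok         : SYNs arrive and replies go out; the problem is elsewhere.
diagnose() {
    in=$(count_inbound_syn "$1")
    out=$(count_outbound_reply "$1")
    if [ "$in" -eq 0 ]; then
        echo no-arrival
    elif [ "$out" -eq 0 ]; then
        echo no-reply
    else
        echo ok
    fi
}

diagnose "$SAMPLE"
```

To use it on a live box, replace SAMPLE with the saved output of the tcpdump command in the header comment.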