Date:      Thu, 5 Jul 2001 21:36:42 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Robert Banniza <robert@rootprompt.net>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Still can't get it to work...
Message-ID:  <20010705213642.B308@blossom.cjclark.org>
In-Reply-To: <GMEDKMKMEBENJMBLDHAIGEFJEAAA.robert@rootprompt.net>; from robert@rootprompt.net on Thu, Jul 05, 2001 at 09:55:38PM -0700
References:  <2059229442.994196674@[192.168.2.94]> <GMEDKMKMEBENJMBLDHAIGEFJEAAA.robert@rootprompt.net>

On Thu, Jul 05, 2001 at 09:55:38PM -0700, Robert Banniza wrote:
> I cannot for the absolute life of me get IPFW to work with three NICs. All I
> want to do is to:
> 
> 1) Pass all traffic from internal network (192.168.1.0/24) to go out to 'net
> or to the DMZ.
> 2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
> addresses (208.53.161.252/30)
> 3) Allow no traffic from DMZ to flow back into internal network.
> 4) Block external interface from RFC1918 spoofed addresses
> 
> My network is broken up into the following segments:
> 
> xl0 - external interface (208.53.161.248/30)
> fxp0 - internal interface (192.168.1.0/24)
> fxp1 - optional interface (208.53.161.252/30)
> 
> I'm using default deny which I feel is safest and compensates for human
> error more so than default allow.

If you can't get it to _work,_ first thing to do is,

  00100 divert natd ip from any to any via xl0
  00200 pass ip from any to any

And make sure that works. If you can't get it to run at all, I'd
suspect a routing or interface problem before ipfw(8). ipfw(8) really
doesn't care how many NICs you are using.

Once you verify it works, remove the 'pass ip any to any' and start
placing more and more restrictive rules.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
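The reply's advice is to start from the two-rule "divert plus pass everything" set and then tighten. The script below is an added example (not from either poster) of where that tightening ends up for the layout in the original question: default deny, natd on xl0, the listed TCP/UDP services open to the DMZ, RFC 1918 sources dropped on the outside, and the DMZ unable to initiate anything toward the inside. Interface names, networks and ports are taken from the thread; the rule numbers, the ICMP types let through, the use of `setup`/`established` instead of `keep-state`, and the decision to let TCP replies and DNS answers from the DMZ reach internal hosts are my assumptions. The generator and the apply step are split so the rule text can be inspected on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny ipfw ruleset for a
# three-NIC gateway: external xl0 (natd), internal fxp0, DMZ fxp1.

EXT_IF=xl0                  # external interface, 208.53.161.248/30
INT_IF=fxp0                 # internal interface
DMZ_IF=fxp1                 # DMZ interface, public addresses
INT_NET=192.168.1.0/24
DMZ_NET=208.53.161.252/30
DMZ_TCP_PORTS=22,25,80,443  # services reachable from anywhere
DMZ_UDP_PORTS=53            # DNS

# gen_rules prints the ruleset in the form ipfw(8) reads from a file,
# one command per line. Lines starting with # are comments and are
# stripped before the rules are loaded.
gen_rules() {
    cat <<EOF
# Loopback is always fine; spoofed loopback never is.
add 10 pass ip from any to any via lo0
add 20 deny ip from any to 127.0.0.0/8
add 30 deny ip from 127.0.0.0/8 to any
# NAT on the outside, the same divert rule as the minimal test set.
add 100 divert natd ip from any to any via $EXT_IF
# Anti-spoofing: no RFC 1918 source may arrive on the external interface.
add 200 deny log ip from 10.0.0.0/8 to any in via $EXT_IF
add 210 deny log ip from 172.16.0.0/12 to any in via $EXT_IF
add 220 deny log ip from 192.168.0.0/16 to any in via $EXT_IF
# DMZ -> internal: only replies to sessions the inside opened (assumption),
# everything else from the DMZ toward the internal net is dropped and logged.
add 300 pass tcp from $DMZ_NET to $INT_NET established
add 310 pass udp from $DMZ_NET $DMZ_UDP_PORTS to $INT_NET
add 320 deny log ip from $DMZ_NET to $INT_NET
# Internal -> anywhere: the Internet through natd, or the DMZ directly.
add 400 pass ip from $INT_NET to any in via $INT_IF
add 410 pass ip from $INT_NET to $DMZ_NET out via $DMZ_IF
add 420 pass ip from any to any out via $EXT_IF
# Return traffic for the inside, seen after natd rewrote the destination.
add 500 pass tcp from any to $INT_NET in via $EXT_IF established
add 510 pass udp from any $DMZ_UDP_PORTS to $INT_NET in via $EXT_IF
add 520 pass ip from any to $INT_NET out via $INT_IF
# Published DMZ services, plus the DMZ's own outbound traffic and replies.
add 600 pass tcp from any to $DMZ_NET $DMZ_TCP_PORTS setup
add 610 pass tcp from any to $DMZ_NET established
add 620 pass udp from any to $DMZ_NET $DMZ_UDP_PORTS
add 630 pass ip from $DMZ_NET to any
# Echo reply/request, unreachable (incl. fragmentation needed), time exceeded.
add 700 pass icmp from any to any icmptypes 0,3,8,11
# Explicit default deny with logging, so blocked packets are visible.
add 65000 deny log ip from any to any
EOF
}

# apply_rules flushes the running set and loads the generated one.
# -f answers the flush confirmation, -q keeps ipfw quiet.
apply_rules() {
    tmp=$(mktemp -t ipfw) || return 1
    gen_rules | sed '/^#/d' > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# "./rules.sh apply" loads the ruleset; anything else just prints it.
if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments first and read the output: the rule numbers leave room to insert the extra rules a real site needs (an admin SSH rule from the inside to the gateway, for instance) without renumbering. As the reply says, do this only after the two-rule set has confirmed that routing and natd work on their own.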
