Date:      Sun, 12 Mar 2006 09:27:05 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Dave Johnson <davej@wsnet.co.za>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW problem
Message-ID:  <44142FB9.40009@mac.com>
In-Reply-To: <002b01c645dd$cc6a3800$5b00a8c0@laptop>
References:  <002b01c645dd$cc6a3800$5b00a8c0@laptop>

Dave Johnson wrote:
> Hi all
> 
> I am having a problem with ipfw. 
> 
> Please have a look at www.pastebin.com/597707
> 
> I could not ping anything so I hashed out lines 62 & 70.
> 
> Now I can ping 192.168.0.2 but not 192.168.0.1.
> 
> Also browsing and email are not working.

Um.  Your IPFW rules don't seem to make a whole lot of sense [1], but I would
imagine the specific problem is:

53	$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif

...try adding the log keyword to each deny line and you will get more useful
information from the packet filter rules.

-- 
-Chuck

[1]: Please re-examine the sample rulesets in /etc/rc.firewall, and be aware
that you need to adjust your anti-spoofing rules if you actually use RFC-1918
unroutable subnets, which you seem to be doing.

The fact that your "external interface" is pointing to a 192.168.0.1 default
router means that some other device is already doing NAT, so you should possibly
re-evaluate doing NAT on the FreeBSD system as well.  Chaining multiple levels
of NAT translation together is generally painful without even considering the
difficulty of setting up sane firewall rules to describe the topology.
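The two points above (an anti-spoofing rule that also drops the subnet the external interface actually lives on, and deny rules that give no feedback because they lack "log") can be seen side by side in the following rc.firewall-style fragment. It is an added example, not code from this thread, from Dave's pastebin or from FreeBSD's own /etc/rc.firewall. The interface name em0, the external subnet 192.168.0.0/24 with its 192.168.0.1 upstream router, and the inside network 192.168.1.0/24 are assumptions chosen for illustration; by default $cmd only echoes the rules so the script can be read and checked without touching a live firewall.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall:
# the rule Chuck points at next to a corrected version that (a) does not
# drop traffic from the external link's own subnet and (b) logs what it
# denies.
#
# Assumptions (hypothetical, for illustration only):
#   pif      - external interface, here em0
#   ext_net  - the RFC 1918 subnet the external interface actually sits on;
#              the 192.168.0.1 upstream router lives here
#   lan_net  - the inside network behind this box
# Default $cmd is "echo ipfw -q add" so nothing is loaded; set
# IPFW_CMD="ipfw -q add" in the environment to apply the rules for real.

pif="${PIF:-em0}"
ext_net="${EXT_NET:-192.168.0.0/24}"
lan_net="${LAN_NET:-192.168.1.0/24}"
cmd="${IPFW_CMD:-echo ipfw -q add}"

# The rule as quoted in the thread. On an external interface whose upstream
# router is 192.168.0.1, this refuses every reply coming back from that
# router (ping replies, DNS answers, HTTP, SMTP), and does so silently.
broken_antispoof() {
    $cmd 00300 deny all from 192.168.0.0/16 to any in via "$pif"
}

# Corrected anti-spoofing for the same interface:
#  - anti-spoofing means "packets claiming my inside source addresses must
#    not arrive on the outside interface", so deny $lan_net, not the whole
#    192.168/16 that the external link itself uses;
#  - the rest of the RFC 1918 space is still refused, except the subnet the
#    external link is attached to, which is allowed in first;
#  - every deny carries "log", so blocked packets appear in /var/log/security
#    (requires net.inet.ip.fw.verbose=1, i.e. firewall_logging="YES" in
#    rc.conf) and "ipfw -a list" shows per-rule hit counters.
fixed_antispoof() {
    $cmd 00290 allow all from "$ext_net" to any in via "$pif"
    $cmd 00300 deny log all from "$lan_net" to any in via "$pif"
    $cmd 00310 deny log all from 192.168.0.0/16 to any in via "$pif"
    $cmd 00320 deny log all from 172.16.0.0/12 to any in via "$pif"
    $cmd 00330 deny log all from 10.0.0.0/8 to any in via "$pif"
}

# Count deny rules that lack the log keyword in a rendered ruleset: a quick
# check to run over any rc.firewall before loading it. Prints 0 when every
# deny is logged.
count_unlogged_denies() {
    printf '%s\n' "$1" | grep ' deny ' | grep -vc ' deny log ' || true
}

# Dry run: show both versions and the unlogged-deny count of each.
echo "# original:";  broken_antispoof
echo "# corrected:"; fixed_antispoof
echo "# unlogged denies, original:  $(count_unlogged_denies "$(broken_antispoof)")"
echo "# unlogged denies, corrected: $(count_unlogged_denies "$(fixed_antispoof)")"
```

With the log keyword in place, a failing ping or mail connection shows up as a line in /var/log/security naming the rule number, the source and destination, and the interface, which is exactly the information needed to see that rule 00300 is eating the replies from 192.168.0.1.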
