From: Gardner Bell <gbell72@rogers.com>
Date: Tue, 8 May 2007 14:23:34 -0400 (EDT)
To: iaccounts@ibctech.ca
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW and NATD problem
In-Reply-To: <200705081221.46248.lists@jnielsen.net>
Message-ID: <458115.4028.qm@web88002.mail.re2.yahoo.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

--- Steve Bertrand wrote:

> Gardner Bell wrote:
> > Hi all,
> >
> > I've been following the IPFW section in the handbook and /etc/rc.firewall
> > to try and set up a gateway for my home LAN, but I'm having a bit of
> > trouble getting access to the internet. My network setup looks like so.
> >
> >   192.168.x.x              bge1 - 192.168.x.x   bge0 x.x.x.x
> > --LAN------------Switch---------FreeBSD-------------------------------ISP
> >
> > bge0 successfully receives an IP from my ISP's DHCP server and I can ping
> > the LAN without any issues. When it comes to accessing the internet I get
> > a hostname lookup failure.
> >
> > Any help resolving this is greatly appreciated.
> >
> > Gardner
> >
> > mx1# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from 192.168.1.0/24 to any in via bge0
> > 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
> > 00600 deny ip from any to 10.0.0.0/8 via bge0
> > 00700 deny ip from any to 172.16.0.0/12 via bge0
> > 00800 deny ip from any to 192.168.0.0/16 via bge0
> > 00900 deny ip from any to 0.0.0.0/8 via bge0
> > 01000 deny ip from any to 169.254.0.0/16 via bge0
> > 01100 deny ip from any to 192.0.2.0/24 via bge0
> > 01200 deny ip from any to 224.0.0.0/4 via bge0
> > 01300 deny ip from any to 240.0.0.0/4 via bge0
> >
> > 01400 divert 8668 ip from any to any in via bge0
>
> What happens if you switch the above line to bge1, as opposed to bge0?

I am able to ping the internet if I change my divert rule to bge1 but lose
any connectivity to the LAN. I can only ping 192.168.1.1, i.e. bge1.

> I haven't used natd in a couple years, but from what I can tell, you are
> trying to divert packets that are inbound from the Internet, as opposed
> to diverting packets from the LAN.

OK. I was pretty sure that natd_interface had to be set to the NIC facing
the internet, as the manual and /etc/defaults/rc.conf mention.

> What does /etc/natd.conf state?

I don't have an /etc/natd.conf as of yet, but I'm using -deny_incoming in
natd_flags. The natd command shows:

/sbin/natd -deny_incoming -dynamic -n bge0

> If the above does not work, perhaps you could start with a minimalistic
> ruleset, having only allow rules, and then a blanket rule to deny at the
> bottom?

I'll give that a try.

> Steve

Gardner

ps: I'm not subscribed to the list. Hope I didn't munge the quotes up too bad.
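The minimal ruleset Steve suggests, written out as an added example (this is editor-supplied illustration, not code from the thread or from FreeBSD's rc.firewall). Its one substantive point: the thread's divert rule is restricted to `in via bge0`, so only packets arriving from the ISP pass through natd, while packets the LAN sends out via bge0 leave untranslated with their 192.168.1.x source. The generated ruleset diverts `via bge0` with no direction, so both directions are translated, and the script also includes a small checker that reads an `ipfw list` listing on stdin and reports whether its divert rule covers both directions on the external interface. The interface names, the LAN prefix, the rule numbers and the allow rules (established TCP, UDP replies from port 53, a few ICMP types) are assumptions chosen to match the topology described in the mail; tighten them for any real deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a minimal ipfw + natd ruleset
# and checks an existing listing for a direction-restricted divert rule.

# Print a minimal ruleset for a natd gateway.
# $1 = external interface, $2 = internal (LAN) interface, $3 = LAN prefix.
# The divert rule uses plain "via $ext" so inbound and outbound packets on
# the external interface are both handed to natd (port 8668 is natd's
# default divert port). Everything not explicitly allowed is logged and
# dropped by the last rule.
emit_ruleset() {
    ext=$1; int=$2; lan=$3
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 deny ip from $lan to any in via $ext
add 00500 divert 8668 ip from any to any via $ext
add 00600 allow ip from any to any via $int
add 00700 allow ip from any to any out via $ext
add 00800 allow tcp from any to any in via $ext established
add 00900 allow udp from any 53 to any in via $ext
add 01000 allow icmp from any to any in via $ext icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Read an "ipfw list" style listing on stdin and return 0 when it contains
# a divert rule matching both directions on $1 ("via IF" with no "in"/"out"
# qualifier), 1 otherwise. The thread's "in via bge0" rule fails this check.
divert_covers_both_ways() {
    ext=$1
    grep 'divert' | grep " via $ext\$" | grep -qv -e ' in via ' -e ' out via '
}

# Constructed sample listing reproducing the divert rule from the mail
# (abbreviated; only the lines relevant to the checker are kept).
sample_listing() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0/24 to any in via bge0
01400 divert 8668 ip from any to any in via bge0
EOF
}

# Load the generated ruleset on a FreeBSD gateway. Assumes /sbin/ipfw and
# natd already running on port 8668 (e.g. natd -n $ext). ipfw(8) accepts a
# file of "add ..." lines, so the ruleset is written to a temp file first.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    emit_ruleset "$@" > "$tmp"
    /sbin/ipfw -q -f flush && /sbin/ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh natd-rules.sh --emit  bge0 bge1 192.168.1.0/24
#        sh natd-rules.sh --apply bge0 bge1 192.168.1.0/24
#        ipfw list | sh natd-rules.sh --check bge0
case "${1:-}" in
    --emit)  shift; emit_ruleset "$@" ;;
    --apply) shift; apply_ruleset "$@" ;;
    --check) shift
             if divert_covers_both_ways "$1"; then
                 echo "divert covers both directions on $1"
             else
                 echo "no direction-neutral divert rule on $1" >&2
                 exit 1
             fi ;;
esac
```

Run `ipfw list | sh natd-rules.sh --check bge0` on the gateway before and after loading the rules; the check fails on the listing from the thread and passes on the generated ruleset.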