From owner-freebsd-questions Mon Jan 27 19:55:50 2003
From: "Asenchi"
To: "freebsd-questions@FreeBSD.ORG"
Subject: RE: Firewall + DHCP (STILL)
Date: Mon, 27 Jan 2003 22:55:09 -0500

Hello,

I emailed and received some help this past weekend. Thank you all for responding; however, none of the suggestions were able to cure my problem. Here is the issue:

I am setting up a firewall, IPFW + NATD, that will act as a gateway. I have two NICs that are configured. The OIF will be connected to a cable modem that assigns connections by DHCP. I am not able to keep a connection with my OIF concerning this. It did work once. However, when I removed the 'all any to any' rule in rc.firewall it dropped. Never to connect again.

Some of the suggestions so far have been:

"commenting out the ifconfig_vr0='DHCP'" DONE

"This suggests that your dhclient can not bind to the port it needs. You may want to check what is bound to that port. See 'lsof' and 'netstat'." DONE

I have tried both of these. Here is a schematic of the ideal situation:

NET --> Cable Modem >> Firewall (IPFW + NAT, Gateway) > Internal NET.

Can someone please help me? I really appreciate the help so far.

Thanks,
Curt Micol

PS: Below is a bunch of info on my setup; let me know if you want more. Oh, and I know that there is no IP assigned to vr0; this is BSD, not me. I have tried to assign one and have also set 'ifconfig_vr0="DHCP"' in rc.conf.

#uname -a
FreeBSD world.attbi.com 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Jan 24 22:05:56 EST 2003     asenchi@world:/usr/obj/usr/src/sys/ASENCHI  i386

#vi /etc/rc.firewall
#FIREWALL RULES
fwcmd="/sbin/ipfw"
oif="vr0"
onet="`ifconfig vr0 | grep "inet " | awk '{print $6}'`"
omask="`ifconfig vr0 | grep "inet " | awk '{print $4}'`"
oip="`ifconfig vr0 | grep "inet " | awk '{print $2}'`"
iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

${fwcmd} -f flush
${fwcmd} add 0050 divert natd all from any to any via ${oif}
${fwcmd} add 0200 allow all from any to any
${fwcmd} add 0500 allow all from ${iip} to ${inet}:${imask}
${fwcmd} add 0501 allow all from ${inet}:${imask} to ${iip}
${fwcmd} add 0502 allow tcp from any to any established
${fwcmd} add 0503 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 0504 deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add 0505 pass all from any to any frag
${fwcmd} add 0506 pass tcp from any to ${oip} 53 setup
${fwcmd} add 0507 pass udp from any 53 to ${oip}
${fwcmd} add 0508 pass udp from ${oip} 53 to any
${fwcmd} add 0509 pass udp from ${oip} to any 53 keep-state
${fwcmd} add 0510 allow tcp from any to any 22 setup
${fwcmd} add 0511 allow tcp from any 22 to any setup
${fwcmd} add 0550 allow udp from any to any 68 out via ${oif}
${fwcmd} add 0551 allow udp from any 68 to any out via ${oif}
${fwcmd} add 0552 allow udp from any 67 to any in via ${oif}

#ps -acux
USER     PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root     225  0.0  0.1  420  216  v1  R+   10:30PM 0:00.00 ps
root       1  0.0  0.1  552  316  ??  ILs   5:28PM 0:00.01 init
root       2  0.0  0.0    0    0  ??  DL    5:28PM 0:00.00 pagedaemon
root       3  0.0  0.0    0    0  ??  DL    5:28PM 0:00.00 vmdaemon
root       4  0.0  0.0    0    0  ??  DL    5:28PM 0:00.00 bufdaemon
root       5  0.0  0.0    0    0  ??  DL    5:28PM 0:00.00 vnlru
root       6  0.0  0.0    0    0  ??  DL    5:28PM 0:00.01 syncer
root      25  0.0  0.0  212   96  ??  Is    5:28PM 0:00.00 adjkerntz
root      66  0.0  0.3  944  728  ??  Is   10:28PM 0:00.00 dhclient
root     114  0.0  0.1  432  288  ??  Is   10:28PM 0:00.00 natd
root     137  0.0  0.3  972  656  ??  Ss   10:28PM 0:00.08 syslogd
root     145  0.0  0.3 1056  696  ??  Is   10:28PM 0:00.00 inetd
root     147  0.0  0.3 1024  764  ??  Is   10:28PM 0:00.00 cron
root     149  0.0  0.7 2324 1744  ??  Is   10:28PM 0:00.00 sshd
qmaild   173  0.0  0.2  896  392 con- I    10:28PM 0:00.00 tcpserver
root     174  0.0  0.2  896  392 con- I    10:28PM 0:00.00 tcpserver
qmails   175  0.0  0.2  940  500 con- I    10:28PM 0:00.03 qmail-send
qmaill   180  0.0  0.2  896  504 con- I    10:28PM 0:00.00 splogger
root     181  0.0  0.2  896  476 con- I    10:28PM 0:00.00 qmail-lspawn
qmailr   182  0.0  0.2  896  412 con- I    10:28PM 0:00.00 qmail-rspawn
qmailq   183  0.0  0.2  884  440 con- I    10:28PM 0:00.00 qmail-clean
root     184  0.0  0.3  952  644  v0  Is+  10:28PM 0:00.00 getty
root     185  0.0  0.4 1268  948  v1  Is   10:28PM 0:00.03 login
root     186  0.0  0.3  952  644  v2  Is+  10:28PM 0:00.00 getty
root     187  0.0  0.3  952  644  v3  Is+  10:28PM 0:00.00 getty
root     188  0.0  0.3  952  644  v4  Is+  10:28PM 0:00.00 getty
root     189  0.0  0.3  952  644  v5  Is+  10:28PM 0:00.00 getty
root     190  0.0  0.3  952  644  v6  Is+  10:28PM 0:00.00 getty
root     191  0.0  0.3  952  644  v7  Is+  10:28PM 0:00.00 getty
asenchi  198  0.0  0.2  636  440  v1  I    10:28PM 0:00.01 sh
root     209  0.0  0.4 1484 1084  v1  S    10:29PM 0:00.08 csh
root       0  0.0  0.0    0    0  ??  DLs   5:28PM 0:00.00 swapper

#vi /var/db/dhclient.leases
lease {
  interface "xl0";
  fixed-address 12.245.246.22;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 3600;
  option routers 12.245.246.1;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option host-name "x1-6-00-04-76-c5-f4-a2";
  option domain-name "attbi.com";
  renew 2 2003/1/28 03:29:22;
  rebind 2 2003/1/28 03:58:51;
  expire 2 2003/1/28 04:06:21;
}
lease {
  interface "vr0";
  fixed-address 12.245.228.183;
  option subnet-mask 255.255.255.128;
  option dhcp-lease-time 345600;
  option routers 12.245.228.129;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option domain-name "attbi.com";
  renew 4 2003/1/30 01:09:35;
  rebind 5 2003/1/31 15:28:11;
  expire 6 2003/2/1 03:28:11;
}

#ifconfig -a
vr0: flags=8843 mtu 1500
        inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:40:33:5a:74:8a
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8802 mtu 1500
        options=3
        ether 00:04:76:c5:f4:a2
        media: Ethernet autoselect (none)
        status: no carrier
rl0: flags=8843 mtu 1500
        inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:50:bf:90:6d:98
        media: Ethernet autoselect (100baseTX)
        status: active
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
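The rc.firewall above derives onet, omask and oip from ifconfig(8) by field position, and the ifconfig output shows vr0 still at 0.0.0.0 while a lease for it exists in dhclient.leases. The script below is an added example, not code from the post or from FreeBSD: it parses the "inet" line by keyword (so the sixth field, the broadcast address on a line that carries one, is never mistaken for the network), converts the hex netmask to a prefix length, refuses to build address-based rules while the interface still reports 0.0.0.0, and prints the two ipfw rules a DHCP client on the outside interface needs. The sample ifconfig lines are constructed to match the post; rule numbers and the choice to place the DHCP rules below the natd divert are assumptions made here, and the rules are printed rather than installed so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or FreeBSD): keyword-based
# parsing of an ifconfig(8) "inet" line and guarded generation of ipfw
# rules for a DHCP-configured outside interface.  All sample lines are
# constructed for this example.

LEASED_LINE='        inet 12.245.228.183 netmask 0xffffff80 broadcast 255.255.255.255'
UNCONFIGURED_LINE='        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255'

# Print the token that follows KEY ("inet" or "netmask") on LINE.
# Positional extraction such as awk '{print $6}' returns the broadcast
# address, not the network, whenever the line carries a "broadcast" word.
inet_field() {  # inet_field "LINE" KEY
    printf '%s\n' "$1" | awk -v key="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Convert a hex netmask such as 0xffffff80 to its prefix length (25).
mask_to_prefix() {  # mask_to_prefix 0xHEX
    m=$(( $1 & 0xffffffff ))
    n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$(( n + 1 ))
    done
    printf '%s\n' "$n"
}

# Network address of IP under hex mask MASK, in CIDR form.
network_cidr() {  # network_cidr 12.245.228.183 0xffffff80 -> 12.245.228.128/25
    hexmask=$2
    m=$(( $hexmask & 0xffffffff ))
    oldifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$oldifs
    printf '%s.%s.%s.%s/%s\n' \
        "$(( $1 & (m >> 24) & 255 ))" "$(( $2 & (m >> 16) & 255 ))" \
        "$(( $3 & (m >> 8) & 255 ))"  "$(( $4 & m & 255 ))" \
        "$(mask_to_prefix "$hexmask")"
}

# True once dhclient has installed a lease; false while the interface
# still reports 0.0.0.0, when any rule built from this line is meaningless.
has_address() {  # has_address "LINE"
    [ "$(inet_field "$1" inet)" != "0.0.0.0" ]
}

# The two ipfw rules a DHCP client on OIF needs (request out, reply in).
# Numbered below the post's natd divert (0050) so the gateway's own DHCP
# exchange is not translated; that placement is a choice made here.
dhcp_client_rules() {  # dhcp_client_rules vr0
    printf 'add 00010 pass udp from any 68 to any 67 out via %s\n' "$1"
    printf 'add 00011 pass udp from any 67 to any 68 in via %s\n' "$1"
}

# Anti-spoofing rule for the outside network arriving on the inside
# interface (the post's rule 0504), emitted only once a lease is in place.
outside_rules() {  # outside_rules "LINE" IIF
    has_address "$1" || return 1
    onet=$(network_cidr "$(inet_field "$1" inet)" "$(inet_field "$1" netmask)")
    printf 'add 00504 deny all from %s to any in via %s\n' "$onet" "$2"
}

main() {
    dhcp_client_rules vr0
    outside_rules "$UNCONFIGURED_LINE" rl0 \
        || echo "# vr0 has no lease yet; outside-network rules deferred"
    outside_rules "$LEASED_LINE" rl0
}
main
```

On a live gateway each printed line would be handed to /sbin/ipfw, and the script would read the real `ifconfig vr0 | grep "inet "` line instead of the constructed samples; the point is that the address-dependent rules are regenerated after the lease arrives, not computed once from an unconfigured interface.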