Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 27 Jan 2003 22:55:09 -0500
From:      "Asenchi" <asenchi@asenchi.com>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Firewall + DHCP (STILL)
Message-ID:  <NHBBIMEIGLCBNPAEPGDPCEIPCJAA.asenchi@asenchi.com>
next in thread | raw e-mail | index | archive | help 
Hello,

I emailed and receive some help this past weekend.  Thank you all for
responding, however none of the suggestions were able to cure my problem.

Here is the issue:
I am setting up a firewall, IPFW + NATD that will act as a gateway.  I have
two NIC's that are configured.  The OIF will be connected to a cable modem
that assigns connections by DHCP.  I am not able to keep a connection with
my OIF concerning this.

It did work once.  However when I removed the 'all any to any' rule in
rc.firewall it dropped.  Never to connect again.

Some of the suggestions so far have been:
"commenting out the ifconfig_vr0='DHCP'" DONE
"This suggest that your dhclient can not bind to the port it needs. You may
want to check what is bound to that port. See 'lsof' and 'netstat'." DONE

I have tried both of these.  Here is a schematic of the ideal situation:

NET --> Cable Modem >> Firewall (IPFW + NAT, Gateway) > Internal NET.

Can someone please help me?  I really appreciate the help so far.

Thanks,

Curt Micol

PS: Below is a bunch of info on my setup, let me know if you want more. Oh
and I know that there is no ip assigned to vr0, this is bsd, not me. I have
tried to assign one and have also set 'ifconfig_vr0="DHCP"' in rc.conf.

#uname -a
FreeBSD world.attbi.com 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Jan 24
22:05:56 EST 2003     asenchi@world:/usr/obj/usr/src/sys/ASENCHI  i386

#vi /etc/rc.firewall
#FIREWALL RULES

fwcmd="/sbin/ipfw"

oif="vr0"
onet="`ifconfig vr0 | grep "inet " | awk '{print $6}'`"
omask="`ifconfig vr0 | grep "inet " | awk '{print $4}'`"
oip="`ifconfig vr0 | grep "inet " | awk '{print $2}'`"

iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

${fwcmd} -f flush

${fwcmd} add 0050 divert natd all from any to any via ${oif}

${fwcmd} add 0200 allow all from any to any
${fwcmd} add 0500 allow all from ${iip} to ${inet}:${imask}
${fwcmd} add 0501 allow all from ${inet}:${imask} to ${iip}
${fwcmd} add 0502 allow tcp from any to any established
${fwcmd} add 0503 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 0504 deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add 0505 pass all from any to any frag
${fwcmd} add 0506 pass tcp from any to ${oip} 53 setup
${fwcmd} add 0507 pass udp from any 53 to ${oip}
${fwcmd} add 0508 pass udp from ${oip} 53 to any
${fwcmd} add 0509 pass udp from ${oip} to any 53 keep-state
${fwcmd} add 0510 allow tcp from any to any 22 setup
${fwcmd} add 0511 allow tcp from any 22 to any setup
${fwcmd} add 0550 allow udp from any to any 68 out via ${oif}
${fwcmd} add 0551 allow udp from any 68 to any out via ${oif}
${fwcmd} add 0552 allow udp from any 67 to any in via ${oif}

#ps -acux
USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root      225  0.0  0.1   420  216  v1  R+   10:30PM   0:00.00 ps
root        1  0.0  0.1   552  316  ??  ILs   5:28PM   0:00.01 init
root        2  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 pagedaemon
root        3  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 vmdaemon
root        4  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 bufdaemon
root        5  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 vnlru
root        6  0.0  0.0     0    0  ??  DL    5:28PM   0:00.01 syncer
root       25  0.0  0.0   212   96  ??  Is    5:28PM   0:00.00 adjkerntz
root       66  0.0  0.3   944  728  ??  Is   10:28PM   0:00.00 dhclient
root      114  0.0  0.1   432  288  ??  Is   10:28PM   0:00.00 natd
root      137  0.0  0.3   972  656  ??  Ss   10:28PM   0:00.08 syslogd
root      145  0.0  0.3  1056  696  ??  Is   10:28PM   0:00.00 inetd
root      147  0.0  0.3  1024  764  ??  Is   10:28PM   0:00.00 cron
root      149  0.0  0.7  2324 1744  ??  Is   10:28PM   0:00.00 sshd
qmaild    173  0.0  0.2   896  392 con- I    10:28PM   0:00.00 tcpserver
root      174  0.0  0.2   896  392 con- I    10:28PM   0:00.00 tcpserver
qmails    175  0.0  0.2   940  500 con- I    10:28PM   0:00.03 qmail-send
qmaill    180  0.0  0.2   896  504 con- I    10:28PM   0:00.00 splogger
root      181  0.0  0.2   896  476 con- I    10:28PM   0:00.00 qmail-lspawn
qmailr    182  0.0  0.2   896  412 con- I    10:28PM   0:00.00 qmail-rspawn
qmailq    183  0.0  0.2   884  440 con- I    10:28PM   0:00.00 qmail-clean
root      184  0.0  0.3   952  644  v0  Is+  10:28PM   0:00.00 getty
root      185  0.0  0.4  1268  948  v1  Is   10:28PM   0:00.03 login
root      186  0.0  0.3   952  644  v2  Is+  10:28PM   0:00.00 getty
root      187  0.0  0.3   952  644  v3  Is+  10:28PM   0:00.00 getty
root      188  0.0  0.3   952  644  v4  Is+  10:28PM   0:00.00 getty
root      189  0.0  0.3   952  644  v5  Is+  10:28PM   0:00.00 getty
root      190  0.0  0.3   952  644  v6  Is+  10:28PM   0:00.00 getty
root      191  0.0  0.3   952  644  v7  Is+  10:28PM   0:00.00 getty
asenchi   198  0.0  0.2   636  440  v1  I    10:28PM   0:00.01 sh
root      209  0.0  0.4  1484 1084  v1  S    10:29PM   0:00.08 csh
root        0  0.0  0.0     0    0  ??  DLs   5:28PM   0:00.00 swapper

#vi /var/db/dhclient.leases
lease {
  interface "xl0";
  fixed-address 12.245.246.22;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 3600;
  option routers 12.245.246.1;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option host-name "x1-6-00-04-76-c5-f4-a2";
  option domain-name "attbi.com";
  renew 2 2003/1/28 03:29:22;
  rebind 2 2003/1/28 03:58:51;
  expire 2 2003/1/28 04:06:21;
}
lease {
  interface "vr0";
  fixed-address 12.245.228.183;
  option subnet-mask 255.255.255.128;
  option dhcp-lease-time 345600;
  option routers 12.245.228.129;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option domain-name "attbi.com";
  renew 4 2003/1/30 01:09:35;
  rebind 5 2003/1/31 15:28:11;
  expire 6 2003/2/1 03:28:11;
}

#ifconfig -a
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
	inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
	ether 00:40:33:5a:74:8a
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=3<rxcsum,txcsum>
	ether 00:04:76:c5:f4:a2
	media: Ethernet autoselect (none)
	status: no carrier
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:50:bf:90:6d:98
	media: Ethernet autoselect (100baseTX)
	status: active
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NHBBIMEIGLCBNPAEPGDPCEIPCJAA.asenchi>