Date:      Tue, 10 Apr 2001 11:42:49 -0400
From:      "Elliott Perrin" <eperrin@bigorbit.com>
To:        "Roger Svenning" <ros@switch.no>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: routed, natd & ipfirewall [config help needed]
Message-ID:  <016a01c0c1d4$e69b0340$8701a8c0@bottleneck2000>
References:  <E13BBFD5DA06D411ADC600508BC25BF714426B@switch01.switch.no>

Okay so the problem is not with routing to your office from the ISP. So we should take a
look at the ipfw ruleset and how you have enabled natd. Now if you are running the
firewall with allow all from any to any it should be passing packets no problem.

Check your existing routing tables by running netstat -rn and make sure all the routes you
need are there, and check how routed is running. I have found that even on a gateway running
routed -q is fine (it's how I run it on my three-interfaced firewall now).

Kill off your natd process (kill -9 `head -1 /var/run/natd.pid ` ) and restart it with

natd -n xl2 -u

Flush out the firewall completely using ipfw -f command and then add the following.

ipfw add divert natd all from any to any via xl2
ipfw add allow all from any to any

This will be wide open, but you'll quickly see if your firewall is passing packets.

If you'd like, send me your existing firewall rules and I'll have a look to see if there
is a problem there.

Cheers,
Elliott

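An added example, not part of Elliott's or Roger's mail, of what a ruleset for the three-interface layout in Roger's diagram could look like once the wide-open test above has shown that packets flow. It assumes natd is started as "natd -n xl2 -u" as Elliott describes and uses the interface names and addresses from the diagram; the rule numbers are mine, and without APPLY=1 the script only prints the rules it would load:

```sh
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for the layout Roger
# posted (xl2 = ISP side 217.8.129.69, xl1 = DMZ 217.8.130.32/27, xl0 = LAN
# 10.0.1.0/24). Assumes natd was started as "natd -n xl2 -u", so only
# RFC1918 sources are translated. Rule numbers are my own choice.
# Without APPLY=1 the script only prints the rules it would load.
EXT_IF=xl2; DMZ_IF=xl1; LAN_IF=xl0
EXT_IP=217.8.129.69
DMZ_NET=217.8.130.32/27
LAN_NET=10.0.1.0/24

IPFW=ipfw
[ "${APPLY:-0}" = 1 ] || IPFW="echo ipfw"

build_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    # NAT first: every packet crossing xl2 goes to natd. Because of -u, DMZ
    # and gateway addresses come back from natd unchanged.
    $IPFW add 200 divert natd ip from any to any via "$EXT_IF"
    # Anti-spoofing: LAN source addresses may only enter on the LAN side.
    $IPFW add 300 deny log ip from "$LAN_NET" to any in recv "$EXT_IF"
    $IPFW add 310 deny log ip from "$LAN_NET" to any in recv "$DMZ_IF"
    # The barrier Roger asked for: DMZ hosts may answer TCP sessions the LAN
    # opened (ACK set) but may not start anything towards the LAN. UDP and
    # ICMP from DMZ to LAN are dropped as well; add narrow rules if needed.
    $IPFW add 400 allow tcp from "$DMZ_NET" to "$LAN_NET" established
    $IPFW add 410 deny log ip from "$DMZ_NET" to "$LAN_NET"
    # The DMZ is public address space: everything else to or from it passes.
    $IPFW add 500 allow ip from "$DMZ_NET" to any
    $IPFW add 510 allow ip from any to "$DMZ_NET"
    # LAN may reach the DMZ and the Internet. On xl0 the source is still
    # 10.0.1.x; on xl2 natd has already rewritten it, hence the second rule.
    $IPFW add 600 allow ip from "$LAN_NET" to any
    $IPFW add 610 allow ip from any to any out xmit "$EXT_IF"
    # Replies to LAN sessions: a packet entering on xl2 only carries a
    # 10.0.1.x destination if natd found it in its table, so natd's table
    # is the state table here. Then deliver it onto the LAN.
    $IPFW add 700 allow ip from any to "$LAN_NET" in recv "$EXT_IF"
    $IPFW add 710 allow ip from any to "$LAN_NET" out xmit "$LAN_IF"
    # TCP sessions the gateway itself opened (UDP it needs gets its own rule).
    $IPFW add 800 allow tcp from any to "$EXT_IP" established
    # Everything else is logged and dropped. Replace this with Elliott's
    # "allow ip from any to any" only while testing whether packets flow.
    $IPFW add 65000 deny log ip from any to any
}

build_ruleset
```

Run it once without APPLY=1 and read the printed rules top to bottom; the order matters, since the deny at 410 must sit before the DMZ allow at 500.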
----- Original Message -----
From: "Roger Svenning" <ros@switch.no>
To: "'Elliott Perrin'" <eperrin@bigorbit.com>; "'freebsd-questions@freebsd.org'"
<freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, April 10, 2001 10:49 AM
Subject: SV: routed, natd & ipfirewall [config help needed]


> Hi
>
> I know that 217.8.130.32/27 is routed properly because it worked when I used
> it behind natd with redirect_address
> And the fact that I get "From c12969.catch.sdsl.no (217.8.129.69):
> Destination Host Unreachable" when trying to reach a live DMZ address tells
> us that the ISP is forwarding the request to our router.
>
> I'm no expert in setting up ipfw and I would need some advice on how to
> restrict access to the local network through the DMZ zone, else an intruder
> which gains access to one of the DMZ machines would easily go from there to
> our local network.
>
> Running routed, natd and ipfw is a bit confusing as I do not know in which
> order the different daemons are handling the packets.
>
> Just for testing purposes I have "allow ip from any to any" in ipfw which
> should enable packets to go from xl2 to xl1?
>
> -Roger
>
> > -----Original Message-----
> > From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> > Sent: 10 April 2001 16:55
> > To: Roger Svenning; 'freebsd-questions@freebsd.org'
> > Subject: Re: routed, natd & ipfirewall [config help needed]
> >
> >
> > You have to make sure that your ISP is routing your subnet to
> > your host (possible problem,
> > first place to look)
> >
> > If the ISP is not routing the 217.8.130.32/27 subnet that you
> > are assigned to your
> > 217.8.129.69 interface sitting on their network then the
> > problem is there. (I actually had
> > this problem with our last ISP, they kept removing the routes
> > from a router and had a
> > Junior Admin that didn't understand why they had to be there)
> >
> > If they are doing that already then you probably have a
> > problem with the rules in IPFW and
> > NATD
> >
> > Make sure that you run NATD with the -u option, which will
> > translate addresses only for
> > unregistered (RFC1918) addresses and that NATD is running on
> > the external interface (in
> > your layout the 217.8.129.69 interface)
> >
> > Check through your IPFW rules to make sure you are allowing
> > your DMZ out to the world,
> >
> > eg.
> >
> > allow all from {DMZ} to any
> >
> > (don't use that rule!!!!!, it is just an example)
> >
> > Aside from that I have a modified rc.firewall that I used
> > when I was still running IPFW on
> > a three interfaced machine with LAN, DMZ and link to our ISP.
> > Let me know if you want it.
> >
> >
> >
> > ----- Original Message -----
> > From: "Roger Svenning" <ros@switch.no>
> > To: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
> > Sent: Tuesday, April 10, 2001 10:15 AM
> > Subject: routed, natd & ipfirewall [config help needed]
> >
> >
> > > Hi
> > >
> > > I've been running a box with natd & ipfw for connecting our
> > local network to
> > > the internet and it works just fine.
> > >
> > > Now I want to set up a DMZ zone for servers that should be connected
> > > directly to the net without NAT
> > > I've added a third network card and enabled routed, but ..
> > taadaa .. it
> > > doesn't work quite as expected :-)
> > >
> > > The DMZ zone can be reached from the gateway itself and the internal
> > > network, but not from the internet.
> > > The routing from xl2 to xl0 through natd works just fine.
> > >
> > > Can anyone give me some advice on how to set this configuration up?
> > >
> > > Here's the network layout:
> > >
> > > 217.8.129.70 (ISP gateway)
> > > |
> > > -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > > |
> > > -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > > |
> > > -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> > >
> > > Roger O. Svenning
> > >
> > >
> >
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message