Date: Tue, 3 Oct 2006 16:38:04 +1000
From: Norberto Meijome <freebsd@meijome.net>
To: Matt Herzog <msh@blisses.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfilter nat w/IPFILTER_DEFAULT_BLOCK kernel
Message-ID: <20061003163804.1dbce904@localhost>
In-Reply-To: <20061001003028.GK13429@mail.blisses.org>
References: <20061001003028.GK13429@mail.blisses.org>
On Sat, 30 Sep 2006 20:30:28 -0400 Matt Herzog <msh@blisses.org> wrote:

> As the Subject states, I'm trying to get a FreeBSD 6.1 on sparc64 to be a
> firewall/gateway/nat machine using an IPFILTER_DEFAULT_BLOCK kernel.
> (hme0 is the external NIC. hme1 is the internal NIC.)
>
> If I remove the line:
>
> pass in quick on hme0 all
>
> none of the machines inside the NAT can reach the Internet although I can
> still ssh into the firewall/gateway machine from inside the NAT.
> i.e. NAT breaks without "pass in quick on hme0 all"

I haven't read all your config... but I think the problem you are having is that you are either blocking ALL traffic to hme0 (by removing the 'allow all'), or allowing all (including external traffic!) with 'pass in quick on hme0 all'. You need to be more specific about what you allow in and out.

Read the following and you'll get a better understanding of how it works.

Howto: http://www.obfuscation.org/ipf/ipf-howto.pdf
       http://www.nwo.net/ipf/ipf-howto.html (html format of the pdf)

> "pass in quick on hme0 all" pretty obviously defeats the purpose of the
> IPFILTER_DEFAULT_BLOCK kernel so I'm trying to figure out a rule set that
> will work with NAT.

Well, yes, you are not supposed to open your firewall completely - just enough to allow you to do whatever you want :)

Good luck,
B

_________________________
{Beto|Norberto|Numard} Meijome

Sysadmins can't be sued for malpractice, but surgeons don't have to deal with patients who install new versions of their own innards.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
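One way to write the "more specific" rule set the reply points at, as an added example and not a config from either poster: it keeps Matt's interface layout (hme0 external, hme1 internal) and assumes an internal subnet of 192.168.1.0/24, which the thread never states. The point it demonstrates is that `keep state` on the outbound hme0 rules is what lets NATed reply traffic back in, so the blanket `pass in quick on hme0 all` is not needed.

```conf
# /etc/ipf.rules  (example; "quick" on every rule makes this first-match)
# hme0 = external, hme1 = internal; 192.168.1.0/24 is an assumed internal net.

# Anti-spoofing: packets claiming an internal source must never arrive on hme0.
block in log quick on hme0 from 192.168.1.0/24 to any

# Outbound on the external side: each new flow creates a state entry, and
# ipf checks the state table before the rules, so replies are accepted
# without any "pass in" rule on hme0.
pass out quick on hme0 proto tcp  from any to any flags S keep state
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Only what is deliberately exposed gets in from outside; here just ssh.
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state

# Everything else on the external interface is dropped and logged.
block in  log quick on hme0 all
block out log quick on hme0 all

# Internal side is trusted in this example (ssh to the gateway from the
# inside keeps working through hme1, as in Matt's setup).
pass in  quick on hme1 all
pass out quick on hme1 all

# /etc/ipnat.rules  (example)
# NAT runs before the inbound filter and after the outbound filter on hme0,
# so the rules above see internal addresses on the way out.
map hme0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map hme0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules` (or `ipfilter_enable`/`ipnat_enable` plus `gateway_enable` in rc.conf); `ipfstat -s` and `ipnat -l` show the state and NAT tables to confirm replies are matching state rather than a pass rule.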