Mark Moellering wrote:

I have a problem which I think must be simple, I just can't figure out exactly what I need to do. I have a gateway / firewall (freebsd 6.1) with 3 nic cards. I just added the third card, rl1, which I have attached to a wireless access point. I can ping the access point from the firewall, but not from the rest of the internal (wired) network!!?? My wired network is 192.168.1 and the wireless access point is currently the default 192.168.0.229. rl1 is set to 192.168.0.210

Just one thing: have you checked the netmask on the hosts on your wired network?

Attached are netstat -r, my pf.conf and rc.conf from the firewall/gateway. Any and all help is appreciated.

comments on your ruleset:

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
int_if = "bge0"
ext_if = "rl0"
wint_if = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wint_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

You will probably like to replace "any" by !$priv_nets since only traffic to non private networks should exit on your external interface anyway.

# filter rules
block all

log what you block, so you can see what rule catches the missing traffic.

#pass in all

pass quick on lo0 all

block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

You want to be quick here - right?

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

#allow access to web server
#pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
   flags S/SA keep state

Syntax error - you have a "flags ... " line with no rule.

pass in inet proto icmp all icmp-type $icmp_types keep state

Ok, so you allow icmp from anywhere to anywhere on any interface?

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

In this and the following, the out rule only match traffic originating from the firewall since you have keep state on you in-rules.

pass in on $wint_if from $wint_if:network to any keep state
pass out on $wint_if from any to $wint_if:network keep state

pass in on $wint_if from $int_if:network to any keep state
pass in on $int_if from $wint_if:network to any keep state

These two rules will NEVER match - you can't have traffic with origin your wired network coming in on your wireless interface.

pass out on $wint_if from any to $int_if:network keep state
pass out on $int_if from any to $wint_if:network keep state

Same as above - you can't have traffic out on your wireless network interface when it's destined to a network block on the wired network.

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   user proxy keep state

Some general stuff:

- Allways add "log" to your block rules to see where things are caught.

- Allways use quick when you decide on an action opposite of default,
  in this case "pass", or you may have other rules messing up.

- Organize your ruleset as follows: per direction, per interface,
  per protocol, (per origin this is normally given by the interface),
  per destination. Doing so will make it easier to read and check that
  you have all combinations. This organization also makes the firewall
  faster.

- Avoid use of the "any/all" keyword in rules with the "quick" keyword.
  Rules using "any/all" should be placed last since these will catch any
  remaining packets. The only exception is the default action which
  doesn't have the "quick" keyword - I like to have it explicit at top.

However, I don't see any rules that should block traffic between your two networks.

Cheers, Erik
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to