On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:

> 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
> >
> > ipfw works fine too for these sorts of network policy separation :)
>
> So ipfilter is not recommended by you guyz?

No I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.

> > I'm not saying this odd netmask explains your problem, nor that I fully
> > understand the effect of non-contiguous netmasks, but it's worth fixing.
>
> My fault again, the mask is 255.255.255.224, I messed up the things the 27
> come from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's
> .224.

Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. it's easier to parse familiar machine output than textual descriptions.

> > On which machine/s is NAT translation taking place? Eg if 10.10/16 were
> > allowed access to the internet via here, where would they get NAT'd to
> > the external IP?
> >
> > Cheers, Ian
>
> The ipfilter was nating, but I'm not sure about the NAT rules inside the
> config file, I must recheck it monday, I just tested the redirection rules,
> do you think this can be the problem?

Dunno. I'd just run tcpdump in a different terminal for each interface and watch the traffic; what gets forwarded, or not, what gets translated by NAT, or not. As you said, pings are a useful start, as can be adding temporary firewall rules to log everything in and out per interface ..

I know next to nothing about routed(8) and RIP, nor why you might prefer it to static and cloned routing, but taking it out of the mix might help with debugging until your basic routing and filtering works right?

HTH, Ian
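
A check for the netmask mix-up discussed in this thread, as an added example that is not part of the original messages: it converts a dotted-quad mask to its prefix length and rejects non-contiguous masks. The function name `mask_to_prefix` and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a dotted-quad netmask and print its prefix length.
# Returns 0 and prints the prefix (e.g. 27) for a contiguous mask,
# returns 1 and prints nothing for a malformed or non-contiguous mask.
mask_to_prefix() {
    mask=$1
    # Only digits and dots, and no trailing dot.
    case $mask in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $mask            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1

    bits=0
    ones_ended=0            # becomes 1 after the first octet that is not 255
    for octet in "$@"; do
        # The only octets whose set bits are left-aligned.
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) return 1 ;;
        esac
        # After the run of ones has ended, every later octet must be 0.
        if [ "$ones_ended" -eq 1 ] && [ "$n" -ne 0 ]; then
            return 1
        fi
        [ "$n" -eq 8 ] || ones_ended=1
        bits=$((bits + n))
    done
    echo "$bits"
}

# Constructed sample masks: the /27 mask from the thread, a mask where the
# prefix length was typed as the last octet, and one with a hole in it.
for m in 255.255.255.224 255.255.255.27 255.0.255.0; do
    if p=$(mask_to_prefix "$m"); then
        echo "$m -> /$p"
    else
        echo "$m -> invalid or non-contiguous netmask"
    fi
done
```
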