On Wed, Sep 24, 2003 at 03:38:11PM +0800, Michael Lee(HINET) wrote:
> Hi all,
> I only have a NIC on my FreeBSD Box.
> Here is my configuration:
> ifconfig de0 aaa.bbb.ccc.ddd netmask ( My External Interface )
> ifconfig de0_alias0 netmask ( My Virtual Internal Interface )
Beware... de0_alias0 is not a network interface, it's just an alias.

> and this is the result shown for ifconfig -L
>         inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
>         inet netmask 0xffffff00 broadcast
>         ether 00:80:c8:f6:7b:c7
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> ( aaa.bbb.ccc.ddd is the static IP I got from the ISP )
> Everything seems OK to me that the NIC binds the virtual IP.
> The question is that while configuring ipf.rules and ipnat.rules
> ( Originally, I use tun0 as the external interface for ppp dialup.
> It is OK to set the ipf rules to block the incoming and outgoing packet
> through tun0. )
> But now I switched to static IP DSL and I failed to configure the de0 ( ext.
> if )
> while applying the following rules:
> block in quick on de0 from to any
> block out quick on de0 from to any
This will block all traffic from your de0 alias IP to anywhere else, and all
traffic from to either your real inet address or to your

> After applying the above rules, ipf seems to block the packet on de0_alias0.
> DHCPD cannot even send out packets to the local subnet ( )
> ( ipf blocks all traffic that should be blocked on the outside interface )

ipf is supposed to block that because you blocked all traffic from , which includes . The alias and the real
inet have the same interface name, that is 'de0'.
But can you tell me where that local subnet is attached if you only have
one NIC in your box?
> I can only add pass in quick all and pass out quick all now, or the traffic
> will be completely blocked.
> However, adding only pass in quick all and pass out quick all does not seem
> like a good idea for a firewall.
> Is there any way to solve the problem? Or did I configure ipf wrongly?

If you need more help, please tell me exactly what and where you want to
block/allow the traffic and what your network layout looks like.
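As an added illustration of the point made in the reply (not part of the thread, and the addresses are constructed assumptions: 203.0.113.10/24 stands in for the external address aaa.bbb.ccc.ddd and 192.168.1.1/24 for the alias), this ipf.rules fragment shows why an interface-scoped block on de0 also hits the alias, and how to scope the rules by address instead:

```conf
# Constructed addresses (assumptions, not taken from the thread):
#   external: 203.0.113.10/24 on de0
#   alias:    192.168.1.1/24  on de0   <- same interface name
#
# The original rules were meant as anti-spoofing on the "external"
# interface, but the alias also lives on de0, so they match legitimate
# LAN traffic as well (e.g. dhcpd replies from 192.168.1.1 to the LAN):
#   block in  quick on de0 from 192.168.1.0/24 to any
#   block out quick on de0 from 192.168.1.0/24 to any
#
# With one NIC the interface name cannot separate the two roles, so
# the rules must be scoped by address. "quick" makes the first match
# win, so the LAN passes come first.
pass in  quick on de0 from 192.168.1.0/24 to 192.168.1.1 keep state
pass out quick on de0 from 192.168.1.1 to 192.168.1.0/24 keep state
# DHCP: a client without a lease sends from 0.0.0.0 to the broadcast address
pass in  quick on de0 proto udp from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67
pass out quick on de0 proto udp from 192.168.1.1 port = 67 to any port = 68
# Anti-spoofing, now limited to packets addressed to the external IP
block in  quick on de0 from 192.168.1.0/24 to 203.0.113.10
block in  quick on de0 from 10.0.0.0/8     to 203.0.113.10
block in  quick on de0 from 172.16.0.0/12  to 203.0.113.10
# Everything else destined to the external address is handled by the
# usual per-service rules that follow.
```

Check the result with `ipfstat -nio` after loading: the LAN passes must appear above the blocks, or the alias traffic is dropped again.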
