Re: ipfw/natd questions

2003-01-16 Thread John

> - i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on
> machine 1 - to machine 2's nic.
> i've edited machine 2's /etc/rc.conf so that it points to the internal
> nic - xl1 on machine 1 as its default gateway:

Ethernet cable?  Or crossover cable?
If it's straight cable, you need another hub and cable.. or a crossover
cable instead.

> 
> defaultrouter="10.20.155.1"
> hostname="machine2.hostname.com"
> ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"
> 

On another note, if I read that correctly.. you connected a nic that is
configured with IP of 129.x.x.x to a nic with an IP of 10.x.x.x.
You would more than likely want the nic on machine2 to be on the 10.x.x.x
subnet for this configuration.

Afterwards, you should at least be able to ping your internal interface on
machine1 from machine2 (It looks like you're allowing it in your IPFW
rules...).

Once you can ping.. (or begin to see traffic on the internal interface in
the logs for IPFW), you can start troubleshooting the IPFW rules, if
necessary.

HTH,
John




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
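A quick way to catch the mismatch John describes (a default gateway that is not on the interface's own subnet) before touching any ipfw rules. This is an added example, not code from the thread or from FreeBSD: it pulls defaultrouter and ifconfig_<if> out of rc.conf-style text with sed, assumes dotted-quad netmasks as in the posted files, and uses the constructed documentation address 198.51.100.20 in place of the masked 129.x.x.20.

```shell
#!/bin/sh
# Added example, not from the thread: check that a host's default gateway lies
# inside the subnet configured on its interface, the mismatch John points out
# (machine 2 sits on a 129.x.x.0/24 address but its defaultrouter is 10.20.155.1).
# Assumes rc.conf uses dotted-quad netmasks, as the posted files do.

# ip_to_int DOTTED_QUAD -> 32-bit integer on stdout
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# same_subnet ADDR1 ADDR2 NETMASK -> exit 0 if both addresses share a network
same_subnet() {
    i1=$(ip_to_int "$1"); i2=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( i1 & m )) -eq $(( i2 & m )) ]
}

# rc_value RCCONF_TEXT KEY -> value of the last KEY="..." line, quotes stripped
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# gateway_check RCCONF_TEXT IFNAME -> "reachable" or "unreachable"
gateway_check() {
    gw=$(rc_value "$1" defaultrouter)
    ifcfg=$(rc_value "$1" "ifconfig_$2")   # e.g. inet 10.20.155.2 netmask 255.255.255.0
    set -- $ifcfg                           # word-split into: inet ADDR netmask MASK
    if same_subnet "$2" "$gw" "$4"; then
        echo reachable
    else
        echo unreachable
    fi
}

# Constructed rc.conf fragments. 198.51.100.20 is a documentation address
# standing in for the thread's masked 129.x.x.20; it is not a real host.
MACHINE2_AS_POSTED='defaultrouter="10.20.155.1"
hostname="machine2.hostname.com"
ifconfig_xl0="inet 198.51.100.20 netmask 255.255.255.0"'

MACHINE2_ON_LAN='defaultrouter="10.20.155.1"
hostname="machine2.hostname.com"
ifconfig_xl0="inet 10.20.155.2 netmask 255.255.255.0"'

printf 'as posted:               gateway %s\n' "$(gateway_check "$MACHINE2_AS_POSTED" xl0)"
printf 'on the 10.20.155.0/24 LAN: gateway %s\n' "$(gateway_check "$MACHINE2_ON_LAN" xl0)"
```

Run it with sh; the as-posted fragment reports the gateway as unreachable, the re-addressed one as reachable. Only once this passes is a failed ping worth blaming on the IPFW rules.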



[r-militante@northwestern.edu: Re: ipfw/natd questions]

2003-01-16 Thread Redmond Militante
- Forwarded message from Redmond Militante <[EMAIL PROTECTED]> -

Date: Thu, 16 Jan 2003 07:20:30 -0600
From: Redmond Militante <[EMAIL PROTECTED]>
To: Axel Gruner <[EMAIL PROTECTED]>
Subject: Re: ipfw/natd questions
Reply-To: Redmond Militante <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4i
X-Sender: [EMAIL PROTECTED]
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-Tofu: The other white meat substitute.

hello! thanks for responding. my isp has two nameservers.  they are listed by ip in 
the resolv.conf files on both machines.

am i missing a divert rule in my rc.ipfw?

> On Wed, 15 Jan 2003 19:08:08 -0600
> Redmond Militante <[EMAIL PROTECTED]> wrote:
> [...]
> > at the moment, it's not working.
> > on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup
> > failure'. i can't ping xl0 - external nic on machine 1 - ping
> > 129.x.x.35 gives me a 'host is down' message. machine 2 can ping its
> > own static ip successfully - ping 129.x.x.20 works. machine 2 can ping
> > its own hostname successfully - ping machine2.hostname.com works.
> > sorry if this is long, i've been messing with this all day and i think
> > i'm doing it right. can you guys tell if i'm missing something
> > obvious?
> 
> What about your /etc/resolv.conf? On both machines?
> Did you insert the nameserver of your ISP?
> 
> 



- End forwarded message -



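On the question of whether a divert rule is missing: the posted rc.ipfw does contain one (`add divert natd all from any to any via ${natd_interface}`), and the comment above it explains that it is placed deliberately between the two RFC1918 blocks so that translated packets do not hit the wrong deny rule. The following is an added example, not code from the thread or from FreeBSD, that audits `ipfw list`-style output for exactly those conditions: a divert rule present, bound to the outside interface, after the inbound private-destination denies and before the outbound private-source denies. The three rulesets are constructed, with natd on its default port 8668 and xl0 as the outside interface.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ipfw ruleset for the natd divert
# rule and its placement relative to the RFC1918 guard rules, as the posted
# rc.ipfw comment describes. Input is text in the layout `ipfw list` prints
# (constructed below); OUTSIDE_IF is the interface natd runs on.

# audit_natd_placement RULES OUTSIDE_IF -> one-line verdict on stdout
audit_natd_placement() {
    printf '%s\n' "$1" | awk -v oif="$2" '
        # ipfw list layout: NUM ACTION [PORT] ip from SRC to DST [in|out] via IF
        function is_private(a) {
            return a ~ /^(10\.0\.0\.0\/8|172\.16\.0\.0\/12|192\.168\.0\.0\/16)$/
        }
        # first divert rule and the interface it is bound to
        $2 == "divert" && divert == 0 { divert = $1 + 0; divert_if = $NF }
        # inbound guard: deny ... from any to <RFC1918> via OUTSIDE_IF (keep the last one)
        $2 == "deny" && $5 == "any" && is_private($7) && $NF == oif {
            if ($1 + 0 > last_to) last_to = $1 + 0
        }
        # outbound guard: deny ... from <RFC1918> to any via OUTSIDE_IF (keep the first one)
        $2 == "deny" && is_private($5) && $7 == "any" && $NF == oif {
            if (first_from == 0 || $1 + 0 < first_from) first_from = $1 + 0
        }
        END {
            if (divert == 0)                            print "missing divert"
            else if (divert_if != oif)                  print "divert on wrong interface"
            else if (last_to && divert < last_to)       print "divert before inbound rfc1918 denies"
            else if (first_from && divert > first_from) print "divert after outbound rfc1918 denies"
            else                                        print "ok"
        }'
}

# Constructed `ipfw list` output for three situations (natd on 8668, xl0 outside).
RULES_OK='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.20.155.0/24 to any in via xl0
00400 deny ip from any to 10.0.0.0/8 via xl0
00500 deny ip from any to 192.168.0.0/16 via xl0
00600 divert 8668 ip from any to any via xl0
00700 deny ip from 10.0.0.0/8 to any via xl0
00800 deny ip from 192.168.0.0/16 to any via xl0
65535 deny ip from any to any'

RULES_EARLY_DIVERT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via xl0
00400 deny ip from any to 10.0.0.0/8 via xl0
00500 deny ip from 10.0.0.0/8 to any via xl0
65535 deny ip from any to any'

RULES_NO_DIVERT='00100 allow ip from any to any via lo0
00400 deny ip from any to 10.0.0.0/8 via xl0
00700 deny ip from 10.0.0.0/8 to any via xl0
65535 deny ip from any to any'

printf 'RULES_OK:           %s\n' "$(audit_natd_placement "$RULES_OK" xl0)"
printf 'RULES_EARLY_DIVERT: %s\n' "$(audit_natd_placement "$RULES_EARLY_DIVERT" xl0)"
printf 'RULES_NO_DIVERT:    %s\n' "$(audit_natd_placement "$RULES_NO_DIVERT" xl0)"
```

On a live box the same function can be fed `ipfw list` output directly; a "divert on wrong interface" verdict is what you would see if natd_interface in rc.conf named the inside nic instead of xl0.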


Re: ipfw/natd questions

2003-01-16 Thread Axel Gruner
On Wed, 15 Jan 2003 19:08:08 -0600
Redmond Militante <[EMAIL PROTECTED]> wrote:
[...]
> at the moment, it's not working.
> on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup
> failure'. i can't ping xl0 - external nic on machine 1 - ping
> 129.x.x.35 gives me a 'host is down' message. machine 2 can ping its
> own static ip successfully - ping 129.x.x.20 works. machine 2 can ping
> its own hostname successfully - ping machine2.hostname.com works.
> sorry if this is long, i've been messing with this all day and i think
> i'm doing it right. can you guys tell if i'm missing something
> obvious?

What about your /etc/resolv.conf? On both machines?
Did you insert the nameserver of your ISP?





ipfw/natd questions

2003-01-15 Thread Redmond Militante

now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines - 
machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci 
3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical 
except it has only one nic - the intel 1000 pro integrated. machine 2 also has a 
static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering 
firewall/natd box. i'd like to hook up machine 2 to the internal network interface 
card of machine 1 and be able to filter/log/divert packets bound for machine 2 through 
ipfw/natd on machine 1.

i've been basically following the instructions at 
http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'

- on machine 1, ifconfig returns

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 129.x.x.35 netmask 0xffffff00 broadcast 129.x.x.255
        inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
        ether 00:10:5a:c6:8b:cb
        media: Ethernet autoselect (100baseTX  )
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.20.155.1 netmask 0xffffff00 broadcast 10.20.155.255
        inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
        ether 00:06:5b:80:98:5b
        media: Ethernet autoselect (none)
        status: no carrier

i'd like xl0 to be my external nic, and xl1 to be my internal nic

- on machine 1, my /etc/rc.conf reads

ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
gateway_enable="YES"
#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO" #change to yes once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN

- machine's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim, 
the only part of it i changed was

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"
# Outside interface network and netmask and ip
oif="xl0"
onet="129.x.x.1"
omask="255.255.255.0"
oip="129.x.x.35"

# Inside interface network and netmask and ip
iif="xl1"
inet="10.20.155.0"
imask="255.255.255.0"
iip="10.20.155.1"

# My ISP's DNS servers
dns1="129.x.x.1"
dns2="165.x.x.21"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169