simple ipfw question

2003-01-22 Thread Brian Davis
Greetings,

I am attempting to build a dual-homed firewall using FreeBSD 4.7
RELEASE.  The PC is presently connected to a corporate LAN with DHCP and
DNS servers and a broadband connection to the Internet.

The outside interface (rl0) is configured as follows:
IP address: a.b.148.62 (dynamically assigned)
Subnet: 255.255.248.0
Gateway: a.b.144.254
DNS: a.b.144.1

The inside interface (rl1) is configured as follows:
IP address: 192.168.1.1
Subnet: 255.255.255.0

My private network consists of one workstation which is set up as
follows:
IP address: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.168.1
DNS: a.b.144.1

When I use the open ruleset in /etc/rc.firewall, the workstation on my
private network can get through the firewall to the LAN and the
Internet.  When I switch to the simple ruleset, the firewall stops
forwarding packets.  From the console, I can ping the outside and inside
interfaces, but nothing else.  Everything looks normal in dmesg.
Additional info upon request!

Brian Davis


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: simple ipfw question

2003-01-22 Thread Bill Moran
Brian Davis wrote:

> Greetings,
>
> I am attempting to build a dual-homed firewall using FreeBSD 4.7
> RELEASE.  The PC is presently connected to a corporate LAN with DHCP and
> DNS servers and a broadband connection to the Internet.
>
> The outside interface (rl0) is configured as follows:
> IP address: a.b.148.62 (dynamically assigned)
> Subnet: 255.255.248.0
> Gateway: a.b.144.254
> DNS: a.b.144.1
>
> The inside interface (rl1) is configured as follows:
> IP address: 192.168.1.1
> Subnet: 255.255.255.0
>
> My private network consists of one workstation which is set up as
> follows:
> IP address: 192.168.1.2
> Subnet: 255.255.255.0
> Gateway: 192.168.168.1
> DNS: a.b.144.1
>
> When I use the open ruleset in /etc/rc.firewall, the workstation on my
> private network can get through the firewall to the LAN and the
> Internet.  When I switch to the simple ruleset, the firewall stops
> forwarding packets.  From the console, I can ping the outside and inside
> interfaces, but nothing else.  Everything looks normal in dmesg.
> Additional info upon request!

Did you tweak the /etc/rc.firewall script to insert your IP address ranges
into it? (look for the simple section of the script and tweak the iif,
iip, oif, oip, etc ... values)
If that doesn't help, try posting the output of 'ipfw show' to the list.
It'll make it a lot easier for folks to diagnose.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: simple ipfw question

2003-01-22 Thread Brian Davis
Hope this helps:

/etc/rc.firewall:

[simple section]
oif="rl0"
onet="a.b.144.0"
omask="255.255.248.0"
oip="a.b.148.62"
iif="rl1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

/etc/rc.conf:

gateway_enable="YES"
hostname="(hostname.domain)"
ifconfig_rl0="DHCP"
kern_securelevel="2"
kern_securelevel_enable="YES"
moused_enable="YES"
nfs_server_enable="NO"
saver="green"
sendmail_enable="NO"
sshd_enable="NO"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="rl0"
defaultrouter="a.b.144.254"
natd_flags="-dynamic"

Compiled kernel with these options:

options   IPDIVERT
options   IPFIREWALL
options   IPFIREWALL_VERBOSE
options   IPFIREWALL_VERBOSE_LIMIT=10

ipfw show:

00100    0     0 allow ip from any to any via lo0
00200    0     0 deny ip from any to 127.0.0.0/0
00300    0     0 deny ip from 127.0.0.0/8 to any
00400    0     0 deny ip from 192.168.1.0/24 to any in recv rl0
00500    0     0 deny ip from a.b.144.0/21 to any in recv rl1
00600    0     0 deny ip from any to 10.0.0.0/8 via rl0
00700    0     0 deny ip from any to 172.16.0.0/12 via rl0
00800    0     0 deny ip from any to 192.168.0.0/16 via rl0
00900    0     0 deny ip from any to 0.0.0.0/8 via rl0
01000    0     0 deny ip from any to 169.254.0.0/16 via rl0
01100    0     0 deny ip from any to 192.0.2.0/24 via rl0
01200    0     0 deny ip from any to 224.0.0.0/4 via rl0
01300    9   773 deny ip from any to 240.0.0.0/24 via rl0
01400   73  9535 divert 8668 ip from any to any via rl0
01500    0     0 deny ip from 10.0.0.0/8 to any via rl0
01600    0     0 deny ip from 172.16.0.0/12 to any via rl0
01700    0     0 deny ip from 192.168.0.0/16 to any via rl0
01800    0     0 deny ip from 0.0.0.0/8 to any via rl0
01900    0     0 deny ip from 169.254.0.0/16 to any via rl0
02000    0     0 deny ip from 192.0.2.0/24 to any via rl0
02100    0     0 deny ip from 224.0.0.0/4 to any via rl0
02200    0     0 deny ip from 240.0.0.0/4 to any via rl0
02300    0     0 allow tcp from any to any established
02400    0     0 allow ip from any to any frag
02500    0     0 allow tcp from any to a.b.148.62 25 setup
02600    0     0 allow tcp from any to a.b.148.62 53 setup
02700    0     0 allow udp from any to a.b.148.62 53
02800    0     0 allow udp from a.b.148.62 53 to any
02900    0     0 allow tcp from any to a.b.148.62 80 setup
03000    0     0 deny log logamount 10 tcp from any to any in recv rl0 setup
03100    0     0 allow tcp from any to any setup
03200   26  1912 allow udp from a.b.148.62 to any 53 keep-state
03300    0     0 allow udp from a.b.148.62 to any 123 keep-state
65535   58  9215 deny ip from any to any

The counts for rules 1300, 1400, 3200 and 65535 keep incrementing.  All
other rules are goose eggs.

BTW, I run 'ifconfig rl0' occasionally to make sure my dynamic IP address has
not changed.

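Added example, not part of the thread and not FreeBSD's own tooling: the check Brian does by eye above (watching which 'ipfw show' counters move) written as POSIX shell functions. ipfw_hits lists the rules in one snapshot that have matched anything; ipfw_deltas takes two snapshots of 'ipfw show' output in the layout pasted above (rule number, packet count, byte count, rule body) and lists the rules whose packet counters grew between them. The two snapshots embedded below are constructed sample data with made-up counter values, not the output from the post.

```shell
#!/bin/sh
# Added example (not from the thread): compare two "ipfw show" snapshots and
# report the rules whose packet counters grew in between.  The line layout is
# the one pasted in the post: rule number, packet count, byte count, rule body.
# Both snapshots below are constructed sample data, not the poster's real output.

SNAP_BEFORE='00100 0 0 allow ip from any to any via lo0
01300 9 773 deny ip from any to 240.0.0.0/4 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
03100 0 0 allow tcp from any to any setup
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
65535 58 9215 deny ip from any to any'

SNAP_AFTER='00100 0 0 allow ip from any to any via lo0
01300 9 773 deny ip from any to 240.0.0.0/4 via rl0
01400 80 10211 divert 8668 ip from any to any via rl0
03100 0 0 allow tcp from any to any setup
03200 29 2140 allow udp from a.b.148.62 to any 53 keep-state
65535 64 9870 deny ip from any to any'

# ipfw_hits SNAPSHOT
# Print "rule packets" for every rule that has matched at least one packet:
# the single-snapshot view of which rules are doing anything at all.
ipfw_hits() {
    printf '%s\n' "$1" | awk '$2 > 0 { printf "%s %s\n", $1, $2 }'
}

# ipfw_deltas BEFORE AFTER
# Print "rule +packets body" for every rule whose packet counter increased
# between the two snapshots.  A growing counter on 65535 (the default deny)
# means traffic reached the end of the list without matching any allow rule,
# so a missing rule, not a broken one, is what to look for.
ipfw_deltas() {
    before=$(mktemp) || return 1
    printf '%s\n' "$1" > "$before"
    printf '%s\n' "$2" | awk -v before="$before" '
        BEGIN {
            # Remember the earlier packet count of each rule, keyed by rule number.
            while ((getline line < before) > 0) {
                split(line, f, " ")
                pkts[f[1]] = f[2]
            }
            close(before)
        }
        NF >= 4 {
            # Rules absent from the earlier snapshot count from zero.
            delta = $2 - (pkts[$1] + 0)
            if (delta > 0) {
                body = $4
                for (i = 5; i <= NF; i++) body = body " " $i
                printf "%s +%d %s\n", $1, delta, body
            }
        }'
    rm -f "$before"
}

# Stand-alone run: show what moved between the two constructed snapshots.
echo "rules with non-zero counters:"
ipfw_hits "$SNAP_AFTER"
echo
echo "rules whose counters grew between snapshots:"
ipfw_deltas "$SNAP_BEFORE" "$SNAP_AFTER"
```

In use, replace the constructed strings with before=$(ipfw show), generate exactly the traffic that fails (one ping from the workstation, say), take after=$(ipfw show) and call ipfw_deltas. A counter that grows on a deny rule names the rule that dropped the packets; a counter that grows only on 65535 means nothing earlier in the list claimed them. The dynamic entries created by keep-state rules are not in the plain listing; 'ipfw -d show' includes them.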