IPFW, natd, redirect_address help needed

2002-11-05 Thread Terrac Skiens
Hi there,

 I have been trying to set up an embedded system from soekris, running a
small version of freebsd on its internal compact flash hard disk.

 The machine is built, I have remote access to it and I intend to use it
as a firewall + nat appliance. Directing traffic from machines internally
to external IP addresses.

 I have gotten everything running, however my test for the machines
behind the new firewall keep failing. I can ping the firewall itself, but
not anything past it. The pings just disappear. From the firewall I can
ping anything by either hostname or IP.

 What I have not figured out is why my machines behind the firewall cannot
ping out past the firewall, or get any other traffic out either.

my ipfw list is:
---
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 172.16.0.0/12 via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
00600 deny ip from any to 0.0.0.0/8 via sis0
00700 deny ip from any to 169.254.0.0/16 via sis0
00800 deny ip from any to 192.0.2.0/24 via sis0
00900 deny ip from any to 224.0.0.0/4 via sis0
01000 deny ip from any to 240.0.0.0/4 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01300 deny ip from 192.168.0.0/16 to any via sis0
01400 deny ip from 0.0.0.0/8 to any via sis0
01500 deny ip from 169.254.0.0/16 to any via sis0
01600 deny ip from 192.0.2.0/24 to any via sis0
01700 deny ip from 224.0.0.0/4 to any via sis0
01800 deny ip from 240.0.0.0/4 to any via sis0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
10000 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10300 allow udp from any to any 53 keep-state in recv sis0
10400 allow udp from any to any 123 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
10600 allow tcp from any to any 53 keep-state out xmit sis0
10700 allow tcp from any to any 53 keep-state in recv sis1
10800 allow tcp from any to any 25 keep-state out xmit sis0
10900 allow tcp from any to any 25 keep-state in recv sis1
11000 allow tcp from any to any 22 keep-state out xmit sis0
11100 allow tcp from any to any 22 keep-state in recv sis1
11200 allow udp from me to any 67 keep-state out xmit sis0
11300 allow icmp from any to any
65535 deny ip from any to any

and my netstat -rn is:
---
Routing table:
--
Destination        Gateway          Flags   Netif  Use
default            66.180.229.177   UGSc    sis0     2
10.1.1.0/24        link#2           UC      sis1     0
xxx.xxx.xxx.xxx    link#1           UC      sis0     0   - network
xxx.xxx.xxx.xxx    link#1           UHLW    sis0     0   - gateway
127.0.0.1          127.0.0.1        UH      lo0      0




To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
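Added example, not code from the thread: a small Python model of the ipfw rule walk, so the posted ruleset can be checked packet by packet without access to the box. It implements only the options those rules use (via/in/out/recv/xmit, established, setup, frag, keep-state, divert) and ipfw's rule that the dynamic table is consulted at the first keep-state rule; natd is not modelled, so a divert hit is recorded and the packet continues at the next rule unchanged. The LAN host 10.1.1.5, the external host 198.51.100.7 and the public address 203.0.113.1 are constructed, the rule listed as "1" is read as 10000 (ipfw lists rules in ascending order, so it cannot be 1), and rules of identical shape are elided. Tracing an echo request from 10.1.1.5 through both legs ends at 11300 each time, so the filter is not what eats the pings; whether forwarding is on (gateway_enable, i.e. net.inet.ip.forwarding) and whether natd is actually listening on divert port 8668 are the next things to check. The trace also shows two things about the ruleset itself: a LAN DNS query arrives on sis1, so rule 10300 (recv sis0) never matches it and it falls through to 65535, unlike the NTP, TCP-DNS, SMTP and SSH pairs, which say recv sis1; and the egress anti-spoof denies do not cover 10.0.0.0/8, so with natd down the LAN's own addresses would leave sis0 untranslated.

```python
"""Trace constructed packets through the ipfw(8) ruleset posted in the thread.
Added example, not the thread's code.  Covers only the syntax those rules use
(via/in/out/recv/xmit, established, setup, frag, keep-state, divert) and ipfw's
dynamic-table check at the first keep-state rule.  natd is not simulated."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Posted ruleset, "1 deny log ..." read as 10000.  Elided for brevity: the
# loopback denies 00200/00300, the anti-spoof denies 00500-01000/01300-01800
# (same shape as 00400/01200) and the tcp 53/25/22 pairs 10600-11100.
RULESET = """
00100 allow ip from any to any via lo0
00400 deny ip from any to 172.16.0.0/12 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
10000 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10300 allow udp from any to any 53 keep-state in recv sis0
10400 allow udp from any to any 123 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
11200 allow udp from me to any 67 keep-state out xmit sis0
11300 allow icmp from any to any
65535 deny ip from any to any
"""
# Assumed box addresses: LAN side per the routing table, TEST-NET-3 for the
# redacted public side.
ME = {"10.1.1.1", "203.0.113.1"}
@dataclass
class Packet:
    proto: str; src: str; dst: str; direction: str    # direction: "in"/"out"
    recv: Optional[str] = None; xmit: Optional[str] = None   # arrival / exit iface
    sport: int = 0; dport: int = 0
    syn: bool = False; ack: bool = False              # "established": ACK (RST not modelled)
    frag: bool = False                                # non-first IP fragment

def parse_rule(line):
    """Parse one `ipfw list` line into a dict (no posted rule uses a source port)."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dport": None}
    i = 3 if t[1] == "divert" else 2                  # skip the divert port
    if t[i] == "log": i += 3 if t[i + 1] == "logamount" else 1
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]   # PROTO from S to D
    i += 5
    if i < len(t) and t[i].isdigit(): r["dport"] = int(t[i]); i += 1
    while i < len(t):                                 # flag and interface options
        if t[i] in ("via", "recv", "xmit"): r[t[i]] = t[i + 1]; i += 2
        else: r[t[i]] = True; i += 1
    return r

def addr_match(spec, addr):
    if spec in ("any", "me"): return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_match(r, p):
    """Static match of rule r against packet p, following ipfw(8) semantics."""
    tcp = p.proto == "tcp"
    return (r["proto"] in ("ip", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and r["dport"] in (None, p.dport)
            and ("in" not in r or p.direction == "in")
            and ("out" not in r or p.direction == "out")
            and ("via" not in r or r["via"] in (p.recv, p.xmit))
            and ("recv" not in r or r["recv"] == p.recv)
            and ("xmit" not in r or r["xmit"] == p.xmit)
            and ("established" not in r or (tcp and p.ack))
            and ("setup" not in r or (tcp and p.syn and not p.ack))
            and ("frag" not in r or p.frag))

def trace(rules, dynamic, p):
    """Return (verdict, [rules hit]); keep-state hits record the flow in dynamic."""
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    hits, state_checked = [], False
    for r in rules:
        if "keep-state" in r and not state_checked:   # ipfw's implicit check-state
            state_checked = True
            for key in (fwd, rev):
                if key in dynamic: return dynamic[key], hits + ["dynamic"]
        if not rule_match(r, p): continue
        hits.append(r["num"])
        if r["action"] == "divert": continue          # natd would rewrite here
        if "keep-state" in r: dynamic[fwd] = r["action"]
        return r["action"], hits
    return "deny", hits                               # ipfw's default

def scenarios():
    """Both legs of forwarded traffic between constructed LAN/external hosts."""
    rules = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]
    dynamic, lan, ext, pub = {}, "10.1.1.5", "198.51.100.7", "203.0.113.1"
    cases = {
        "ping_in_sis1": Packet("icmp", lan, ext, "in", recv="sis1"),
        "ping_out_sis0": Packet("icmp", lan, ext, "out", recv="sis1", xmit="sis0"),
        "dns_in_sis1": Packet("udp", lan, ext, "in", recv="sis1", sport=40000, dport=53),
        "ntp_in_sis1": Packet("udp", lan, ext, "in", recv="sis1", sport=123, dport=123),
        "ntp_out_sis0": Packet("udp", lan, ext, "out", recv="sis1", xmit="sis0", sport=123, dport=123),
        "ssh_syn_in_sis0": Packet("tcp", ext, pub, "in", recv="sis0", sport=50000, dport=22, syn=True),
    }
    return {name: trace(rules, dynamic, p) for name, p in cases.items()}
```

Run `scenarios()` and print the dict to see each verdict with the rules it passed through. One thing the model deliberately leaves out: after rule 01100 natd rewrites the source address on the outbound leg, so state recorded by an `in recv sis1` rule is keyed on the private address and will not match at the `out xmit sis0` twin; that twin's own keep-state is what covers the translated flow and its replies on sis0.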



Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread David Cramblett
Do you have gateway_enable=YES in your firewall?

Can you get packets through both directions just fine with the firewall 
set to OPEN?

David



--
David Cramblett
Network and Information Services
Multnomah Education Service District
phn: 503-257-1535
fax: 503-257-1538






Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread Terrac Skiens
 since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though, however I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. That's right, isn't it?

 -terrac

On Tue, 5 Nov 2002, David Cramblett wrote:

 Do you have gateway_enable=YES in your firewall?

 Can you get packets through both directions just fine with the firewall
 set to OPEN?

 David






Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread David Cramblett
Well, you could simply do an ipfw flush and then use the ipfw command line to 
add back the rule for the loopback device and the natd divert line 
(looks like you're using natd?), then do a:

ipfw add pass all from any to any

and make sure that you can send and receive traffic in both directions 
without any deny firewall rules in place.

If you want to test with the current rules in place, you may want to add 
a line to log all connections, if you have the disk space for it and 
then tail -f your security log and see what packets are getting 
denied/accepted and why.

David



Terrac Skiens wrote:

since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though, however I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. Thats right isn't it?

-terrac


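Added example, not code from the thread, for the logging approach David describes: a small parser over ipfw log lines of the kind `tail -f /var/log/security` shows on a stock FreeBSD syslog.conf. Two caveats a practitioner needs first: ipfw only logs with net.inet.ip.fw.verbose=1 (kernel option IPFIREWALL_VERBOSE), and a rule carrying logamount N, like 10000 in the posted ruleset, stops logging after N hits until `ipfw resetlog` is run, so the parser also flags the kernel's "limit reached" message. The log lines are constructed in the format ipfw writes through syslog; rule 11400 stands for a hypothetical `deny log ip from any to any` inserted ahead of 65535 to make the silent default drops visible, and the hosts and addresses are constructed.

```python
"""Summarise ipfw(8) log lines such as those `tail -f /var/log/security` shows.
Added example, not the thread's code.  LOG is constructed in the format ipfw
writes through syslog: "ipfw: RULE ACTION PROTO SRC DST in|out via IFACE", with
ICMP type.code glued to the protocol and other protocols shown as "P:<number>".
Rule 11400 is a hypothetical `deny log ip from any to any` added before 65535."""
import re
from collections import Counter

LOG = """\
Nov  5 10:01:02 fw /kernel: ipfw: 10000 Deny TCP 198.51.100.7:50000 203.0.113.1:22 in via sis0
Nov  5 10:01:03 fw /kernel: ipfw: 10000 Deny TCP 198.51.100.7:50001 203.0.113.1:22 in via sis0
Nov  5 10:01:09 fw /kernel: ipfw: 11400 Deny UDP 10.1.1.5:40000 198.51.100.7:53 in via sis1
Nov  5 10:01:10 fw /kernel: ipfw: 11400 Deny UDP 10.1.1.5:40001 198.51.100.7:53 in via sis1
Nov  5 10:01:11 fw /kernel: ipfw: 11400 Deny P:2 10.1.1.7 224.0.0.22 in via sis1
Nov  5 10:01:12 fw sshd[311]: Accepted publickey for root from 10.1.1.5 port 40002 ssh2
Nov  5 10:01:30 fw /kernel: ipfw: limit 100 reached on entry 10000
"""

ENTRY = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+)(?: \d+)? (?P<proto>\S+) "
                   r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")
LIMIT = re.compile(r"ipfw: limit (\d+) reached on entry (\d+)")   # logamount exhausted

def parse(line):
    """One ipfw packet-log line -> dict; None for any other syslog line."""
    m = ENTRY.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    d["proto"], _, d["sub"] = d["proto"].partition(":")   # "ICMP:8.0" -> "8.0", "P:2" -> "2"
    for k in ("src", "dst"):                              # only TCP/UDP carry host:port
        host, _, port = d[k].rpartition(":") if d["proto"] in ("TCP", "UDP") else (d[k], "", "")
        d[k], d[k + "_port"] = host, (int(port) if port else None)
    return d

def denied(lines):
    """Counter of denied packets keyed by (rule, direction, iface, proto, dst_port)."""
    c = Counter()
    for r in filter(None, map(parse, lines)):
        if r["action"] == "Deny":
            c[(r["rule"], r["dir"], r["iface"], r["proto"], r["dst_port"])] += 1
    return c

def lan_denied(lines, lan_if="sis1"):
    """Denied packets that came in on the LAN side: the traffic inside hosts are losing."""
    return [r for r in filter(None, map(parse, lines))
            if r["action"] == "Deny" and r["dir"] == "in" and r["iface"] == lan_if]

def exhausted(lines):
    """Rules whose logamount quota is spent; they log nothing more until `ipfw resetlog`."""
    return {int(m.group(2)) for m in map(LIMIT.search, lines) if m}
```

Feed `sys.stdin` (or the output of `tail -f`) line by line to `parse` and keep a running `denied` counter; the `(rule, in, sis1, ...)` keys are the ones that explain a LAN host's missing traffic, and anything in `exhausted` is a rule you are no longer hearing from.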