Re: Question for ipf setting on single NIC box
Hi Tom,

Thanks for your reply. My connection for the single-NIC FreeBSD box (which previously worked fine), the Ethernet switch, the DSL modem and the internal network is as follows (I am sorry that I cannot draw it well):

  FreeBSD box, ipf and ipnat run here
    de0_alias0 = 192.168.1.0/24 (int.)
    de0 = aaa.bbb.ccc.ddd/24 (ext.)
    (* de0 = 12.168.1.0/24)
    (* tun0 = dynamically assigned)
          |
  Switch ----- DSL Modem ----- Telephone Line
    |
    |-- Windows 2000, IP = 192.168.1.10 (assigned by DHCPD)
    |-- other PC,     IP = 192.168.1.11 (assigned by DHCPD)

* Previously, I used ppp with ipnat and ipf for the dialup link to the ISP. It was OK to set filtering rules for tun0 in ipf.rules; ipf ran perfectly and filtered the unwanted packets then.

My previous ipf.rules:

block in on tun0 all
block in quick on tun0 from 0.0.0.0/7 to any
block in quick on tun0 from 2.0.0.0/8 to any
block in quick on tun0 from 5.0.0.0/8 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 23.0.0.0/8 to any
block in quick on tun0 from 27.0.0.0/8 to any
block in quick on tun0 from 31.0.0.0/8 to any
block in quick on tun0 from 70.0.0.0/7 to any
block in quick on tun0 from 72.0.0.0/5 to any
block in quick on tun0 from 83.0.0.0/8 to any
block in quick on tun0 from 84.0.0.0/6 to any
block in quick on tun0 from 88.0.0.0/5 to any
block in quick on tun0 from 96.0.0.0/3 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 128.0.0.0/16 to any
block in quick on tun0 from 128.66.0.0/16 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 191.255.0.0/16 to any
block in quick on tun0 from 192.0.0.0/19 to any
block in quick on tun0 from 192.0.48.0/20 to any
block in quick on tun0 from 192.0.64.0/18 to any
block in quick on tun0 from 192.0.128.0/17 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 197.0.0.0/8 to any
block in quick on tun0 from 201.0.0.0/8 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 219.0.0.0/8 to any
block in quick on tun0 from 220.0.0.0/6 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 192.168.1.0/24 to any
# Your pass rules come here...
pass in quick all

block out on tun0 all
block out quick on tun0 from !192.168.1.0/24 to any
block out quick on tun0 from 192.168.1.0/24 to 0.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 2.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 5.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 10.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 23.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 27.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 31.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 70.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 72.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 83.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 84.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 88.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 96.0.0.0/3
block out quick on tun0 from 192.168.1.0/24 to 127.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 128.0.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 128.66.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 169.254.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 172.16.0.0/12
block out quick on tun0 from 192.168.1.0/24 to 191.255.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 192.0.0.0/19
block out quick on tun0 from 192.168.1.0/24 to 192.0.48.0/20
block out quick on tun0 from 192.168.1.0/24 to 192.0.64.0/18
block out quick on tun0 from 192.168.1.0/24 to 192.0.128.0/17
block out quick on tun0 from 192.168.1.0/24 to 192.168.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 197.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 201.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 204.152.64.0/23
block out quick on tun0 from 192.168.1.0/24 to 219.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 220.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 224.0.0.0/3
# Your pass rules come here...
pass out quick all

Of course, I substituted de0 (my new outside interface) for tun0, but ipf seems to block every packet, no matter whether it is destined for de0_alias0 (my internal interface) or for the external interface (de0).

Thank you again!
Michael

----- Original Message -----
From: "Thomas Spreng" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 4:03 PM
Subject: Re: Question for ipf setting on single NIC box

> Hello,
>
> On We
Re: Question for ipf setting on single NIC box
Hello,

On Wed, Sep 24, 2003 at 03:38:11PM +0800, Michael Lee(HINET) wrote:
> Hi all,
>
> I only have a NIC on my FreeBSD Box.
>
> Here is my configuration:
> ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
> ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual
> Internal Interface )

Beware... de0_alias0 is not a network interface, it's just an alias.

> and this is the result shown for ifconfig -L
>
> de0: flags=8843 mtu 1500
>         inet aaa.bbb.ccc.ddd netmask 0xff00 broadcast aaa.bbb.ccc.255
>         inet 192.168.1.254 netmask 0xff00 broadcast 192.168.1.255
>         ether 00:80:c8:f6:7b:c7
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> ( aaa.bbb.ccc.ddd is the static IP I got from the ISP )
>
> Everything seems OK to me that the NIC binds the virtual IP.
>
> The question is that while configuring ipf.rules and ipnat.rules
> ( Originally, I use tun0 as the external interface for ppp dialup.
> It is OK to set the ipf rules to block the incoming and outgoing packet
> through tun0. )
> But now I switched to static IP DSL and I failed to configure the de0 ( ext.
> if )
> while applying the following rules:
>
> block in quick on de0 from 192.168.0.0/16 to any
> block out quick on de0 from 192.168.0.0/16 to any

This will block all traffic from your de0 alias IP to anywhere else, and all traffic from 192.168.0.0/16 to either your real inet address or your alias.

> After applying the above rules, ipf seems to block the packet on de0_alias0.
> DHCPD cannot even send out packet to the local subnet ( 192.168.1.0/24 )
> ( ipf block all traffic that should be block in the outside interface )

ipf is supposed to block that, because you blocked all traffic from 192.168.0.0/16, which includes 192.168.1.0/24. The alias and the real inet address have the same interface name, that is 'de0'. But can you tell me where that local subnet is attached if you only have one NIC in your box?

> I can only add pass in quick all and pass out quick all now or the traffic
> will be completely blocked .
> However, to add only pass in quick all and pass out quick all seems not a
> good idea for the firewall.
>
> Is there anyway to solve the problem ? Or if I wrongly configure ipf ?

If you need more help, please tell me exactly what traffic you want to block/allow and where, and what your network layout looks like.

cheers,
tom

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
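To make Tom's point concrete, here is an added example that is not from either poster: a small Python model of ipf's rule evaluation (last match wins, a matching "quick" rule ends evaluation), run over the de0 rules from Michael's message and over an assumed alternative that scopes the inbound anti-spoof rule by destination address rather than by interface name. The alternative rule set, the packet addresses and the stand-in external address 203.0.113.10 (for aaa.bbb.ccc.ddd) are constructed for illustration, and the evaluator ignores protocol, port and flag matching.

```python
# Added example, not from the thread: a toy evaluator for Michael's ipf rule lines.
# Models ipf's last-match-wins semantics (a matching 'quick' rule ends evaluation).
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface src dst")
Rule = namedtuple("Rule", "action direction quick iface src dst")

def parse_rule(line):
    # 'block in quick on de0 from 192.168.0.0/16 to any' or 'pass in quick all'
    t = line.split()
    if "all" in t:
        return Rule(t[0], t[1], "quick" in t, None, "any", "any")
    return Rule(t[0], t[1], "quick" in t, t[t.index("on") + 1],
                t[t.index("from") + 1], t[t.index("to") + 1])

def addr_match(spec, addr):
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")  # '!' negates

def evaluate(rules, pkt):
    verdict = "pass"  # ipf passes a packet that no rule matches
    for r in rules:
        if r.direction != pkt.direction or (r.iface and r.iface != pkt.iface):
            continue
        if addr_match(r.src, pkt.src) and addr_match(r.dst, pkt.dst):
            verdict = r.action
            if r.quick:
                break
    return verdict

def load(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

# Michael's de0 rules as posted.
POSTED = load("""block in quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 192.168.0.0/16 to any
pass in quick all
pass out quick all""")
# Assumed alternative: the alias shares the name de0, so scope the inbound
# anti-spoof rule by destination. 203.0.113.10 stands in for aaa.bbb.ccc.ddd.
SCOPED = load("""block in quick on de0 from 192.168.0.0/16 to 203.0.113.10
pass in quick all
pass out quick all""")
# Constructed packets: LAN host to the alias, the alias replying, spoofed private source.
LAN_IN = Packet("in", "de0", "192.168.1.10", "192.168.1.254")
LAN_OUT = Packet("out", "de0", "192.168.1.254", "192.168.1.10")
SPOOFED = Packet("in", "de0", "192.168.5.5", "203.0.113.10")
```

With the posted rules all three packets are blocked, including the LAN exchange with the alias; with the scoped rule the LAN exchange passes while the spoofed packet addressed to the external address is still blocked.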
Question for ipf setting on single NIC box
Hi all,

I only have a NIC on my FreeBSD box.

Here is my configuration:
ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual Internal Interface )

and this is the result shown by ifconfig -L:

de0: flags=8843 mtu 1500
        inet aaa.bbb.ccc.ddd netmask 0xff00 broadcast aaa.bbb.ccc.255
        inet 192.168.1.254 netmask 0xff00 broadcast 192.168.1.255
        ether 00:80:c8:f6:7b:c7
        media: Ethernet autoselect (100baseTX )
        status: active

( aaa.bbb.ccc.ddd is the static IP I got from the ISP )

Everything seems OK to me: the NIC binds the virtual IP.

The question is about configuring ipf.rules and ipnat.rules. (Originally, I used tun0 as the external interface for ppp dialup. It was OK to set the ipf rules to block the incoming and outgoing packets through tun0.) But now I have switched to static-IP DSL, and I failed to configure de0 (ext. if) when applying the following rules:

block in quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 192.168.0.0/16 to any

After applying the above rules, ipf seems to block the packets on de0_alias0. DHCPD cannot even send out packets to the local subnet (192.168.1.0/24). (ipf blocks all traffic that should be blocked on the outside interface.)

I can only add pass in quick all and pass out quick all now, or the traffic will be completely blocked. However, adding only pass in quick all and pass out quick all seems not a good idea for the firewall.

Is there any way to solve the problem? Or did I configure ipf wrongly?

Thank you!
Michael Lee