Re: ipfw/natd questions

2003-01-16 Thread Axel Gruner
On Wed, 15 Jan 2003 19:08:08 -0600
Redmond Militante [EMAIL PROTECTED] wrote:
[...]
> at the moment, it's not working.
> on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup
> failure'. i can't ping xl0 - external nic on machine 1 - ping
> 129.x.x.35 gives me a 'host is down' message. machine 2 can ping its
> own static ip successfully - ping 129.x.x.20 works. machine 2 can ping
> its own hostname successfully - ping machine2.hostname.com works.
> sorry if this is long, i've been messing with this all day and i think
> i'm doing it right. can you guys tell if i'm missing something
> obvious?

What about your /etc/resolv.conf? On both machines?
Did you insert the nameserver of your ISP?


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: ipfw/natd questions

2003-01-16 Thread John

> - i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on
> machine 1 - to machine 2's nic.
> i've edited machine 2's /etc/rc.conf so that it points to the internal
> nic - xl1 on machine 1 as its default gateway:

Ethernet cable?  Or crossover cable?
If it's a straight cable, you need another hub and cable.. or a crossover
cable instead.

> <snip>
> defaultrouter="10.20.155.1"
> hostname="machine2.hostname.com"
> ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"
> <snip>

On another note, if I read that correctly.. you connected a nic that is
configured with IP of 129.x.x.x to a nic with an IP of 10.x.x.x.
You would more than likely want the nic on machine2 to be on the 10.x.x.x
subnet for this configuration.

Afterwards, you should at least be able to ping your internal interface on
machine1 from machine2 (It looks like you're allowing it in your IPFW
rules...).

Once you can ping.. (or begin to see traffic on the internal interface in
the logs for IPFW), you can start troubleshooting the IPFW rules, if
necessary.

HTH,
John
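John's point is that machine 2's address (129.x.x.20/24) and its configured default router (10.20.155.1) are not on the same subnet, so the gateway is never directly reachable. The following is an added example, not from the thread: a small checker that parses rc.conf-style lines as posted and reports whether defaultrouter falls inside any configured interface's network. The masked "x" octets are replaced by 0 as a placeholder, and a missing netmask is assumed to be /24.

```python
import ipaddress
import re
import shlex

# Constructed from the /etc/rc.conf fragment machine 2 posted; the masked
# "x" octets of the 129.x.x.20 address are replaced by 0 as a placeholder.
MACHINE2_RC_CONF = """
defaultrouter="10.20.155.1"
hostname="machine2.hostname.com"
ifconfig_xl0="inet 129.0.0.20 netmask 255.255.255.0"
"""

def parse_rc_conf(text):
    """Parse rc.conf-style VAR=value lines into a dict, dropping quotes and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)
        if m:
            conf[m.group(1)] = " ".join(shlex.split(m.group(2)))
    return conf

def interface_networks(conf):
    """Map each ifconfig_<if> entry to the IPv4 network it puts the interface on."""
    nets = {}
    for key, value in conf.items():
        words = value.split()
        if not key.startswith("ifconfig_") or "inet" not in words:
            continue
        addr = words[words.index("inet") + 1]
        # A missing netmask is assumed to be /24 here (the poster always gives one).
        mask = words[words.index("netmask") + 1] if "netmask" in words else "255.255.255.0"
        if mask.lower().startswith("0x"):  # ifconfig's hex form, e.g. 0xffffff00
            mask = str(ipaddress.ip_address(int(mask, 16)))
        nets[key[len("ifconfig_"):]] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets

def gateway_interface(conf):
    """Return the interface whose subnet contains defaultrouter, or None when
    the gateway is not on-link from any interface (John's diagnosis)."""
    gw = ipaddress.ip_address(conf["defaultrouter"])
    for ifname, net in interface_networks(conf).items():
        if gw in net:
            return ifname
    return None

if __name__ == "__main__":
    conf = parse_rc_conf(MACHINE2_RC_CONF)
    print(interface_networks(conf), "->", gateway_interface(conf))  # {'xl0': 129.0.0.0/24} -> None
    conf["ifconfig_xl0"] = "inet 10.20.155.2 netmask 255.255.255.0"  # move onto the 10.x subnet
    print(gateway_interface(conf))  # xl0
```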







ipfw/natd questions

2003-01-15 Thread Redmond Militante

now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines - 
machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci 
3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical 
except it has only one nic - the intel 1000 pro integrated. machine 2 also has a 
static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering 
firewall/natd box. i'd like to hook up machine 2 to the internal network interface 
card of machine 1 and be able to filter/log/divert packets bound for machine 2 through 
ipfw/natd on machine 1.

i've been basically following the instructions at 
http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'

- on machine 1, ifconfig returns

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 129.x.x.35 netmask 0xff00 broadcast 129.x.x.255
inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1 
ether 00:10:5a:c6:8b:cb
media: Ethernet autoselect (100baseTX full-duplex )
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 10.20.155.1 netmask 0xff00 broadcast 10.20.155.255
inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2 
ether 00:06:5b:80:98:5b
media: Ethernet autoselect (none)
status: no carrier

i'd like xl0 to be my external nic, and xl1 to be my internal nic

- on machine 1, my /etc/rc.conf reads

ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
gateway_enable="YES"
#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO" #change to yes once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN

- machine 1's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim;
the only part of it i changed was

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi

if [ -n "${1}" ]; then
firewall_type=${1}
fi

# Firewall program
fwcmd=/sbin/ipfw
# Outside interface network and netmask and ip
oif=xl0
onet=129.x.x.1
omask=255.255.255.0
oip=129.x.x.35

# Inside interface network and netmask and ip
iif=xl1
inet=10.20.155.0
imask=255.255.255.0
iip=10.20.155.1

# My ISP's DNS servers
dns1=129.x.x.1
dns2=165.x.x.21

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from
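The comment above the `divert natd` rule argues that its position between the "to" checks and the "from" checks is what keeps the anti-spoofing denies from eating legitimate translated traffic. The following is an added example, not from the tutorial or the poster: a toy first-match model of that part of the ruleset, using the comment's own 192.0.2.1 internal host, a placeholder public address standing in for the masked 129.x.x.35, and a one-entry static natd mapping, to show which direction of traffic breaks when the divert rule is moved earlier or later.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
TEST_NET = ipaddress.ip_network("192.0.2.0/24")   # one of the nets the script denies
OIP = ipaddress.ip_address("203.0.113.35")        # placeholder for the masked 129.x.x.35
LAN_HOST = ipaddress.ip_address("192.0.2.1")      # the comment's example internal host
REMOTE = ipaddress.ip_address("198.51.100.7")     # constructed Internet peer

def natd(pkt):
    """Toy natd(8) with one static mapping: inbound packets for OIP are
    rewritten to LAN_HOST, outbound packets from LAN_HOST get source OIP."""
    src, dst, direction = pkt
    if direction == "in" and dst == OIP:
        return (src, LAN_HOST, direction)
    if direction == "out" and src == LAN_HOST:
        return (OIP, dst, direction)
    return pkt

def ipfw(rules, pkt):
    """First-match evaluation of (action, src_net, dst_net) rules, all 'via'
    the outside interface. 'divert' hands the packet to natd and resumes at
    the next rule, as ipfw does once natd re-injects it. Anything unmatched
    falls through to 'pass' here, standing in for the script's later rules."""
    for action, src_net, dst_net in rules:
        src, dst, _ = pkt
        if src in src_net and dst in dst_net:
            if action == "divert":
                pkt = natd(pkt)
                continue
            return action
    return "pass"

# The script's layout: 'to' denies, then divert natd, then 'from' denies.
SCRIPT_ORDER = [("deny", ANY, TEST_NET), ("divert", ANY, ANY), ("deny", TEST_NET, ANY)]
# Two misplacements the comment warns about.
DIVERT_FIRST = [("divert", ANY, ANY), ("deny", ANY, TEST_NET), ("deny", TEST_NET, ANY)]
DIVERT_LAST = [("deny", ANY, TEST_NET), ("deny", TEST_NET, ANY), ("divert", ANY, ANY)]

INBOUND = (REMOTE, OIP, "in")         # reply from the Internet to the public address
OUTBOUND = (LAN_HOST, REMOTE, "out")  # LAN host talking out, not yet translated

if __name__ == "__main__":
    for name, rules in [("script order", SCRIPT_ORDER), ("divert first", DIVERT_FIRST),
                        ("divert last", DIVERT_LAST)]:
        # script order: pass/pass; divert first: inbound denied; divert last: outbound denied
        print(f"{name:13s} in={ipfw(rules, INBOUND):5s} out={ipfw(rules, OUTBOUND)}")
```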