Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.hawaii.edu!ames!news.larc.nasa.gov!lerc.nasa.gov!magnus.acs.ohio-state.edu!math.ohio-state.edu!jussieu.fr!oleane!hole.news.pipex.net!pipex!tube.news.pipex.net!pipex!lade.news.pipex.net!pipex!tank.news.pipex.net!pipex!dispatch.news.demon.net!demon!awfulhak.demon.co.uk!awfulhak.demon.co.uk!not-for-mail
From: brian@awfulhak.demon.co.uk (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc,comp.security.firewalls
Subject: Re: HELP: installing IPFW (FreeBSD 2.1.0)
Followup-To: comp.unix.bsd.freebsd.misc,comp.security.firewalls
Date: 31 May 1996 22:48:18 +0100
Organization: Coverform Ltd.
Lines: 72
Message-ID: <4onpf2$g3@anorak.coverform.lan>
References: <4omcss$6fa@gwdu19.gwdg.de>
NNTP-Posting-Host: anorak.coverform.lan
X-NNTP-Posting-Host: awfulhak.demon.co.uk
X-Newsreader: TIN [version 1.2 PL2]
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:20444 comp.security.firewalls:2643
Stefan Witzel (switzel@uni-goettingen.de) wrote:
: Up to now we have a separate network with IP addresses say a.b.c.d
: (netmask 255.255.0.0, broadcast a.b.255.255 set on all machines).
: I want to connect this net to another using FreeBSD as a packet
: filter. I install a FreeBSD machine with 2 interfaces and IPFW
: enabled. For testing purposes I set up a test bed:
:       External Hub
:             I    I
:             I    +------------------------+
:             I                             I
: +------------------------+                I
: I    "External Machine"  I                I
: I                        I                I
: I  IP address a.b.c.w    I                I
: I  netmask 255.255.0.0   I                I
: I  broadcast a.b.255.255 I                I
: +------------------------+                I
:                                           I
:                                           I
:                               +------------------------+------------------------+
:                               I                  Packet Filter                  I
:                               I          ed0           I          ed1           I
:                               I  IP address a.b.c.x    I  IP address a.b.c.y    I
:                               I  netmask 255.255.0.0   I  netmask 255.255.0.0   I
:                               I  broadcast a.b.255.255 I  broadcast a.b.255.255 I
:                               +------------------------+------------------------+
:                                                                     I
:                                                               Internal Hub
:                                                                     I
:                                                                     I
:                                                         +------------------------+
:                                                         I    "Internal Machine"  I
:                                                         I                        I
:                                                         I  IP address a.b.c.z    I
:                                                         I  netmask 255.255.0.0   I
:                                                         I  broadcast a.b.255.255 I
:                                                         +------------------------+
: Testing the configuration with ping I got the following results
: (no ipfw rules given):
:      from        to         result
:      ---------------------------------
:      a.b.c.w     a.b.c.x    success :-)
:      a.b.c.w     a.b.c.y    failure :-)
:      a.c.c.z     a.b.c.x    failure :-)
: but: a.b.c.z     a.b.c.y    failure :-(
: Is there anything wrong in my configuration? Do I have to set up a
: subnet to protect the machines behind the packet filter?
: Thanks in advance.
You may have two problems. First, you haven't got two separate networks - they're
both a.b.0.0/16 - except for the bit where you mention a.c.c.z! You probably mean
to have a.b.c.0/8 and a.b.d.0/8 - i.e., two class C subnets. Without this, the
"Packet Filter" machine hasn't got a chance: when it receives a packet going from
a.b.c.w to a.b.c.y, it won't forward it because there's no point. Forwarding only
happens to packets that are running around on the wrong wire!
Once you sort things out network-wise, make sure that you've run a command
sysctl -w net.inet.ip.forwarding=1
at some point. Once you can ping through the "Packet Filter" machine, then you
can start mucking around with ipfw.
--
Brian <brian@awfulhak.demon.co.uk>
Don't _EVER_ lose your sense of humour....
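The "wrong wire" argument in the reply, worked through as an added example that is not part of the original thread and not FreeBSD code: a small Python model of what each host's routing table and ARP do with a packet. The addresses are constructed (10.1.1.x stands in for the external side, 10.1.2.x for the internal side, in place of the thread's a.b.c.w placeholders), the end hosts are given an assumed interface name de0, and hubs are modelled as plain shared wires. `build(16, ...)` is the flat layout from the question and `build(24, ...)` is the two class C layout from the reply, with `forwarding` standing for `net.inet.ip.forwarding`.

```python
# Added example (not from the original post or from FreeBSD): a toy model of
# the host routing decision and ARP, enough to show why the flat /16 test bed
# never hands the filter a packet to forward. Addresses are constructed
# (10.1.x.y stands in for the thread's a.b.c.w placeholders).
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Optional


@dataclass
class Host:
    name: str
    ifaces: dict[str, IPv4Interface]          # ifname -> address/prefix
    default_gw: Optional[IPv4Address] = None  # "route add default <gw>"
    forwarding: bool = False                  # net.inet.ip.forwarding

    def has_address(self, addr: IPv4Address) -> bool:
        return any(i.ip == addr for i in self.ifaces.values())

    def egress(self, dst: IPv4Address) -> Optional[str]:
        """Interface whose connected prefix covers dst (dst is on-link), else None."""
        return next((n for n, i in self.ifaces.items() if dst in i.network), None)


@dataclass
class Network:
    """Hubs are named links; each lists the (host, ifname) pairs plugged into it."""
    hosts: dict[str, Host] = field(default_factory=dict)
    links: dict[str, list[tuple[str, str]]] = field(default_factory=dict)

    def add(self, host: Host, **attach: str) -> None:
        """attach maps ifname -> hub name, e.g. add(h, ed0="external_hub")."""
        self.hosts[host.name] = host
        for ifname, link in attach.items():
            self.links.setdefault(link, []).append((host.name, ifname))

    def arp(self, host: Host, ifname: str, addr: IPv4Address) -> Optional[Host]:
        """Who answers ARP for addr on the wire that host/ifname is plugged into?"""
        link = next(l for l, m in self.links.items() if (host.name, ifname) in m)
        for hname, hif in self.links[link]:
            if self.hosts[hname].ifaces[hif].ip == addr:
                return self.hosts[hname]
        return None

    def ping(self, src: str, dst: str) -> str:
        """Trace one packet from host src to address dst: 'success' or 'failure: why'."""
        h, target = self.hosts[src], ip_address(dst)
        out = h.egress(target)
        if out is not None:
            # dst looks on-link, so the sender ARPs for it itself; no router is involved
            if self.arp(h, out, target):
                return "success"
            return f"failure: {dst} looks on-link via {out} but is on the wrong wire"
        if h.default_gw is None or (gw_if := h.egress(h.default_gw)) is None:
            return "failure: no usable default route"
        gw = self.arp(h, gw_if, h.default_gw)
        if gw is None:
            return "failure: default gateway does not answer ARP"
        if gw.has_address(target):
            return "success"  # a router answers on any of its own addresses
        if not gw.forwarding:
            return f"failure: {gw.name} has net.inet.ip.forwarding=0"
        out = gw.egress(target)
        if out is None:
            return f"failure: {gw.name} has no route to {dst}"
        if self.arp(gw, out, target):
            return "success"
        return f"failure: {gw.name} forwards via {out} but nobody answers"


def build(prefix: int, forwarding: bool) -> Network:
    """The thread's test bed with /prefix on every interface: 16 is the flat layout
    from the question, 24 the two-class-C layout from the reply (end hosts then
    get a default route to the filter's near-side address)."""
    gw_ext = ip_address("10.1.1.1") if prefix == 24 else None
    gw_int = ip_address("10.1.2.1") if prefix == 24 else None
    net = Network()
    net.add(Host("external", {"de0": ip_interface(f"10.1.1.2/{prefix}")}, gw_ext),
            de0="external_hub")
    net.add(Host("filter", {"ed0": ip_interface(f"10.1.1.1/{prefix}"),
                            "ed1": ip_interface(f"10.1.2.1/{prefix}")},
                 forwarding=forwarding), ed0="external_hub", ed1="internal_hub")
    net.add(Host("internal", {"de0": ip_interface(f"10.1.2.2/{prefix}")}, gw_int),
            de0="internal_hub")
    return net


if __name__ == "__main__":
    probes = [("external", "10.1.1.1"), ("external", "10.1.2.1"), ("internal", "10.1.1.1"),
              ("internal", "10.1.2.1"), ("external", "10.1.2.2")]
    for label, net in [("flat /16", build(16, True)), ("two /24s, forwarding=0", build(24, False)),
                       ("two /24s, forwarding=1", build(24, True))]:
        print(f"--- {label}")
        for s, d in probes:
            print(f"  {s:8} -> {d:9} {net.ping(s, d)}")
```

On the flat /16 every host believes every a.b.* address is on its own wire, so the external machine ARPs for the ed1 address directly and gets no answer; the filter is never asked to forward anything, which is the reply's "no point" case. Splitting into two /24s makes the end hosts send cross-network traffic to the filter, and then forwarding succeeds only once `net.inet.ip.forwarding` is 1. The model also predicts success for the internal machine pinging ed1 on the flat layout, so the failure the question reports there is not explained by addressing alone; the reply's "two problems" leaves room for a second cause.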