Firewall Setup

Kevin O'Connor kevin at ziptek-technologies.co.uk
Sun Dec 21 02:53:00 GMT 2003


Steve, are you saying you have set up a bridge between em0 and em1 with
both NICs having IP addresses? If this is the case it is incorrect and
will not bridge properly; only 1 of the cards in a bridge should have an
IP address assigned, in fact it will work with no IP addresses assigned.
Also you need the bridge option enabled in the kernel.

Please see the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html

As a quick fix, try setting static routes in /etc/rc.conf.
Regards
Kevin

-----Original Message-----
From: freebsd-users-admin at uk.freebsd.org
[mailto:freebsd-users-admin at uk.freebsd.org] On Behalf Of Steve Greenshaw
Sent: 20 December 2003 22:16
To: freebsd-users at freebsd-uk.eu.org
Subject: Firewall Setup

Hi,

I wonder if anyone could suggest whether what I am attempting is possible?


                  INTERNET
                      |
                    ROUTER
                xxx.xxx.xxx.1
                      |
         xxx.xxx.xxx.2 (alias) em0
            ______FREEBSD_______
           |                    |
          em1            192.168.1.1 (em2)
           |                    |
          DMZ                PRIVATE
   xxx.xxx.xxx.xxx/24      192.168.1.0/24


This setup is on FreeBSD 4.9 with IPFILTER and IPNAT. This choice, rather
than IPFW and NATD, is so that the GUI 'fwbuilder' (www.fwbuilder.org) can
be used by several admins who are purely Windows users. At a pinch I could
use IPFW with fwbuilder and just write any NAT rules myself for NATD, but
it's much neater to have fwbuilder do the lot.

The xxx.xxx.xxx.xxx addresses are public IPs from the same single class C
network. For historical and management/manpower reasons it is just not
possible to subnet this network at present, so I've set up a bridge between
em0 and em1 with em0 having an aliased address that ipnat uses for outbound
connections from the 192.168.1.0/24 network.

Preliminary testing has shown that filtering can and does take place to
allow only restricted services access to certain addresses within the DMZ,
whilst allowing the DMZ access to necessary services on the internet. NAT
works fine to allow the PRIVATE net access to the internet.

My problem is that no matter what I do (i.e. the only rule now in place is
to allow all to any via any) I cannot reach the DMZ from within the PRIVATE
network. I need to do this to get at DNS, SMTP etc. I just can't see why
this is not possible or where I am going wrong. From the firewall box itself
I get a 'no route to host' if I try to contact a machine on the DMZ. I can
contact the router though. It's as if the default route for the
xxx.xxx.xxx.xxx/24 network is via em0 (which I can understand), but I
understood that a bridge between em0 and em1 would mean that anything
broadcast on em0 would also be broadcast on em1, so allowing me access to
the DMZ.

Is there a routing entry that I'm missing somewhere? I'm not actually
setting any routes but the default gateway in rc.conf of xxx.xxx.xxx.1.

Any suggestions or pointers would be appreciated.

Cheers,

Steve.



------ FreeBSD UK Users' Group  -  Mailing List ------
http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
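The configuration Kevin describes (bridge code in the kernel, the two public-side NICs bridged, only one bridge member carrying an IP address, and a static route in /etc/rc.conf as the quick fix), as an added example that is not part of either message in this thread. Interface names follow the thread; the 203.0.113.x addresses and the DMZ host 203.0.113.10 are constructed stand-ins for the xxx.xxx.xxx.* values, and the host-route form of the quick fix is one assumed reading of Kevin's suggestion. The final function is a small check that an rc.conf fragment obeys the one-address rule before it is put on a live box.

```shell
#!/bin/sh
# Added example, not from either poster: FreeBSD 4.x bridge configuration
# following Kevin's three points (kernel BRIDGE option, bridge sysctls,
# only one bridge member with an IP address) plus the static-route form of
# his quick fix. Addresses below are constructed (203.0.113.0/24 stands in
# for the thread's xxx.xxx.xxx.0/24).

# 1. Kernel: the bridge code must be compiled in; add to the kernel
#    configuration file, then rebuild and reboot:
#      options BRIDGE

# 2. Bridge em0 and em1. On FreeBSD 4.x this is done with sysctls
#    (put the same two lines in /etc/sysctl.conf to make them persistent).
#    Wrapped in a function so this file can be sourced for the check below
#    without touching a live system.
apply_bridge_sysctls() {
    sysctl -w net.link.ether.bridge=1
    sysctl -w net.link.ether.bridge_cfg=em0,em1
}

# 3. /etc/rc.conf fragment (constructed). em0 is the only bridge member
#    with an address; the NAT alias .2 lives on it as well, mirroring the
#    thread. em1 is brought up with no address at all. The host route pins
#    the firewall's own traffic to one DMZ host onto em1 (assumed form of
#    Kevin's "static routes" quick fix).
RC_CONF='ifconfig_em0="inet 203.0.113.3 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 203.0.113.2 netmask 255.255.255.255"
ifconfig_em1="up"
ifconfig_em2="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="203.0.113.1"
static_routes="dmzhost"
route_dmzhost="-host 203.0.113.10 -iface em1"'

# Count how many of the named bridge members carry a static inet address
# (primary ifconfig_<if> or an ifconfig_<if>_aliasN line) in an rc.conf
# fragment. Kevin's rule: this must be 0 or 1.
#   $1 = rc.conf text, remaining args = bridge member interface names
bridge_members_with_inet() {
    conf=$1
    shift
    n=0
    for ifn in "$@"; do
        if printf '%s\n' "$conf" | grep -Eq "^ifconfig_${ifn}(_alias[0-9]+)?=\"inet "; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Exit status 0 when the fragment satisfies the one-address rule for the
# em0/em1 bridge, 1 otherwise.
bridge_config_ok() {
    [ "$(bridge_members_with_inet "$1" em0 em1)" -le 1 ]
}

# Stand-alone usage: report on the constructed fragment.
if bridge_config_ok "$RC_CONF"; then
    echo "bridge members with an address: $(bridge_members_with_inet "$RC_CONF" em0 em1) (ok)"
else
    echo "more than one bridge member has an address: not a valid bridge setup"
fi
```

Run it against your real /etc/rc.conf by replacing RC_CONF with `$(cat /etc/rc.conf)`; a count of 2 means both em0 and em1 have been given addresses, which is the misconfiguration Kevin is asking about.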