Subject: Re: NAT and /etc/rc.firewall
From: Paul Mielke (paulm securify.com)
Date: Wed Apr 12 2000 - 18:41:54 CDT
At 05:23 PM 4/12/00 -0700, Ron Smith wrote:
...
>NAT doesn't work for anyone on the LAN trying to reach the internet through 'firewall_type="simple"', but works fine with 'firewall_type="open"'. Do you think the above settings are correct, and in the right place?
>
>Can anyone give me a hand? Everything looks O.K. to me, unless I'm missing something. Maybe there's something I'm missing altogether when I try to go 'firewall_type="simple"' and use those stock rules, as is, in '/etc/rc.firewall'. If I need to make changes there, could someone mail me a sample of some rules that work for NAT+ipfw?

Hi, Ron.

I just took a quick look at the stock rc.firewall and I don't think that's enough info to allow remote diagnosis of the problem. I don't have access to my firewall from my current location, so I can't send you my working config files at this point. Maybe later this evening.

For now, I would suggest that you try to diagnose the problem by either using "ipfw show" or by using the 'log' keyword on all the ipfw rules to figure out which rule is the one that is trashing your packets.

For example, do the following:

    ipfw show > fw.stats.before
    (do some operation that fails)
    ipfw show > fw.stats.after

ipfw will update the counters on each rule every time one of them fires. By diffing the two stats files, you can figure out which rule is the offending one. When I went through the initial phase of getting my setup working, I spent a lot of time iterating on the above steps interspersed with poring over the ipfw manpage.

Regards,
Paul

Paul Mielke    paulm alumni.stanford.org
Securify, Inc. 650-812-9400 x4118
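
The before/after counter comparison described in the message above, as an added example that is not part of the original post: a small shell helper that diffs two "ipfw show" snapshots and lists the rules whose packet counters grew. It assumes the "ipfw show" line layout of rule number, packet count, byte count and rule text; the function names, the interface name ed0 and the sample snapshots are constructed for illustration.

```sh
#!/bin/sh
# Added example: list the ipfw rules that matched between two "ipfw show"
# snapshots. Assumed line layout: <number> <packets> <bytes> <rule text>.

# changed_rules BEFORE AFTER
# Prints "<packet-delta> <number> <rule text>" for every rule whose packet
# counter grew, largest increase first.
changed_rules() {
    awk '
        NF < 4 || $1 !~ /^[0-9]+$/ { next }      # skip non-rule lines
        {
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            key = $1 " " rule                    # rules may share a number
        }
        FILENAME == ARGV[1] { before[key] = $2; next }
        {
            delta = $2 - before[key]             # a new rule counts from zero
            if (delta > 0) printf "%d %s %s\n", delta, $1, rule
        }
    ' "$1" "$2" | sort -k1,1nr -k2,2n
}

# dropping_rules BEFORE AFTER
# Same report, limited to rules whose action discards the packet.
dropping_rules() {
    changed_rules "$1" "$2" | awk '$3 ~ /^(deny|drop|reject|reset|unreach)$/'
}

# Constructed sample snapshots (hypothetical rules, not the stock rc.firewall).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fw.stats.before" <<'EOF'
00100  40  3200 allow ip from any to any via lo0
00200 510 61200 divert 8668 ip from any to any via ed0
00300   2   120 deny ip from 192.168.0.0/16 to any via ed0
00400 498 60100 allow tcp from any to any established
65535   9   756 deny ip from any to any
EOF
cat > "$tmp/fw.stats.after" <<'EOF'
00100  40  3200 allow ip from any to any via lo0
00200 516 61560 divert 8668 ip from any to any via ed0
00300   7   420 deny ip from 192.168.0.0/16 to any via ed0
00400 498 60100 allow tcp from any to any established
65535  10   840 deny ip from any to any
EOF
dropping_rules "$tmp/fw.stats.before" "$tmp/fw.stats.after"
```

On a live firewall, pass it the two files written by "ipfw show" before and after the failing operation; rules that only appear in the second snapshot are reported with their full packet count.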