Thread: Firewall routing
View Single Post
  #1   (View Single Post)  
Old 30th October 2008
Magoo Magoo is offline
New User
  
Join Date: Oct 2008
Posts: 6
Default Firewall routing
I have a device rl0 for the wan and a device rl1 from the lan. The lan has no problem leasing clients via dhcpd and the wan has no problem retrieving a lease via dhclient. The problem is that the traffic coming from the lan does not pass on to the wan. I'm assuming I may have a routing problem, but I'm not sure. Any assistance is appreciated, please let me know if you need more information. Here is the critical configuration info:

Code:
# netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XXX.XXX.1        UGS         0        5    rl0
XXX.XXX.XXX/22       link#1             UC          0        0    rl0
XXX.XXX.XXX.1        00:1a:2f:8b:30:05  UHLW        2        0    rl0   1199
127.0.0.1          127.0.0.1          UH          0        0    lo0
169.254.75/24      link#2             UC          0        0    rl1
169.254.75.254     00:1f:33:cd:a9:59  UHLW        1      358    rl1   1170

----------------
# cat /etc/rc.conf

gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
ipnat_enable="YES"
ifconfig_rl1="inet 169.254.75.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="rl1"
sshd_enable="YES"
ifconfig_rl0="DHCP"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

------------------
# cat /etc/ipfw.rules

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any

----------------------
# cat /usr/src/sys/i386/conf/MYKERNEL

[truncated]
options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=10
options         IPDIVERT
[truncated]
Last edited by Magoo; 30th October 2008 at 01:39 AM.
Reply With Quote