ipfw with NAT and ARP

Supote Leelasupphakorn pjn0211 at yahoo.com
Sat May 1 22:18:07 PDT 2004 

Hi Andrea E.

   From my understand if you'd like to ping from EXTERNAL ip
to EXTERNAL ip, the firewall is not involve because it will
reach each other directly. Could you confirm that you'd like 
to "ping from EXTERNAL ip to EXTERNAL ip" so someone can find
out the solution ?

Cheers,
pjn

 --- Supote Leelasupphakorn <pjn0211 at yahoo.com> wrote: > Hi,
> 
> I am a newbie and my question is very easy perhaps. I work
> with
> FreeBSD
> 5.2.1
> 
> I would like to configure a firewall with to interfaces (xl0 =
> LAN, xl1
> = External)
> 
> For NAT I have configured like discribed in the manualpage of
> natd:
> 
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow all from any to any
> 
> -> all is fine.
> 
> But, I wont so a simple firewall and for this reason, first I
> want to
> configure the ICMP-protocol:
> 
> ip_ext => External IP-Address
> 
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow icmp from $ip_ext to any icmptypes 8 out via
> xl1
> ipfw add allow icmp from any to $ip_ext icmptypes 0  in via
> xl1
> 
> -> It's not ok. With "ethereal" no pakets are going out (test
> from an
> other system, connected with a HUP.)
> 
> When testing "ping" from external to external IP-Adress of my
> firewall,
> the ARP-request: to broadcast Who has xxx.xxx.xxx.xxx? Tell
> xxx.xxx.xxx.xxx fails
> 
> -> seems to have a problem to let ARP through the firewall.
> 
> Above -> "ipfw add allow all from any to any" let ARP through
> the
> firewall. So I think, thats the configuration of the rest of
> my
> computer
> (like kernel, rc.conf, etc. ist ok)
> 
> And there are no ARP-protocol in /etc/protocols, so I don't
> know, what I
> can do now.
> 
> There is a bug:
> After restarting system with above configuration of
> icmp-protocol no
> ping-request is going out. After a flush of all rules and
> configuring of
> "ipfw add allow all from any to any" ping-request get an
> answer.
> Very interesting is to flush all rules und to configure the
> firewall
> like the first configuring (to allow special rules for
> icmp-protocol ->
> all works very fine. ping-request get an answer. Whenn
> restarting system
> the ping-request get no answer again, I mean, the ping-request
> is not
> send out.
> 
> Can anybody help me? Hope to get an answer.
> 
> I hope you can understand me, my English isn't very well.
> 
> Greatings from Berlin,
> 
> 	Andrea E.
> 
> 
>
________________________________________________________________________
> Yahoo! Messenger - Communicate instantly..."Ping" 
> your friends today! Download Messenger Now 
> http://uk.messenger.yahoo.com/download/index.html 

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

More information about the freebsd-ipfw mailing list