Question for ipf setting on single NIC box

Michael Lee(HINET) kuniaki.lee at msa.hinet.net
Wed Sep 24 00:38:15 PDT 2003


Hi all,

I only have one NIC on my FreeBSD box.

Here is my configuration:
ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual Internal Interface )

and this is the output of ifconfig -L:

de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:80:c8:f6:7b:c7
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

( aaa.bbb.ccc.ddd is the static IP I got from the ISP )

Everything seems OK to me; the NIC binds the virtual IP.

The question is about configuring ipf.rules and ipnat.rules.
( Originally, I used tun0 as the external interface for ppp dialup.
It was OK to set the ipf rules to block the incoming and outgoing packets
through tun0. )
But now I have switched to static IP DSL, and I failed to configure de0 ( the
external interface ) when applying the following rules:

block in quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 192.168.0.0/16 to any

After applying the above rules, ipf seems to block the packets on de0_alias0.
DHCPD cannot even send out packets to the local subnet ( 192.168.1.0/24 ).
( ipf blocks all the traffic that should only be blocked on the outside interface )

I can only add pass in quick all and pass out quick all now, or the traffic
will be completely blocked.
However, adding only pass in quick all and pass out quick all does not seem a
good idea for a firewall.

Is there any way to solve the problem? Or have I configured ipf wrongly?

Thank you!

Michael Lee
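The following is an added illustration, not part of the original post, of why the two rules above also catch the alias traffic. Because 192.168.1.254 is an alias on de0, every LAN packet enters and leaves on de0, and a `quick` rule stops evaluation at the first match, so a `block ... on de0 from 192.168.0.0/16` rule fires on the LAN hosts and on dhcpd's own replies. The script models only the rule shape used in the post (it is not IPFilter's parser), assumes ipf's default of passing unmatched packets, and uses the documentation address 198.51.100.20 as a constructed stand-in for aaa.bbb.ccc.ddd. It evaluates the post's rules and a reordered set that passes the local subnet before the anti-spoof blocks, and it also shows the limit of a single-NIC design: a packet from the outside that claims a 192.168.1.x source is indistinguishable from LAN traffic by interface alone.

```python
import ipaddress

# Added illustration of IPFilter's first-match "quick" semantics.  It handles
# only rules of the shape "<pass|block> <in|out> quick on <if> from <cidr|any>
# to <cidr|any>" and is not IPFilter's own parser or evaluator.

def parse_rule(line):
    """Parse one ipf rule of the supported shape into a dict."""
    t = line.split()
    if (len(t) != 9 or t[2] != "quick" or t[3] != "on"
            or t[5] != "from" or t[7] != "to" or t[0] not in ("pass", "block")):
        raise ValueError("unsupported rule: " + line)
    return {"action": t[0], "dir": t[1], "ifname": t[4], "src": t[6], "dst": t[8]}

def in_net(cidr, addr):
    """'any' matches everything; otherwise test CIDR membership."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, direction, ifname, src, dst):
    """Decide one packet: every rule here is 'quick', so the first match wins.
    A packet matching no rule is passed (ipf's default policy, assumed here)."""
    for r in rules:
        if (r["dir"] == direction and r["ifname"] == ifname
                and in_net(r["src"], src) and in_net(r["dst"], dst)):
            return r["action"]
    return "pass"

# The two rules from the post, unchanged.
ORIGINAL = [parse_rule(l) for l in [
    "block in quick on de0 from 192.168.0.0/16 to any",
    "block out quick on de0 from 192.168.0.0/16 to any",
]]

# Same anti-spoof rules, but the local subnet is passed first.  Because the
# alias 192.168.1.254 lives on de0 too, every LAN packet is seen on de0 and
# would otherwise hit the block rules.
REORDERED = [parse_rule(l) for l in [
    "pass in quick on de0 from 192.168.1.0/24 to any",
    "pass out quick on de0 from 192.168.1.0/24 to any",
    "block in quick on de0 from 192.168.0.0/16 to any",
    "block out quick on de0 from 192.168.0.0/16 to any",
]]

# Constructed sample packets: (direction, interface, src, dst).  198.51.100.20
# is a documentation address standing in for the post's aaa.bbb.ccc.ddd.
PACKETS = {
    "dhcpd reply to LAN host": ("out", "de0", "192.168.1.254", "192.168.1.10"),
    "LAN host to Internet, arriving on de0": ("in", "de0", "192.168.1.10", "203.0.113.5"),
    "other private range aimed at external IP": ("in", "de0", "192.168.77.7", "198.51.100.20"),
    "local-subnet source arriving from outside": ("in", "de0", "192.168.1.99", "198.51.100.20"),
}

def decide_all(rules):
    """Map each sample packet name to its verdict under the given ruleset."""
    return {name: evaluate(rules, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label)
        for name, verdict in decide_all(rules).items():
            print(f"  {verdict:5}  {name}")
```

Under the original rules all four packets are blocked, which matches the symptom in the post. Under the reordered set the dhcpd reply and the LAN host's traffic pass and the 192.168.77.7 packet is still blocked, but the last packet passes as well: with one interface there is no second "side" to compare against, so interface-based anti-spoofing for the local subnet is not available in this layout and the trust has to rest on the rest of the ruleset and on NAT.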


