Question for ipf setting on single NIC box

Thomas Spreng spreng at socket.ch
Wed Sep 24 01:04:04 PDT 2003


Hello,

On Wed, Sep 24, 2003 at 03:38:11PM +0800, Michael Lee(HINET) wrote:
> Hi all,
> 
> I only have a NIC on my FreeBSD Box.
> 
> Here is my configuration:
> ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
> ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual
> Internal Interface )
 
Beware: de0_alias0 is not a network interface, it's just an alias.

> and this is the result shown for ifconfig -L
> 
> de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
>         inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
>         ether 00:80:c8:f6:7b:c7
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> 
> ( aaa.bbb.ccc.ddd is the static IP I got from the ISP )
> 
> Everything seems OK to me that the NIC binds the virtual IP.
> 
> The question is that while configuring ipf.rules and ipnat.rules
> ( Originally, I use tun0 as the external interface for ppp dialup.
> It is OK to set the ipf rules to block the incoming and outgoing packet
> through tun0. )
> But now I switched to static IP DSL and I failed to configure the de0 ( ext.
> if )
> while applying the following rules:
> 
> block in quick on de0 from 192.168.0.0/16 to any
> block out quick on de0 from 192.168.0.0/16 to any
 
This will block all traffic from your de0 alias IP to anywhere else, and all
traffic from 192.168.0.0/16 to either your real inet address or to your
alias.

> After applying the above rules, ipf seems to block the packet on de0_alias0.
> DHCPD cannot even send out packet to the local subnet ( 192.168.1.0/24 )
> ( ipf blocks all traffic that should be blocked on the outside interface )

ipf is supposed to block that because you blocked all traffic from
192.168.0.0/16, which includes 192.168.1.0/24. The alias and the real
inet address have the same interface name, that is 'de0'.
But can you tell me where that local subnet is attached if you only have
one NIC in your box?
 
> I can only add pass in quick all and pass out quick all now or the traffic
> will be completely blocked.
> However, adding only pass in quick all and pass out quick all does not seem
> a good idea for the firewall.
> 
> Is there any way to solve the problem? Or have I configured ipf wrongly?

If you need more help, please tell us exactly what traffic you want to
block/allow and where, and what your network layout looks like.

cheers,
	tom
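
The point Tom makes is that ipf rules on de0 match the alias as well as the public address, so a rule that keys on the interface alone cannot tell the two roles apart. As an added illustration for this thread (not the original poster's rules, and not something Tom wrote), here is how the posted rule pair can be rewritten so that the anti-spoofing match keys on addresses instead. It assumes, as the question only implies, that the 192.168.1.0/24 hosts sit on the same Ethernet segment as de0, that aaa.bbb.ccc.ddd is the public address, and that ipnat maps 192.168.1.0/24 onto it; it also assumes the usual ipf ordering where outbound filtering is applied before ipnat rewrites the source, so rules on de0 see the untranslated 192.168.1.x addresses.

```ipf
# Added example; not from the original thread.  Assumptions (not stated in
# the thread): the 192.168.1.0/24 hosts share de0's Ethernet segment,
# aaa.bbb.ccc.ddd is the public address, ipnat maps 192.168.1.0/24 -> it.
# ipf walks rules top to bottom and "quick" stops at the first match.

# As posted.  Both rules key on the interface only.  The alias 192.168.1.254
# is also "on de0", so dhcpd's answers to the LAN and the LAN's own (not yet
# translated) outbound packets are dropped together with the spoofs.
#   block in  quick on de0 from 192.168.0.0/16 to any
#   block out quick on de0 from 192.168.0.0/16 to any

# DHCP: DISCOVER/REQUEST arrive from 0.0.0.0 to the broadcast address;
# dhcpd answers from the alias, to broadcast or to the offered address.
pass in  quick on de0 proto udp from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67
pass out quick on de0 proto udp from 192.168.1.254/32 port = 67 to any port = 68

# LAN hosts talking to the alias and, via ipnat, to the outside; replies
# are matched by the state table, so no explicit "pass in" for them.
pass in  quick on de0 from 192.168.1.0/24 to any keep state
pass out quick on de0 from 192.168.1.254/32 to 192.168.1.0/24 keep state

# The box's own sessions on its public address.
pass out quick on de0 from aaa.bbb.ccc.ddd/32 to any keep state

# Anti-spoofing, now after the legitimate private traffic has been passed:
# anything else from private space, in either direction, is dropped.
block in  quick on de0 from 192.168.0.0/16 to any
block out quick on de0 from 192.168.0.0/16 to any
```

Two caveats a practitioner should keep in mind. First, on a single NIC ipf has no way to distinguish a genuine 192.168.1.x host on the LAN from a packet with a forged 192.168.1.x source arriving from the DSL side, because both enter on de0; that spoof class can only be stopped by the ISP, or by moving the LAN onto a second NIC, which is exactly why Tom asks where the local subnet is attached. Second, check the rules actually loaded with `ipfstat -nio` after `ipf -Fa -f /etc/ipf.rules`, and add the `log` keyword to the two block rules and watch `ipmon` to confirm which packets are being dropped before trusting the ruleset.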


More information about the freebsd-questions mailing list