ipfw with NAT and ARP
Charles Swiger
cswiger at mac.com
Thu Apr 29 13:44:15 PDT 2004
On Apr 29, 2004, at 5:30 PM, Andrea E. wrote:
[ ... ]
> But, I wont so a simple firewall and for this reason, first I want to
> configure the ICMP-protocol:
>
> ip_ext => External IP-Address
>
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
> ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1
>
> -> It's not ok. With "ethereal" no packets are going out (test from
> another system, connected with a HUB.)
Add a "ipfw add deny log ip from any to any" and you will be able to
troubleshoot your own problems much more effectively by checking the
logging.
Most probably, you'll need to take into account that the IP addresses
of packets get re-written after being diverted to natd.
> When testing "ping" from external to external IP-Address of my
> firewall, the ARP-request: to broadcast Who has xxx.xxx.xxx.xxx? Tell
> xxx.xxx.xxx.xxx fails
>
> -> seems to have a problem to let ARP through the firewall.
>
> Above -> "ipfw add allow all from any to any" lets ARP through the
> firewall. So I think that the configuration of the rest of my
> computer (like kernel, rc.conf, etc.) is ok.
ARP traffic is subnet-local and is not passed through a routing device,
such as the NAT'ing firewall you are testing. If you want to pass
ARPs, consider using layer-2 bridging instead of layer-3 routing and
address translation.
> There is a bug:
> After restarting system with above configuration of icmp-protocol no
> ping-request is going out. After a flush of all rules and configuring
> of "ipfw add allow all from any to any" ping-request get an answer.
No bug. There are kernel options which control whether IPFW is
configured to pass or deny traffic by default. Consider adding:
options IPFIREWALL_DEFAULT_TO_ACCEPT
...to your kernel config and rebuilding the kernel.
--
-Chuck
PS: Cross-posting to multiple groups is better than posting a single
message twice, and posting just to -questions is usually enough...
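An added example (not part of the thread, and not Andrea's or Chuck's code): an ipfw ruleset that applies the two points above, namely that the allow rules see the addresses natd has already rewritten, and that a final logging deny makes drops visible. It assumes xl1 is the outside interface, xl0 the inside one, natd is already running on xl1, and the addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed addresses and interface names; adjust to your own setup.
oif="xl1"                    # outside interface (where natd runs)
iif="xl0"                    # inside interface
ip_ext="192.0.2.10"          # constructed external address
int_net="192.168.1.0/24"     # constructed internal subnet

# Dry run by default: print the rules. Run as "sh ipfw.rules apply" to load them.
fwcmd="echo /sbin/ipfw"
if [ "${1:-}" = "apply" ]; then
    fwcmd="/sbin/ipfw"
fi

load_rules() {
    ${fwcmd} -f flush
    # Loopback and the inside interface also pass through ipfw; without these
    # the final deny would drop them too.
    ${fwcmd} add 50 allow ip from any to any via lo0
    ${fwcmd} add 60 allow ip from any to any via ${iif}
    # The divert rule must come first: natd rewrites the addresses and the
    # packet re-enters the ruleset at the next rule with the new addresses.
    ${fwcmd} add 100 divert natd ip from any to any via ${oif}
    # Outbound echo request from an inside host: after natd the source is
    # already ${ip_ext}, so the original rule keeps working.
    ${fwcmd} add 200 allow icmp from ${ip_ext} to any icmptypes 8 out via ${oif}
    # Inbound echo reply to an inside host: natd has already rewritten the
    # destination back to the inside address, so "to ${ip_ext}" never matches.
    ${fwcmd} add 210 allow icmp from any to ${int_net} icmptypes 0 in via ${oif}
    # Pings at the firewall's own address are not translated and need their
    # own pair of rules (the thread's test case: external host -> ${ip_ext}).
    ${fwcmd} add 220 allow icmp from any to ${ip_ext} icmptypes 8 in via ${oif}
    ${fwcmd} add 230 allow icmp from ${ip_ext} to any icmptypes 0 out via ${oif}
    # Chuck's suggestion: a final logging deny. Dropped packets then appear in
    # /var/log/security (needs net.inet.ip.fw.verbose=1 or IPFIREWALL_VERBOSE),
    # and the kernel's default-accept/deny policy no longer matters.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Dry-run helper: line number of the first printed rule matching a pattern,
# used to check that the divert rule precedes the allow rules.
rule_line() {
    load_rules | grep -n "$1" | head -n 1 | cut -d: -f1
}

load_rules
```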