smithi at nimnet.asn.au
Sat Nov 24 06:46:18 PST 2007
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:
> 2007/11/24, Ian Smith <smithi at nimnet.asn.au>:
> > ipfw works fine too for these sorts of network policy separation :)
> So ipfilter is not recommended by you guys?
No, I didn't mean that; use your own favourite packet filter, any of them
can handle what you've described. Bill suggested pf - lots of people
seem to like it a lot - and I use ipfw because I (mostly) know how to.
> > I'm not saying this odd netmask explains your problem, nor that I fully
> > understand the effect of non-contiguous netmasks, but it's worth fixing.
> My fault again: the mask is 255.255.255.224. I messed up the things; the 27
> comes from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's
Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help ..
it's easier to parse familiar machine output than textual descriptions.
> > On which machine/s is NAT translation taking place? Eg if 10.10/16 were
> > allowed access to the internet via here, where would they get NAT'd to
> > the external IP?
> > Cheers, Ian
> The ipfilter was NATing, but I'm not sure about the NAT rules inside the
> config file, I must recheck it monday, I just tested the redirection rules,
> do you think this can be the problem?
Dunno. I'd just run tcpdump in a different terminal for each interface
and watch the traffic; what gets forwarded, or not, what gets translated
by NAT, or not. As you said, pings are a useful start, as can be adding
temporary firewall rules to log everything in and out per interface ..
I know next to nothing about routed(8) and RIP, nor why you might prefer
it to static and cloned routing, but taking it out of the mix might help
with debugging until your basic routing and filtering works right?
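Two of the checks suggested in this thread, written up as an added example that is not code from the thread or from FreeBSD: a contiguity test for a dotted-quad netmask (the /27 discussed above), and a generator for the temporary per-interface ipfw logging rules. The interface name fxp0 and rule number 100 are placeholders.

```sh
#!/bin/sh
# Added helpers for the two checks suggested above (not code from the thread):
# 1. confirm a dotted-quad netmask is contiguous and get its prefix length;
# 2. print temporary ipfw rules that log everything in and out of one interface.

# mask_to_prefix 255.255.255.224 -> prints 27; returns 1 for a malformed or
# non-contiguous mask such as 255.255.0.255.
mask_to_prefix() {
    bits=""
    # expand each octet into its 8-bit binary form
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case $octet in
            ''|*[!0-9]*|0?*) return 1 ;;   # non-numeric or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
        b="" n=$octet i=0
        while [ "$i" -lt 8 ]; do
            b=$(( n % 2 ))$b
            n=$(( n / 2 ))
            i=$(( i + 1 ))
        done
        bits="$bits$b"
    done
    [ ${#bits} -eq 32 ] || return 1
    # contiguous means all ones followed by all zeros: no 1 after any 0
    case $bits in
        *0*1*) return 1 ;;
    esac
    ones=${bits%%0*}
    printf '%s\n' "${#ones}"
}

# ipfw_log_rules IFACE [RULENUM] -> prints (does not run) two rules that count
# and log every packet entering and leaving IFACE; both share RULENUM so
# 'ipfw delete RULENUM' removes them again. Logging to syslog also needs
# sysctl net.inet.ip.fw.verbose=1.
ipfw_log_rules() {
    iface=$1
    num=${2:-100}
    printf 'ipfw add %s count log ip from any to any in via %s\n' "$num" "$iface"
    printf 'ipfw add %s count log ip from any to any out via %s\n' "$num" "$iface"
}

# example run: the /27 mask from the thread; fxp0 and 100 are placeholders
mask_to_prefix 255.255.255.224   # prints 27
ipfw_log_rules fxp0 100
```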