--- Steve Bertrand <[EMAIL PROTECTED]> wrote:

> Gardner Bell wrote:
>> Hi all,
>>
>> I've been following the IPFW section in the handbook and /etc/rc.firewall to try and set up a gateway for my home LAN, but I'm having a bit of trouble getting access to the internet. My network setup looks like so:
>>
>>             192.168.x.x   bge1 - 192.168.x.x   bge0 x.x.x.x
>> --LAN------------Switch---------FreeBSD-------------------------------ISP
>>
>> bge0 successfully receives an IP from my ISP's DHCP server and I can ping the LAN without any issues. When it comes to accessing the internet I get a hostname lookup failure.
>>
>> Any help resolving this is greatly appreciated.
>>
>> Gardner
>>
>> mx1# ipfw list
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny ip from 192.168.1.0/24 to any in via bge0
>> 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
>> 00600 deny ip from any to 10.0.0.0/8 via bge0
>> 00700 deny ip from any to 172.16.0.0/12 via bge0
>> 00800 deny ip from any to 192.168.0.0/16 via bge0
>> 00900 deny ip from any to 0.0.0.0/8 via bge0
>> 01000 deny ip from any to 169.254.0.0/16 via bge0
>> 01100 deny ip from any to 192.0.2.0/24 via bge0
>> 01200 deny ip from any to 224.0.0.0/4 via bge0
>> 01300 deny ip from any to 240.0.0.0/4 via bge0
>>
>> 01400 divert 8668 ip from any to any in via bge0
>>
> What happens if you switch the above line to bge1, as opposed to bge0?

I am able to ping the internet if I change my divert rule to bge1, but lose any connectivity to the LAN. I can only ping 192.168.1.1, i.e. bge1.

> I haven't used natd in a couple years, but from what I can tell, you are
> trying to divert packets that are inbound from the Internet, as opposed
> to diverting packets from the LAN.

OK. I was pretty sure that natd_interface had to be set to the NIC facing the internet, as the manual and /etc/defaults/rc.conf mention.

> What does /etc/natd.conf state?

Don't have an /etc/natd.conf as of yet, but I'm using -deny_incoming in natd_flags. The natd command shows:

/sbin/natd -deny_incoming -dynamic -n bge0

> If the above does not work, perhaps you could start with a minimalistic
> ruleset, having only allow rules, and then a blanket rule to deny at the
> bottom?

I'll give that a try.

> Steve

Gardner

ps: I'm not subscribed to the list.. hope I didn't munge the quotes up too bad.
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
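The rule Steve asked about is the one that decides whether natd sees both halves of a NATed flow. The ruleset below is an added example, not the poster's ruleset and not FreeBSD's /etc/rc.firewall. It takes the minimalistic approach Steve suggested (allow rules, then a blanket deny) for the layout described in the thread: bge0 toward the ISP, bge1 toward the 192.168.1.0/24 LAN, natd started with the flags shown. The `load_rules` function, the rule numbers and the `apply`/`dry-run` arguments are my own; the divert rule is the thread's rule 01400 with the `in` qualifier dropped, which is the same `via ${natd_interface}` form rc.firewall emits when natd_enable is set.

```shell
#!/bin/sh
# Added example: a minimal stateless NAT gateway ruleset for the layout in the
# thread (bge0 toward the ISP, bge1 toward the LAN). Not the poster's ruleset
# and not FreeBSD's /etc/rc.firewall; rule numbers and names are my own.
#
# Assumed /etc/rc.conf settings (natd_flags taken from the thread):
#   gateway_enable="YES"
#   natd_enable="YES"
#   natd_interface="bge0"
#   natd_flags="-deny_incoming -dynamic"

oif=bge0              # external interface, gets its address from the ISP by DHCP
iif=bge1              # LAN interface
lan=192.168.1.0/24    # LAN prefix from the thread

# load_rules [command]  -- runs every rule through "command" (default /sbin/ipfw);
# "load_rules echo" prints what would be installed without touching the kernel.
load_rules() {
    fw=${1:-/sbin/ipfw}

    $fw -f flush
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    $fw add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: our own LAN prefix must never arrive on the ISP side.
    $fw add 400 deny ip from $lan to any in via $oif

    # Private and bogon destinations are never sent to the ISP. These rules
    # sit before the divert, so they see the untranslated packet: a LAN host's
    # outbound packet still has a 192.168.1.x *source* but a public
    # destination, so the 192.168.0.0/16 rule does not catch it.
    n=500
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
               169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4; do
        $fw add $n deny ip from any to $net via $oif
        n=$((n + 100))
    done

    # The NAT hook. "via bge0" matches both directions on the external
    # interface: a LAN packet leaving bge0 has its source rewritten to bge0's
    # address, and the reply arriving on bge0 has its destination rewritten
    # back to the LAN host. The thread's rule
    #   01400 divert 8668 ip from any to any in via bge0
    # diverts only the inbound half, so outbound packets leave with a
    # 192.168.1.x source address and no reply can ever come back.
    $fw add 1400 divert natd ip from any to any via $oif

    # After natd the packet re-enters ipfw at the next rule with translated
    # addresses. With -deny_incoming, natd drops inbound packets that match no
    # existing translation, so unsolicited traffic from the ISP never gets here.
    $fw add 1500 allow ip from any to any via $iif             # trust the LAN side
    $fw add 1600 allow tcp from any to any established
    $fw add 1700 allow tcp from any to any setup out via $oif
    $fw add 1800 deny log tcp from any to any setup in via $oif
    $fw add 1900 allow udp from any to any 53 out via $oif     # DNS: the thread's failing case
    $fw add 2000 allow udp from any 53 to any in via $oif
    $fw add 2100 allow udp from any 68 to any 67 out via $oif  # DHCP lease traffic on bge0
    $fw add 2200 allow udp from any 67 to any 68 in via $oif
    $fw add 2300 allow icmp from any to any icmptypes 0,3,8,11 via $oif
    $fw add 2400 allow ip from any to any frag

    # Blanket deny at the bottom, as Steve suggested.
    $fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply)   load_rules ;;
    dry-run) load_rules echo ;;
    "")      ;;   # run or sourced without arguments: only define load_rules
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run `sh nat-gateway.sh dry-run` first and read the output; `sh nat-gateway.sh apply` installs it. The rules are deliberately stateless: a `keep-state` rule records the addresses as they are when it fires, and with the divert in front of it the outbound packet is seen post-translation while the inbound reply is translated back to the LAN address before `check-state` runs, so the two never match. The handbook's NAT example avoids this with `skipto` around the divert; for a first working gateway the `established`/`setup` pair above is enough.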