[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: what am i missing on my firewall?

To: "Misc @OpenBSD" <misc@openbsd.org>
Subject: RE: what am i missing on my firewall?
From: "McKevitt, Larry" <lmckevitt@hjth.com>
Date: Tue, 9 Jan 2001 13:12:51 -0800

OK, this worked.  AHHH!  Now for the ruleset.  And, I start the Devry
program in March (cobol, c, c++, blahblahblah).  Thanks for the help.  This
is a great group.
-Larry
> -----Original Message-----
> From:	Nick Holland [SMTP:nick@holland-consulting.net]
> Sent:	Tuesday, January 09, 2001 12:45 PM
> To:	McKevitt, Larry; Misc @OpenBSD
> Subject:	Re: what am i missing on my firewall?
> 
> comments within...
> 
> "McKevitt, Larry" wrote:
> > 
> > All:
> > I'm trying to set up a firewall that also routes.
> > So, from the 'doze box, the OBSD internal nic is the default gateway.
> OBSD
> > 2.8 i386.
> > My ipf.rules is "pass in from any to any", "pass out from any to any"
> and my
> > ipnat.rules is 
> 
> Two problems:
> <reformatted for readability>
> > map fxp0 172.16.1.1/16  -> 209.85.xxx.xxx/24 portmap tcp/udp 1000:60000
>                     ^                       ^^   
> > map fxp0 172.16.1.1/16  -> 209.85.xxx.xxx/24 
>                     ^                       ^^
> 
> I rather think what you want is something like:
> > map fxp0 172.16.0.0/16  -> 209.85.xxx.xxx/32 portmap tcp/udp 1000:60000
> > map fxp0 172.16.0.0/16  -> 209.85.xxx.xxx/32 
> 
> 172.16.1.1 is an address, not a subnet, so the /16 at the end is a
> problem, it should be the subnet you are wanting to use, I'm assuming
> 172.16.0.0/16.
> 
> You are NAT'ing to a single address (/32), not a subnet (/24), so the
> second error is also a problem.  I'm not entirely sure how IPNAT would
> respond to this, if it does anything productive at all, I'd assume
> that:
>   172.16.0.1  ->  209.85.xxx.xxx
>   172.16.0.2  ->  209.85.xxx.xxx+1
>   172.16.0.3  ->  209.85.xxx.xxx+2 
>     and so on.  Probably NOT what you want...how it would map a /16 to
> a /24, I have no idea...
> 
> > fxp0 is
> > the outside nic.
> > Once I reset my default gateway to my inside nic on the 'doze box, I
> lose
> > access to the world.  From the OBSD box, I can ping, telnet, etc..., so
> I
> > know I'm ok there.  Also, the rc.conf and sysctl.conf are set up
> properly.
> 
> Guess we have to take your word on rc.conf and sysctl.conf...but both
> will do nasty things to you if not really set up properly.  
> 
> > Do I need gated running?  
> 
> No.
> 
> > When I do try to access the Internet from the
> > 'doze box, I do see the natting taking place with "ipnat -l", but the
> web
> > pages don't come thru.  TIA.
> >
> > -larry-
> > 
> > ps:  anyone know anyone who went to devry?  just wondering.  thanks.
> 
> -- 
> http://www.holland-consulting.net/

Prev by Date: Re: G4 Cube Install: mount_msdos fails at end
Next by Date: Re: problem with isakmpd with certs
Prev by thread: Re: what am i missing on my firewall?
Next by thread: sendmail and 2.8 to current
Index(es):
- Date
- Thread