geekvenue.net

Re: IPFilter on FreeBSD 4.6-STABLE
by Coercitas on Thursday January 22, @08:23AM
Actually, your problem was your ipnat rules. You just asked IPF to map your internal LAN with any possible address in the XXX.224.XXX.XXX/29 subnet, which won't work.

Imagine XXX.224.XXX.XXX/29 stands for 80.224.128.0/29; then ipnat would map your internal LAN to any possible address from 80.224.128.1 to 80.224.128.6 (80.224.128.7 means BROADCAST and thus cannot be applied). The problem is you are only reachable at one of those addresses (or your ISP gave you this whole pool of addresses, and something else has to be done on your IPF box to accept this). I'm pretty sure the first (or last, depending on your ISP) address in this subnet is the ISP's side, so this address can't be used (but ipnat may use it, since you allowed it to do so), and the other addresses have to exist... If you only have one of these configured on your side (you can set up many addresses on one NIC), no one could reach the others (since they don't actually exist).

The "map fxp0 0/0 -> 0/32" statement means "change anything that goes out on interface fxp0 to my real fxp0 address".
The "map fxp0 10.0.0.0/24 -> 0/32" command means "change anything going out on interface fxp0 with a source address in the 10.0.0.0/24 subnet to my real fxp0 address".

So yes, it does matter that you are in a 29-bit subnet; you have to really understand how things work with TCP/IP subnetting before going any further, or you may shoot yourself in the foot and get some serious headaches.

If you only own a single address in the XXX.224.XXX.XXX/29 subnet, then you must use the "0/32" statement. If you own this whole subnet (except the ISP router's address), you can use the others to set up a DMZ and put there some servers of your choice... or anything else you prefer.


Hope this helped a bit.
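The subnet arithmetic behind the reply above, as an added example that is not part of the original post or of IPFilter itself. It uses the post's illustrative 80.224.128.0/29 and assumes, purely for illustration, that 80.224.128.1 is the ISP router and that 80.224.128.2 is the only public address configured on fxp0. It reads an ipnat "map" rule, expands the translation target the way the post describes it ("0/32" is the interface's own address; any other prefix is every usable host in it), and lists the translation addresses that nobody on this box answers for, which is why mapping to the whole /29 breaks return traffic while "0/32" does not.

```python
"""Model which source addresses an ipnat 'map' rule lets the box pick.

Added example, not code from the original post.  The /29 is the post's
illustrative one; the router and fxp0 addresses below are assumptions.
"""
import ipaddress

# Constructed for illustration only.
EXAMPLE_SUBNET = "80.224.128.0/29"
ASSUMED_ISP_ROUTER = "80.224.128.1"      # assumed ISP-side address
ASSUMED_FXP0_ADDRS = ["80.224.128.2"]    # assumed: our one public address


def subnet_layout(cidr):
    """Network, broadcast and usable host addresses of a prefix, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
    }


def parse_map_rule(rule):
    """Split 'map <iface> <src> -> <target>' into (iface, src, target)."""
    parts = rule.split()
    if len(parts) != 5 or parts[0] != "map" or parts[3] != "->":
        raise ValueError("unsupported rule syntax: %r" % rule)
    return parts[1], parts[2], parts[4]


def translation_pool(target, iface_addrs):
    """Addresses the rule's target lets ipnat choose as the new source.

    '0/32' stands for the interface's own address.  Any other prefix is
    taken, as the post describes it, as every usable host in that prefix
    (network and broadcast addresses excluded).
    """
    if target in ("0/32", "0.0.0.0/32"):
        return list(iface_addrs)
    return subnet_layout(target)["usable"]


def unreachable_translations(rule, iface_addrs):
    """Pool addresses not configured on this box (the ISP router's address
    among them).  Flows translated to these get replies that never reach us."""
    _, _, target = parse_map_rule(rule)
    owned = set(iface_addrs)
    return [a for a in translation_pool(target, iface_addrs) if a not in owned]


if __name__ == "__main__":
    layout = subnet_layout(EXAMPLE_SUBNET)
    print("network %s, broadcast %s, usable %s" % (
        layout["network"], layout["broadcast"], ", ".join(layout["usable"])))
    for rule in ("map fxp0 10.0.0.0/24 -> " + EXAMPLE_SUBNET,
                 "map fxp0 10.0.0.0/24 -> 0/32"):
        bad = unreachable_translations(rule, ASSUMED_FXP0_ADDRS)
        print("%-44s unreachable: %s" % (rule, ", ".join(bad) or "none"))
```

With the assumed layout, the /29 target yields a six-address pool of which five (including the ISP router's .1) are not ours, so a connection translated to any of them is lost; the 0/32 target yields only 80.224.128.2 and nothing is unreachable.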
    Powered by Zope  Powered by Apache  Squishdot Powered
    All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest ©2001 Jason Neumann.