IPFW Kicking my butt.

Post by Tim Matthew » Wed, 25 Nov 1998 04:00:00



Hello all,
    I have a FreeBSD 2.2.7 box that I want to act as a firewall. I have
gone through all the man pages and websites that I could, but I can't
find anything that answers my question. First off, I have recompiled the
kernel with IP_FIREWALL and IP_DIVERT (although I don't wish to use
network address translation - natd) and set everything in rc.conf as (I
think) it should be. I have firewall_type="OPEN" for testing. I have
added the rule ipfw add 50 allow ip from any to any.

My configuration:
    I have half a class-C. The lower 64 addresses will be the outside
addresses, the upper 64 will be the inside addresses (the following are
not the real addresses). The Cisco is plugged into fxp0, my inside
network is plugged into fxp1.

    (1)   210.153.7.129 netmask 255.255.255.128 - my cisco router
    (2)   210.153.7.130 netmask 255.255.255.64 - fxp0
    (3)   210.153.7.192 netmask 255.255.255.64 - fxp1
    (4)   210.153.7.193 netmask 255.255.255.64 - an internal computer

My Problem:
    I can ping (2) and (3) from (4), but I can't ping the router or
anything on the net from (4). I can ping (1) and (2) from outside, but
not (3) or (4). I can ping anywhere from the BSD box. I have tried and
tried, but I can't get this to work. If anyone can share a little
insight, I would be grateful.

Post by Timothy J. L » Thu, 26 Nov 1998 04:00:00

|My Problem:
|    I can ping (2) and (3) from (4), but I can't ping the router or
|anything on the net from (4). I can ping (1) and (2) from outside, but
|not (3) or (4). I can ping anywhere from the BSD box. I have tried and
|tried, but I can't get this to work. If anyone can share a little
|insight, I would be grateful.

Have you tried looking in the ipfw logs to see if any packets that
you want to let through are being denied and logged?
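A small way to do what this reply suggests, as an added example rather than anything from the thread: summarise the kernel's ipfw log lines by rule and interface so that packets you meant to allow but which were denied stand out. The log lines are constructed for this example and follow the classic "ipfw: <rule> <Action> <proto> <src> <dst> <in|out> via <interface>" layout; that layout is an assumption, so compare it with a real line from your syslog before trusting the field positions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise ipfw log lines so that denied
# packets can be spotted per rule and interface.  The sample lines are
# constructed here, in the classic kernel log layout
#   ipfw: <rule> <Action> <proto> <src> <dst> <in|out> via <interface>
# which is an assumption about the format; check a real line from syslog
# before relying on the field positions.

SAMPLE_LOG='Nov 25 10:01:02 fw /kernel: ipfw: 65000 Deny ICMP:8.0 210.153.7.193 210.153.7.129 in via fxp1
Nov 25 10:01:03 fw /kernel: ipfw: 65000 Deny ICMP:8.0 210.153.7.193 210.153.7.129 in via fxp1
Nov 25 10:01:05 fw /kernel: ipfw: 65000 Deny TCP 210.153.7.193:1025 210.153.7.129:23 in via fxp1
Nov 25 10:01:09 fw /kernel: ipfw: 50 Accept ICMP:0.0 210.153.7.129 210.153.7.130 in via fxp0
Nov 25 10:01:11 fw /kernel: ipfw: 65000 Deny UDP 210.153.7.200:53 210.153.7.193:1026 in via fxp0'

# Print "count rule interface" for each rule/interface pair that denied
# packets, most frequent first.  The "ipfw:" field is located by name, so
# the length of the syslog prefix does not matter.
denied_summary() {
    printf '%s\n' "$1" | awk '
        /ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); action = $(i + 2); iface = $NF
            if (action == "Deny") count[rule " " iface]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Count denied packets that name a given address as source or destination.
# $1 = log text, $2 = address (matched as a fixed string, so "." is literal).
denied_for_host() {
    printf '%s\n' "$1" | grep 'ipfw: ' | grep -w Deny | grep -cF -- "$2"
}

# Print the denied lines themselves for one interface, e.g. to see what the
# inside network (fxp1) sent that never got through.
denied_via() {
    printf '%s\n' "$1" | grep 'ipfw: ' | grep -w Deny | grep -w "via $2"
}

denied_summary "$SAMPLE_LOG"
denied_via "$SAMPLE_LOG" fxp1
```

Nothing is logged unless a rule carries the log keyword (for example a final deny log ip from any to any) and the kernel was built with IPFIREWALL_VERBOSE; with an all-allow ruleset like the rule 50 in the original post, ipfw -a list, which shows per-rule packet counters, is the quicker way to see whether packets are even reaching the firewall.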

Post by Wilhelm Rud » Sun, 29 Nov 1998 04:00:00



>    I have half a class-C. The lower 64 addresses will be the outside
>address, the upper 64 will be the inside addresses (The following are
>not the real addresses). The cisco is plugged into fxp0, my inside
>network is plugged into fxp1

>    (1)   210.153.7.129 netmask 255.255.255.128 - my cisco router
>    (2)   210.153.7.130 netmask 255.255.255.64 - fxp0
>    (3)   210.153.7.192 netmask 255.255.255.64 - fxp1
>    (4)   210.153.7.193 netmask 255.255.255.64 - an internal computer

I may be totally off-track here, but don't you want a netmask of
255.255.255.192 on (1) - (3)?  You're dividing the upper half of a
class-C address into 2 64-address blocks, so each block should have
the first 2 bits on the last quad set to 1, and the remainder to 0,
for a netmask.  Right now, the last quad looks like 01000000, which
appears to say that the second bit should be understood as a network
bit, but the first bit is a host bit.  Given that the network bits
always precede the host bits (which they might not, for all I know),
it's reasonable that this would confuse a router.

WR
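The netmask arithmetic behind this reply, as an added example (not code from the thread): a POSIX sh script that tests whether a dotted-quad mask is a contiguous run of ones, turns a valid mask into a prefix length, and computes network addresses for the placeholder addresses given in the original post. It confirms that 255.255.255.64 is not a contiguous mask while 255.255.255.192 is /26, and its last check also shows that, under the router's own 255.255.255.128 mask, the inside host's address falls inside the router's directly connected network.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a dotted-quad netmask is a
# contiguous run of ones, turn it into a prefix length, and compute network
# addresses, so an addressing plan like the one in the thread can be checked
# arithmetically instead of by eye.  Uses only POSIX sh arithmetic.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Succeed only if the mask is ones followed by zeros: the inverted mask must
# then be of the form 2^k - 1, i.e. adding 1 to it clears every set bit.
mask_valid() {
    m=$(ip2int "$1")
    inv=$(( ~m & 4294967295 ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# Prefix length (/N) of a valid mask; fails on a non-contiguous mask.
prefix_len() {
    mask_valid "$1" || { echo "not a contiguous netmask: $1" >&2; return 1; }
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Network address of $1 under mask $2.
network() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Succeed if $1 and $2 fall in the same network under mask $3.
same_subnet() {
    [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# Walk the addresses from the thread (placeholders there, not real ones).
report() {
    for entry in \
        "210.153.7.129 255.255.255.128 cisco" \
        "210.153.7.130 255.255.255.64 fxp0" \
        "210.153.7.192 255.255.255.64 fxp1" \
        "210.153.7.193 255.255.255.64 inside-host"
    do
        set -- $entry
        if mask_valid "$2"; then
            echo "$3: $1/$(prefix_len "$2") network $(network "$1" "$2")"
        else
            echo "$3: mask $2 is not contiguous (try 255.255.255.192 = /26)"
        fi
    done
    if same_subnet 210.153.7.129 210.153.7.193 255.255.255.128; then
        echo "under the router's /25, 210.153.7.193 looks directly connected to it"
    fi
}

report
```

Running it with the original post's numbers prints one line per interface; the three 255.255.255.64 entries are reported as non-contiguous, which is the point of the reply above.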

 
 
 

1. Grep command kicking my butt

Having a real problem with grep/ereg:

I have a bunch of HTML files I need to search through using the grep
statement. Inside these files, I've made myself an <INPUT
TYPE="HIDDEN"> tag that contains in the value attribute a list of
comma-delimited numbers, one for each file, no more, no less. I need
to find if a certain number is in these tags (and each file contains
one tag). I need a grep statement that will let me search these lines
to see if a number exists, obviously in the beginning or the end or
the middle or if it's the only number in the list. So, say I need #1,
I need to grep each file to find if 1 is in its INPUT TYPE="HIDDEN"
list. But if it's 1, it can't return a list with only 451, so I have
to check if there is a comma on either side, or a quotation mark on
either side, or a comma and a quotation mark... Get what I'm saying?
Here are some example tags to test for #1:

<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1,2,3,4,5">      //beginning
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "0,1,2,3,4,5">    //middle
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "5,4,3,2,1">      //end
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1">              //only
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "411">            //don't return this
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "322,411">        //don't return this
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1,411">          //return this

Does anybody have a solution? I *know* it's possible, but I can't get
it and I've been working on it for days now. This is one of those
really annoying bugs that really grates on a programmer. The command I
have so far is:

grep '^<INPUT TYPE = \"HIDDEN\" NAME = \"characters\" VALUE = \"" .
"[[:digit:]+,]*" . "$number" . "[,[:digit:]+]*" . "\">' *.html

This doesn't work, though, because it assumes that the [:digit:] and
comma can be in any order, so it doesn't matter that, if it finds any
numbers before or after the number I'm searching for, that there is a
comma in the appropriate place.
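An added example (not the poster's command) showing one pattern that enforces the comma placement the post asks for, using grep -E: digits may appear before the wanted number only as "digits," groups and after it only as ",digits" groups, with the closing quote immediately after the last element, so 1 can no longer match inside 411. The seven tags from the post are embedded as a string so the script runs without any files; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: match a number only as a whole element of
# the comma-separated VALUE list, using grep -E.  The sample tags are the
# ones from the post, embedded here so the script runs without any files.

SAMPLE_TAGS='<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1,2,3,4,5">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "0,1,2,3,4,5">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "5,4,3,2,1">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "411">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "322,411">
<INPUT TYPE = "HIDDEN" NAME = "numbers" VALUE = "1,411">'

# Regex for "number $1 is one complete element of the VALUE list":
#   zero or more "digits," before it, zero or more ",digits" after it, and
#   the closing quote right after the last element.  Because every group of
#   digits must be followed (before) or preceded (after) by a comma, the
#   number cannot match as a substring of a longer number.
list_pattern() {
    printf 'VALUE *= *"([0-9]+,)*%s(,[0-9]+)*"' "$1"
}

# Exit 0 if the text in $2 contains number $1 in its list, 1 otherwise.
has_number() {
    printf '%s\n' "$2" | grep -Eq "$(list_pattern "$1")"
}

# Print only the sample tags whose list contains $1.  Against real files the
# same pattern is used as:  grep -El "$(list_pattern "$number")" *.html
tags_with_number() {
    printf '%s\n' "$SAMPLE_TAGS" | grep -E "$(list_pattern "$1")"
}

# Number of sample tags whose list contains $1.
count_matching() {
    tags_with_number "$1" | wc -l | tr -d ' '
}

echo "tags containing 1:"
tags_with_number 1
echo "tags containing 411:"
tags_with_number 411
```

The list of matching file names for a number is then grep -El "$(list_pattern 1)" *.html; the -l flag prints each file once, which suits a one-tag-per-file layout.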
