Masquerading

ATPlack (ATPlack@scj.com)
Wed, 18 Sep 1996 15:18:27 -0500


Okay, here goes. I am having a problem with masquerading in the 2.0.X
kernels.

I started with 2.0.5 and have worked my way up to 2.0.18 (19 had a problem
with modules, which is another topic, and 20 has not been tried).

BACKGROUND
-----------------------
My firewall machine is connected to my ISP via a PPP connection (just for
now). For the sake of the document (however not really) the gateway machine
is 151.51.25.126 (class C). The address that they assign my interface is
151.51.25.X (DHCP group). My Ethernet has an address of 192.168.250.0.
192.168.250.150 is my gateway. pppd is started with defaultroute so that
the default route for the gateway is ppp0. 198.168.250.153 is my host box.

From the firewall, I can see the world and life is good. However, my ISP is
using IGRP, which does me no good as far as routing goes (no RIP available),
and I am using the private networks as specified in the RFC; therefore,
masquerading is required. Thanks to all who saw the need for this and have
included it in the kernel.

ISSUES
--------------
(defaults for all filters are accept)

test1
-------
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f

There are no errors in the command line.
This forwards the packet from localnet to ppp0 as is. No problem,
except that no router on 151.51.25.0 has a clue where 192.168.250.0 is.
Neither gated nor routed fixes it (see the notes above on IGRP). Therefore,
there is no return route. Not a problem with masquerading, right? These
packets are visible with "tcpdump -i ppp0".

test 2
--------
ipfwadm -F -a accept -S 192.168.250.? -W ppp0 -m

There are no errors in the command line.
? is any number between 0 and 255. Please note, I have tried both 0
and a specific address like 153.
tcpdump shows me that packets are being received by the gateway (on
eth0) but there is no forwarding of the packets to ppp0 or lo ("tcpdump -i"
command verifies this). "ipfwadm -M -l" shows nothing in the masquerade
tables.
Changing the -W to -V and specifying the interface address makes no
difference.

test 3
--------
ipfwadm -F -a accept -S 192.168.250.? -V 151.51.25.# -m

There are no errors in the command line.
This works for any given value of # that is returned by pppd and for
any value of ? EXCEPT for 0 or 255. Here is an output of my "ipfwadm -F
-ln" command:

IP firewall forward rules, default policy: accept
type   prot  source            destination   ports
acc/m  all   192.168.250.151   0.0.0.0/0     n/a
acc/m  all   192.168.250.153   0.0.0.0/0     n/a
acc/m  all   192.168.250.153   0.0.0.0/0     n/a

Please note that this is not reliable. 1 out of every 3 (random)
"shutdown -r now" attempts will not allow this to work.

Problems
-------------
1. Why does the forward gateway not allow any IP address on the net to be
passed unless they are specifically specified in the forward gateway's list?
i.e. why does the localnet not work as a parameter?
2. The documentation is not clear on the mask (that is why you do not see me
using it). Do I need 0.0.0.255 or 255.255.255.255.0 for all addresses on
192.168.250.0?
3. Why can I not specify -W with the command and have it work?
4. The flakiness of test 3 is a minor hassle. I am going to assume it is
in my software setup until I verify all software updates in the system and
then have understood Problems 1-3.

TIA
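Added example, not part of the post above and not ipfwadm's own code: a small POSIX sh script that evaluates the address/mask matching that tests 2 and 3 and problems 1 and 2 turn on, using the 192.168.250.x addresses from the post. It assumes ipfwadm's convention that a bare `-S` address is a single host (mask 255.255.255.255) and that a mask may be written as a prefix length or a dotted quad, so it shows which of the poster's candidate specs would cover every host on the net.

```shell
#!/bin/sh
# Added example (not from the original post). Evaluates whether a host
# address falls inside an ipfwadm-style source spec: "addr", "addr/prefix"
# or "addr/dotted-mask". Plain sh arithmetic, so no ipfwadm or 2.0 kernel
# is needed. Assumption: a bare address means one host (mask 255.255.255.255).

# dotted quad -> 32-bit integer; fails (prints nothing) on malformed input
ip_to_int() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*) return 1 ;;   # five octets, or non-digit junk
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask -> 32-bit integer; accepts a prefix length (24) or dotted (255.255.255.0)
mask_to_int() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
             echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# spec_matches SPEC HOST: prints yes/no; returns 2 if SPEC cannot be parsed
spec_matches() {
    case $1 in
        */*) addr=${1%/*}; mask=${1#*/} ;;
        *)   addr=$1; mask=32 ;;
    esac
    a=$(ip_to_int "$addr") || return 2
    m=$(mask_to_int "$mask") || return 2
    h=$(ip_to_int "$2") || return 2
    if [ $(( a & m )) -eq $(( h & m )) ]; then echo yes; else echo no; fi
}

# The cases from the post: one host, the bare .0 address, the whole net in
# both mask forms, the wildcard-style mask, and the five-octet mask.
spec_matches 192.168.250.153                 192.168.250.153   # yes
spec_matches 192.168.250.0                   192.168.250.153   # no: bare .0 is a host
spec_matches 192.168.250.0/24                192.168.250.153   # yes
spec_matches 192.168.250.0/255.255.255.0     192.168.250.153   # yes
spec_matches 192.168.250.0/0.0.0.255         192.168.250.153   # no: keeps host bits
spec_matches 192.168.250.0/255.255.255.255.0 192.168.250.153 || echo "invalid spec"
```

The bare `192.168.250.0` and `192.168.250.255` specs match only those two addresses, which is why individually listed hosts worked in test 3 while 0 and 255 did not; a net-wide rule needs the mask spelled out.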