On Fri, 23 Nov 2007 12:33:26 -0200
 "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
 > 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
 > >
 > > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

[..]

 > > > > > em0 external world XXX.XXX.XXX.XXX
 > > > > > rl0 adm 192.168.1.80
 > > > > > rl1 acad 192.168.2.90
 > > > > > rl3 database 10.10.0.50
 > > > > >
 > > > > > They are all separated networks. What I want: 192.168.2 should only access
 > > > > > the internet, shouldn't have access to 192.168.1 or 10.10/16.
 > > > > > 192.168.1 should access the internet and
 > > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should access
 > > > > > only the 192.168.1 network, but it's not a problem if they had access to
 > > > > > internet too.
 > > > > >
 > > > > > How I would set up my rc.conf with my static routes?
 > > > >
 > > > > This is beyond the scope of routing.  You'll need to install a packet
 > > > > filter.  The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

 > > > Yes, I have IPFilter installed, but if I would want everybody to ping
 > > > everybody and then block the things in the firewall, isn't it about routes?
 > > > Because neither of my networks is pinging any other right now. By ping
 > > > I mean have access. I thought it would have something to do with setting
 > > > routes. BTW, my ipfilter now just passes everything because I'm building the
 > > > server, but I already have a config file with the blocks that I would apply.
 > >
 > > That's a completely different scenario than the one you described in
 > > your previous message.
 > >
 > > Do you have gateway_enable="YES" in /etc/rc.conf?
 > >
 > > --
 > > Bill Moran
 > > http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

 > Yeah, I know, I was trying to make it work with only adm and external, but
 > the real scenario I have is this. Yes I have this line, my rc.conf is like
 > this:
 > [...]
 > gateway_enable="yes"
 > defaultrouter="XXX.XXX.XXX.158" (the external ip)
 > ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"

If that wasn't a typo, this is a non-contiguous netmask.  I suspect you
want 255.255.255.224, assuming the default router is in the same subnet?

Specifying CIDR notation with route and ifconfig can make netmask
fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)

I'm not saying this odd netmask explains your problem, nor that I fully
understand the effect of non-contiguous netmasks, but it's worth fixing.

 > ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
 > ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
 > ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
 > [...]

On which machine/s is NAT translation taking place?  Eg if 10.10/16 were
allowed access to the internet via here, where would they get NAT'd to
the external IP? 

Cheers, Ian
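An added example, not part of the thread and not the poster's or FreeBSD's own code: a POSIX sh script that does the two checks raised above (is the em0 netmask a contiguous prefix, and is the defaultrouter on-link for it) and then emits a pf.conf implementing the three-segment policy the poster described, with NAT for all inside segments done on this router. Assumptions: 203.0.113.x (the TEST-NET-3 documentation range) stands in for the redacted XXX.XXX.XXX.x addresses, the database segment is on rl2 as in the posted rc.conf (the earlier listing said rl3), and the database network is allowed out to the internet, which the poster said was acceptable.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight the router's rc.conf addressing
# (contiguous netmask? default router on-link?) and emit a pf.conf for the
# three-segment policy.  203.0.113.x (TEST-NET-3) is a constructed stand-in for
# the poster's redacted XXX.XXX.XXX.x addresses.

# dotted quad -> unsigned 32-bit integer (subshell body keeps the IFS change local)
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# unsigned 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A proper netmask is a run of ones followed by zeros, so its 32-bit complement
# is zeros followed by ones: (~m)+1 is then a power of two.  255.255.255.227 fails.
mask_is_contiguous() {
    inv=$(( ~$(ip2int "$1") & 0xffffffff ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Length of the leading run of ones: the CIDR prefix of a valid mask, and for a
# fat-fingered one the prefix it was most likely meant to be.
mask_prefix() {
    m=$(ip2int "$1"); n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$n"
}

prefix2mask() { int2ip $(( (0xffffffff << (32 - $1)) & 0xffffffff )); }

# same_subnet ADDR1 ADDR2 MASK: true when both share the network part
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_uplink ADDR MASK DEFAULTROUTER: non-zero when the rc.conf values are suspect
check_uplink() {
    if ! mask_is_contiguous "$2"; then
        p=$(mask_prefix "$2")
        echo "BAD: netmask $2 is non-contiguous; its leading ones give /$p = $(prefix2mask "$p")"
        return 1
    fi
    if ! same_subnet "$1" "$3" "$2"; then
        echo "BAD: defaultrouter $3 is not on-link for $1/$(mask_prefix "$2")"
        return 1
    fi
    echo "OK: $1/$(mask_prefix "$2"), defaultrouter $3 is on-link"
}

# pf.conf for the stated policy.  pf is last-match-wins, so the per-segment
# denials carry "quick"; states created on the inbound interface are floating
# and let the forwarded and reply packets through on the other interfaces.
# Interface names follow the posted rc.conf (database on rl2, not rl3).
gen_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
adm_if = "rl0"
acad_if = "rl1"
db_if = "rl2"
adm_net = "192.168.1.0/24"
acad_net = "192.168.2.0/24"
db_net = "10.10.0.0/16"
table <internal> { 192.168.1.0/24, 192.168.2.0/24, 10.10.0.0/16 }
set skip on lo0
scrub in all
# NAT for every inside segment is done here, on the external side
nat on $ext_if from <internal> to any -> ($ext_if)
block log all
pass out keep state
# acad: the outside world only (not adm, not database, not this router)
block in quick on $acad_if from $acad_net to <internal>
pass in on $acad_if from $acad_net to any keep state
# adm: outside world and database, never acad
block in quick on $adm_if from $adm_net to $acad_net
pass in on $adm_if from $adm_net to any keep state
# database: adm and (acceptable per the poster) the outside world, never acad
block in quick on $db_if from $db_net to $acad_net
pass in on $db_if from $db_net to any keep state
EOF
}

main() {
    check_uplink 203.0.113.130 255.255.255.227 203.0.113.158 || :   # as posted
    check_uplink 203.0.113.130 255.255.255.224 203.0.113.158        # presumed intent
    if command -v pfctl >/dev/null 2>&1; then
        gen_pf_conf | pfctl -nf -     # parse-only check on a box that has pf
    else
        gen_pf_conf
    fi
}
main
```

On a FreeBSD box with pf loaded, `pfctl -nf -` only parses the generated ruleset; drop the `-n` (or write it to /etc/pf.conf and `pfctl -f`) to load it. ipfw can express the same policy, but the same two filter-design points apply there too: deny the cross-segment traffic explicitly before the general allow, and make sure NAT for every inside segment is configured on the box whose external address they are supposed to leave from.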

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"