LinuxQuestions.org, *BSD forum: discussion of all BSD variants (FreeBSD, OpenBSD, NetBSD, etc.)
I am setting up a FreeBSD firewall, and I am having problems with the second NIC. I am using 3Com 905s, so the device names are xl0 and xl1.
xl0 is set to a static IP address and it is working fine; I can ping out and use the internet gateway, and I can ping it from other computers.
Now the second one I have set to 192.168.1.1. I have it connected to a hub, and then I have another computer on that hub that has its IP address set to 192.168.1.2 with its gateway as 192.168.1.1.
I am using ipfw and have recompiled the kernel to enable it, and it looks like everything is working, NAT and the like, but I can't ping 192.168.1.1 from 192.168.1.2, and 192.168.1.2 cannot access anything beyond its own subnet.
Also, I am not sure if I should be able to, but I get an error tossed up when I try to ping either 192.168.1.1 or 192.168.1.2. The error is
ping: sendto: Permission denied
I am logged in as root while I am doing this.
I have a strange feeling that xl1 is not up or activated. I know that NIC works, though. I am sure there is some log or file or something I should post along with my problem, but if you could tell me what to post, that would help. Thanks a bunch.
I was following the instructions here: http://www.lugbe.ch/lostfound/contrib/freebsd_router/
I followed everything up to the racoon and IPsec parts. I was told that you don't need to do the IPsec and racoon parts; maybe that's the problem. Do I need to have completed the install of racoon and IPsec?
IPFW is blocking it. If you get permission denied from that machine (the firewall) when you try to ping something on the internal network, then you haven't configured your firewall rules properly.
You don't need IPsec to have a firewall (racoon is an IPsec implementation), although it is nice for remote access. I would undo all the IPsec stuff (except the kernel drivers) and just concentrate on getting IPFW and NAT working first.
That's pretty much what I figured, thanks. I'll post the rules I have put into the rules section. Also, I noticed something flash past me at boot-up that looks like the add rules are not being applied. Where is the log of the boot-up stuff?
I am sure that what is happening is the ruleset I have is not being applied properly (err, at all). When I do ipfw list I get the following:
65535 deny ip from any to any
I am sure its something I have done or not done.
The lines in my rc.conf are (minus the NIC stuff, etc.):
add 00100 allow ip from any to any via xl0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0
I haven't included all the rules; as none are being applied, I figure only a few rules should be a good enough example.
Any thoughts? Or could someone give me an example of what the rules file should look like?
Doh, my mistake. I thought that when you called the firewall rules file the add command was sufficient. I have added the following to my rules file and it is all working just fine.
add="ipfw add"
and then I added a $ before each add in my rules:
$add 00100 allow ip from any to any via lo0
$add 00110 deny ip from any to 127.0.0.0/8
$add 00120 deny ip from any to any not verrevpath in
$add 00301 deny ip from 10.0.0.0/8 to any in via ep0
$add 00302 deny ip from 172.16.0.0/12 to any in via ep0
$add 00303 deny ip from 192.168.0.0/16 to any in via ep0
and it works fine. Silly me. I knew it was a dfo error.
Last edited by jedimastermopar; 07-23-2004 at 09:09 AM.
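Added example, not from the thread or from the lugbe.ch guide: a complete /etc/ipfw.rules script for the two-NIC NAT router described above (xl0 outside with a static address, xl1 inside as 192.168.1.1/24). It shows the point the thread arrives at, that a file run as firewall_script is a shell script, so each rule has to be a full command such as `ipfw -q add ...` rather than a bare `add ...`, and it fills in the pieces the thread leaves out: a flush, the natd divert rules, and rules that let the firewall and the 192.168.1.0/24 hosts talk to each other and reach the outside. The rc.conf lines quoted in the header, the rule numbers, the LAN/interface variables and the `print` argument are assumptions for this example; the rule ordering follows the stateful-NAT layout used in the FreeBSD Handbook's IPFW chapter (inbound divert before check-state, outbound rules that keep-state and skipto the outbound divert, so that dynamic entries are keyed on the pre-translation LAN addresses).

```shell
#!/bin/sh
# Added example /etc/ipfw.rules for a FreeBSD router: xl0 outside, xl1 inside.
# Assumed /etc/rc.conf settings that go with it:
#   gateway_enable="YES"
#   firewall_enable="YES"   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"       natd_interface="xl0"
# The kernel needs options IPFIREWALL and IPDIVERT (divert rules need natd).
#
# rc.firewall runs firewall_script through sh, so every line must be a real
# command.  A bare "add 100 allow ..." is not one; nothing loads, only the
# built-in "65535 deny ip from any to any" survives, and even the firewall
# itself gets "ping: sendto: Permission denied" on its own LAN.

oif="${OIF:-xl0}"             # outside NIC (environment override is an assumption)
iif="${IIF:-xl1}"             # inside NIC
lan="${LAN:-192.168.1.0/24}"  # inside network
fw="ipfw -q"                  # -q: quiet, so boot output is not flooded

# Print the ruleset, one complete ipfw command per line.
emit_rules() {
    cat <<EOF
$fw -f flush
$fw add 00100 allow ip from any to any via lo0
$fw add 00110 deny ip from any to 127.0.0.0/8
$fw add 00120 deny ip from 127.0.0.0/8 to any
$fw add 00130 deny ip from any to any not verrevpath in
$fw add 00200 deny ip from 10.0.0.0/8 to any in via $oif
$fw add 00201 deny ip from 172.16.0.0/12 to any in via $oif
$fw add 00202 deny ip from 192.168.0.0/16 to any in via $oif
$fw add 00300 divert natd ip from any to any in via $oif
$fw add 00310 check-state
$fw add 00400 allow ip from $lan to any in via $iif
$fw add 00410 allow ip from any to $lan out via $iif
$fw add 00500 skipto 800 tcp from any to any out via $oif setup keep-state
$fw add 00510 skipto 800 udp from any to any out via $oif keep-state
$fw add 00520 skipto 800 icmp from any to any out via $oif keep-state
$fw add 00600 deny log ip from any to any
$fw add 00800 divert natd ip from any to any out via $oif
$fw add 00810 allow ip from any to any
EOF
}
# Notes on the ordering above:
#  - 00300 translates inbound packets first, so 00310 check-state sees LAN
#    addresses; a match runs the parent rule's action (skipto 800), and
#    00800 does not match inbound traffic, so 00810 lets the reply through.
#  - 00400/00410 are what the thread was missing: they let 192.168.1.2 and
#    192.168.1.1 ping each other and let LAN packets enter the router.
#  - 00500-00520 create the dynamic entry before NAT and then jump to 00800
#    so the packet is still translated on the way out.
#  - 00600 is the explicit default; "log" only produces output when the kernel
#    has IPFIREWALL_VERBOSE and net.inet.ip.fw.verbose=1.
#  - Nothing is accepted in via $oif except NAT replies; an admin service on
#    the firewall would be an extra rule before 00600, for example
#    "$fw add 00350 allow tcp from any to me 22 in via $oif setup keep-state".

# Load the rules; sh -e stops at the first rule ipfw rejects.
load_rules() {
    emit_rules | sh -e
}

case "${1:-load}" in
    print) emit_rules ;;
    load)
        if command -v ipfw >/dev/null 2>&1; then
            load_rules
        else
            echo "ipfw not found; run '$0 print' to see the rules" >&2
        fi ;;
    *) ;;
esac
```

After loading, `ipfw list` should show the rules above rather than only 65535, and the first test is the one from the thread: ping 192.168.1.1 from 192.168.1.2, then ping something outside through the NAT. `sh /etc/ipfw.rules print` shows exactly what will be run without touching the live ruleset.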