From owner-freebsd-questions@FreeBSD.ORG Thu Jan 22 10:24:28 2004
From: James Earl
To: Rishi Chopra
cc: freebsd-questions@freebsd.org
Subject: Re: Port Forwarding
Date: Thu, 22 Jan 2004 11:25:42 -0700
In-Reply-To: <400FBA0B.5010606@cal.berkeley.edu>
Message-Id: <1074795942.57363.79.camel@work>

If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE'
should be no different than using 'OPEN' from your win2k's perspective.
This is assuming you don't have a broken rc.firewall file. Looking at
your original post, your sample was missing the 'onet' variable.

# set these to your outside interface network and netmask and ip
oif="rl0"
onet="???.???.???.???"
omask="255.255.255.0"   <-- make sure this is right!!!
oip="me"

# set these to your inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.1"
imask="255.255.255.0"
iip="192.168.0.1"

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration. I use:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the
Handbook. IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security. If you are having troubles with connectivity, look in
/var/log/security to see if it shows what's being blocked and by what
rule.

Hope this helps.

James

On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
>
> I've configured my Win2k box to contact DNS directly, and both Direct
> Connect and VNC Server are running smoothly (port forwarding is being
> accomplished (per your suggestion) by natd.conf).
>
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm
> protection of its own); this is truly the only sticking point. I'm
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides
> an additional layer of protection to the gateway by preventing certain
> spoofing attacks. Unfortunately, I seem unable to switch the firewall
> type without crippling my Win2k box's functionality. Perhaps I'll give
> it a go again sometime in the future.
>
> Here's a copy of the relevant files:
>
> //natd.conf
>
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
>
> //rc.conf
>
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
>
> -R
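The two things James recommends above, checking the rc.firewall 'SIMPLE' variables before switching away from 'OPEN' and reading /var/log/security to see what was denied and by which rule, as an added POSIX sh example that is not part of this thread and not FreeBSD's own code. The variable values are copied from the snippet in the mail, with 'onet' left at its placeholder so the check has something to catch; the log lines are constructed to match the shape IPFIREWALL_VERBOSE writes (rule number, action, protocol, src:port, dst:port, direction, interface); and the two anti-spoofing rules are written from memory of the 4.x rc.firewall SIMPLE section, so treat them as an assumption and compare them with the local /etc/rc.firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall.
# 1) check_simple_vars: catch unset/placeholder/malformed SIMPLE variables
# 2) spoof_rules: show the anti-spoofing rules those variables turn into
# 3) summarize_denies: count ipfw "Deny" lines from /var/log/security per rule

# Constructed values mirroring the snippet in the mail; 'onet' is still the
# placeholder from the original post so the check below reports it.
oif="rl0"
onet="???.???.???.???"
omask="255.255.255.0"
oip="me"
iif="rl1"
inet="192.168.0.1"
imask="255.255.255.0"
iip="192.168.0.1"

# is_ipv4 ADDR: succeed only for four dotted decimal octets in 0..255
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
                         { exit 1 }'
}

# check_simple_vars: print one line per variable; return the number of
# problems found (0 means the SIMPLE rules have everything they need).
check_simple_vars() {
    bad=0
    for name in oif onet omask oip iif inet imask iip; do
        eval "val=\$$name"
        case "$val" in
            ""|*\?*)
                echo "BAD  $name is unset or still a placeholder: '$val'"
                bad=$((bad + 1))
                continue ;;
        esac
        case "$name" in
            onet|omask|inet|imask|iip)
                if is_ipv4 "$val"; then
                    echo "ok   $name=$val"
                else
                    echo "BAD  $name is not a dotted-quad address: '$val'"
                    bad=$((bad + 1))
                fi ;;
            *)  echo "ok   $name=$val" ;;   # oif/iif are names; oip may be 'me'
        esac
    done
    return $bad
}

# spoof_rules: the two "stop spoofing" rules the SIMPLE section derives from
# the variables (assumed wording; printed as a dry run, never loaded here).
# Inside addresses must not arrive on the outside interface and vice versa.
spoof_rules() {
    echo "ipfw add deny all from ${inet}:${imask} to any in via ${oif}"
    echo "ipfw add deny all from ${onet}:${omask} to any in via ${iif}"
}

# Constructed /var/log/security lines in the IPFIREWALL_VERBOSE shape.
SAMPLE_LOG='Jan 22 11:24:25 usha /kernel: ipfw: 300 Deny TCP 198.51.100.7:1040 192.168.0.2:5900 in via rl0
Jan 22 11:24:26 usha /kernel: ipfw: 300 Deny TCP 198.51.100.7:1041 192.168.0.2:5900 in via rl0
Jan 22 11:24:30 usha /kernel: ipfw: 400 Deny UDP 203.0.113.9:53 192.168.0.1:1234 in via rl0
Jan 22 11:25:02 usha /kernel: ipfw: 65000 Accept TCP 192.168.0.2:1035 203.0.113.9:80 out via rl0'

# summarize_denies: read log lines on stdin; print "<hits> rule <n> <proto>
# -> <dst:port> <dir> via <if>" for every denied flow, most frequent first.
summarize_denies() {
    awk '/ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); proto = $(i + 3); dst = $(i + 5)
            dir = $(i + 6); iface = $(i + 8)
            hits["rule " rule " " proto " -> " dst " " dir " via " iface]++
        }
        END { for (k in hits) print hits[k], k }' | sort -rn
}

echo "== rc.firewall SIMPLE variables =="
check_simple_vars || echo "-> fix the variables above before setting firewall_type=\"SIMPLE\""
echo "== anti-spoofing rules these variables produce (dry run) =="
spoof_rules
echo "== denied flows in the constructed log =="
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Against the real system, replace the constructed variables with the ones from /etc/rc.firewall and feed `grep 'ipfw:' /var/log/security` into summarize_denies; a forwarded port such as 5900 showing up under a Deny rule tells you which rule number in the SIMPLE set is the one that needs attention.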