From: Wayne Pascoe
To: Odhiambo Washington, FBSD-Q
Date: Tue, 30 Mar 2004 09:15:48 +0100
Subject: Re: Using IPFW/NAT with multiport PCI cards
Message-ID: <20040330081548.GB26996@marvin.penguinpowered.org>

On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:
> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).
>
> Is this doable? (I hope someone has done this before). I would say I am
> a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
> Any minute gotchas/clues will be highly appreciated. URL links
> pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules, really...
Here's an example that would allow FTP to one network and HTTP to
another...

    ${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
    ${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

    ${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow.
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some ?

-- 
Wayne Pascoe
BSD is for people who love UNIX; Linux is for people who hate Windows
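As an added example (not part of Wayne's post), here is a complete rc.firewall-style script that grows the three rules above into a deny-by-default policy for one NATed external interface and four mutually isolated internal interfaces. It goes a little beyond the post: it adds anti-spoofing on each internal interface (the "from <net>" match alone does not stop a host on xl3 from using a net-1 address, but combined with "in via xl1" it does), an explicit deny between the protected networks, the natd divert rule ordered ahead of check-state, and an explicit final deny. Interface names xl0..xl4, the 192.168.N.0/24 addressing, the public address 203.0.113.2, and the "net 1 may ssh to net 2" exception are assumptions made for this example; natd(8) with a -redirect_port for each published service is assumed to be running.

```shell
#!/bin/sh
# Added example, not code from the post above: an rc.firewall-style script
# for one NATed external interface and four mutually isolated internal
# interfaces.  Interface names (xl0..xl4), 192.168.N.0/24 addressing, the
# public address and the net1->net2 ssh exception are assumptions.
#
#   sh multi_if_fw.sh        # print the rules that would be loaded
#   sh multi_if_fw.sh load   # load them for real with /sbin/ipfw (as root)

ext_if="xl0"
ext_ip="203.0.113.2"            # assumed public address of xl0
int_ifs="xl1 xl2 xl3 xl4"       # one protected network per interface

# Assumed addressing: interface xlN carries 192.168.N.0/24.
net_of() {
    echo "192.168.${1#xl}.0/24"
}

# Emit the whole rule set through the command given as $1.  Rule numbers
# are explicit so the evaluation order (and the deny-by-default
# fall-through at the end) is visible in the output.
build_rules() {
    fwcmd="$1"

    ${fwcmd} -f flush

    # Loopback, and nothing pretending to be loopback elsewhere.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: a packet arriving on xlN must carry a source from
    # xlN's own network, and nothing from outside may claim a private
    # source.  These sit before check-state so a spoofed packet can never
    # ride an existing dynamic rule.
    n=150
    for iif in ${int_ifs}; do
        ${fwcmd} add ${n} deny log ip from not "$(net_of "${iif}")" to any in via "${iif}"
        n=$((n + 10))
    done
    ${fwcmd} add 190 deny log ip from 192.168.0.0/16 to any in via ${ext_if}

    # NAT on the external interface (natd must listen on the "natd" divert
    # port).  The divert rule is ahead of check-state so that a reply natd
    # has translated back to its private destination is matched against
    # the dynamic rule created on the way out.
    ${fwcmd} add 200 divert natd ip from any to any via ${ext_if}
    ${fwcmd} add 300 check-state

    # Explicit exceptions between protected networks go here, before the
    # blanket inter-network deny.  "from <net>" plus "in via <if>" is what
    # keeps this rule unreachable from xl0.
    ${fwcmd} add 2000 allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 \
        tcpflags syn keep-state in via xl1

    # Every other packet from one protected network to another is dropped,
    # which is what makes the networks invisible to each other.
    n=3000
    for iif in ${int_ifs}; do
        for onet in ${int_ifs}; do
            if [ "${onet}" = "${iif}" ]; then continue; fi
            ${fwcmd} add ${n} deny ip from any to "$(net_of "${onet}")" in via "${iif}"
            n=$((n + 10))
        done
    done

    # Each protected network may reach the outside world; the dynamic rule
    # created here admits the reply after natd has de-translated it.
    n=4000
    for iif in ${int_ifs}; do
        ${fwcmd} add ${n} allow ip from "$(net_of "${iif}")" to any in via "${iif}" keep-state
        n=$((n + 10))
    done
    # After natd rewrites the outbound packet its source is ${ext_ip}, so it
    # no longer matches that dynamic rule; let it leave explicitly.
    ${fwcmd} add 4500 allow ip from ${ext_ip} to any out via ${ext_if}

    # Services published to the outside, as in the post (natd needs a
    # matching -redirect_port for each, otherwise the destination is never
    # rewritten to the private address these rules match).
    ${fwcmd} add 5000 allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via ${ext_if}
    ${fwcmd} add 5010 allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via ${ext_if}

    # Deny by default, explicitly, so the policy does not depend on how the
    # kernel's built-in rule 65535 was compiled.
    ${fwcmd} add 65000 deny log ip from any to any
}

case "${1:-}" in
    load) build_rules /sbin/ipfw ;;
    *)    build_rules "echo ipfw" ;;
esac
```

Run it without arguments first and read the printed rules: for each internal interface you should see one anti-spoof deny, three denies towards the other internal networks, and one stateful allow to "any", with the single ssh exception numbered ahead of the denies and the catch-all deny last. Only then load it for real.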