From owner-freebsd-ipfw Tue Mar 28 20:18:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 605BD37B5BB; Tue, 28 Mar 2000 20:18:27 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA39264; Tue, 28 Mar 2000 20:18:26 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 28 Mar 2000 20:18:25 -0800 (PST)
From: Kris Kennaway
To: Chuck Rock
Cc: "'Freebsd-Ipfw"
Subject: Re: blocking web access selectively using ipfw?
In-Reply-To: <003101bf95e2$2f8ed2e0$0200000a@epconline.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 24 Mar 2000, Chuck Rock wrote:

> We're running multiple FreeBSD boxes as firewall/proxy solutions for some of
> our customers. I would like to know if there's a way to block web traffic
> from one interface to the other using a web address rather than IP? I didn't
> want to run Squid and try and set up that way if possible.

ipfw doesn't know what DNS name the http request was made under... it only
knows about the IP address. This is something your web server (if you're
serving up pages) or http proxy (for outgoing web requests) would have to
take care of via an appropriate ACL on who can access what.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Mar 29 6:28:42 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id EAA2437B73B for ; Wed, 29 Mar 2000 06:28:39 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id IAA68375 for ; Wed, 29 Mar 2000 08:28:37 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38E212EC.F0B7835@origen.com>
Date: Wed, 29 Mar 2000 08:27:56 -0600
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: NATD Translation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am using F'BSD 3.4-STABLE as a firewall and NATD to masquerade an internal
network behind it. Everything is working well, with the exception of reply
packets arriving back at the BSD box with addresses in the internal network.

Example:

Mar 28 20:04:37 horizon /kernel: ipfw: 700 Deny UDP 216.30.99.2:53 192.168.0.5:1219 in via xl0
Mar 28 20:20:36 horizon /kernel: ipfw: 700 Deny TCP 216.30.99.7:20 192.168.0.5:1272 in via xl0

The above replies to DNS and FTP requests hit the early private network
filtering rule. It seems to function perfectly otherwise, and I can't locate
a setting that would change this. Have I overlooked something?

--
Richard Martin                dmartin@origen.com
OriGen, inc.                  Tel: +1 512 474 7278
2525 Hartford Rd.
Austin, TX 78703

From owner-freebsd-ipfw Wed Mar 29 7:01:37 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gemini.bnc.net (gemini.bnc.net [195.247.233.33]) by hub.freebsd.org (Postfix) with ESMTP id EFF5E37B6B9 for ; Wed, 29 Mar 2000 07:01:21 -0800 (PST) (envelope-from ap@bnc.net)
Received: (from ap@localhost) by gemini.bnc.net (8.9.3/8.9.3) id RAA54580; Wed, 29 Mar 2000 17:00:20 +0200 (CEST) (envelope-from ap)
Date: Wed, 29 Mar 2000 17:00:20 +0200
From: Achim Patzner
To: Richard Martin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
Message-ID: <20000329170020.G35693@bnc.net>
References: <38E212EC.F0B7835@origen.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38E212EC.F0B7835@origen.com>; from dmartin@origen.com on Wed, Mar 29, 2000 at 08:27:56AM -0600
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Mar 29, 2000 at 08:27:56AM -0600, Richard Martin wrote:
> I am using F'BSD 3.4-STABLE as a firewall and NATD to masquerade an internal
[...]
> Have I overlooked something?

Yes: Adding the config files to get a reasonable answer from us.

Achim

From owner-freebsd-ipfw Wed Mar 29 7:17:33 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 3303F37C0C5 for ; Wed, 29 Mar 2000 07:17:28 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id JAA81029; Wed, 29 Mar 2000 09:16:57 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38E21E40.2FA2352A@origen.com>
Date: Wed, 29 Mar 2000 09:16:16 -0600
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Achim Patzner
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
References: <38E212EC.F0B7835@origen.com> <20000329170020.G35693@bnc.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Achim Patzner wrote:
>
> On Wed, Mar 29, 2000 at 08:27:56AM -0600, Richard Martin wrote:
> > I am using F'BSD 3.4-STABLE as a firewall and NATD to masquerade an internal
> [...]
> > Have I overlooked something?
>
> Yes: Adding the config files to get a reasonable answer from us.

Whoops, I thought I pasted that in. Here is the network portion:

hostname="horizon.formed.net"
network_interfaces="vx0 xl0 lo0"
ifconfig_vx0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_xl0="inet 216.80.68.30 netmask 255.255.255.128"
defaultrouter="216.80.68.1"
gateway_enable="YES"

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="custom"

natd_enable="YES"
natd_interface="xl0"

named_enable="YES"
portmap_enable="NO"
nfs_client_enable="NO"
nfs_server_enable="NO"

Thanks for your help

--
Richard Martin                dmartin@origen.com
OriGen, inc.                  Tel: +1 512 474 7278
2525 Hartford Rd.
Fax: +1 512 708 8522
Austin, TX 78703              http://www.formed.net

From owner-freebsd-ipfw Wed Mar 29 7:56:44 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id 1B32137C107 for ; Wed, 29 Mar 2000 07:56:41 -0800 (PST) (envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id B762F1A7; Wed, 29 Mar 2000 07:56:34 -0800 (PST)
Date: Wed, 29 Mar 2000 07:56:34 -0800
From: Ron 'The InSaNe One' Rosson
To: freebsd-ipfw@freebsd.org
Subject: Selective access
Message-ID: <20000329075634.A52161@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD lunatic.oneinsane.net 3.4-STABLE
X-Moon: The Moon is Waning Crescent (35% of Full)
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
X-WWW: http://www.oneinsane.net
X-PGP-KEY: http://www.oneinsane.net/~insane/insane2-pgp5i.txt
X-Uptime: 7:51AM up 6 days, 9:44, 1 user, load averages: 0.16, 0.19, 0.08
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I have set up a FreeBSD Server to perform NAT using IPFilter and IPNAT.
Basically it is something like this:

vr0 -------> Real Internet IP
vr1 -------> 192.168.0/24

The network portion of vr1 is where I am having issues. I would like to
set it up so that the lower 128 have full access thru the NAT and the
upper portion of the address space only be able to use email.

vr1 = 192.168.0.0   netmask 255.255.255.128   Full Access to the net
      192.168.0.128 netmask 255.255.255.128   Email access only

The NAT server also doubles as the Email server.

If anyone has done this or has an idea how it can be done without adding
another NIC, I would like to hear from ya. ;-)

TIA

--
-------------------------------------------------------------------
Ron Rosson                          ... and a UNIX user said ...
The InSaNe One                              rm -rf *
insane@oneinsane.net                and all was /dev/null and *void()
-------------------------------------------------------------------
I can only please one person per day. Today is not YOUR day.
Tomorrow doesn't look too good either.

From owner-freebsd-ipfw Wed Mar 29 8:14:38 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from home.offwhite.net (home.offwhite.net [156.46.35.30]) by hub.freebsd.org (Postfix) with ESMTP id 26F1837B619 for ; Wed, 29 Mar 2000 08:14:32 -0800 (PST) (envelope-from brennan@offwhite.net)
Received: from localhost (brennan@localhost) by home.offwhite.net (8.9.1/8.9.3) with ESMTP id KAA72677; Wed, 29 Mar 2000 10:14:11 -0600 (CST)
Date: Wed, 29 Mar 2000 10:14:11 -0600 (CST)
From: Brennan W Stehling
To: Richard Martin
Cc: Achim Patzner, freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
In-Reply-To: <38E21E40.2FA2352A@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have FreeBSD 3.4 set up on my home network to translate my LAN address
through to the single IP I have for my DSL connection. It was really simple
for me to set up and you may find it helpful.

First I compiled the kernel with additional options for the IP filtering and
firewall turned on. They are...

options IPDIVERT        #divert sockets
options IPFILTER        #kernel ipfilter support
options IPFILTER_LOG    #ipfilter logging
options IPSTEALTH       #support for stealth forwarding

That allowed me to start using ipnat with kernel support. I tried to use natd
by itself but that was not working despite much effort. The program ipnat
does all the work apparently so I decided to use that.

Next I added one line to /etc/rc.conf

firewall=open

That opens up the firewall but I believe it still offers me protection. It
does not matter too much to me since I am only using ipnat to translate
internal addresses. I will have to read more about it to know for sure.

Then I set up a config file at /etc/natrules. I chose 192.168.1.* as my home
IP block.

map xl1 192.168.1.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map xl1 192.168.1.0/16 -> 0.0.0.0/32

That sets all the translation mapping. (There is documentation at the end of
this email.)

Finally I set up a startup script at /usr/local/etc/rc.d/ipnat.sh

#!/bin/sh
ipnat -f /etc/natrules

Once you have it configured correctly you can run this startup script and try
it out. It worked right away for me.

A few things you may need to know in addition to this is how to get the
internal network to run. I had some problems but luckily worked them out
pretty quick. My outside gateway and subnet have one setting while my
internal network must use my internal server. So I have two ethernet cards,
one running the outside connection and one for the internal network and
connected to my 8 port hub. My two nic cards are xl0 and xl1. Here is some
ifconfig output.

xl0: flags=8843 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
xl1: flags=8843 mtu 1500
        inet 216.127.196.249 netmask 0xffffff00 broadcast 216.127.196.255

And from the home network I set my router to 192.168.1.2 and my address to
anything else in the 192.168.1.* ip block.

For more help you can look here...

http://www.freebsddiary.org/ipfilter334.html
http://www.freebsddiary.org/ipnat.html
http://www.freebsdzine.org/attic/199901/ipfilter.txt

I hope this info helps. Let me know how it goes.

Brennan Stehling - web developer and sys admin
projects: www.onmilwaukee.com | www.sncalumni.com
fortune: Make it myself? But I'm a physical organic chemist!
On Wed, 29 Mar 2000, Richard Martin wrote:

>
>
> Achim Patzner wrote:
> >
> > On Wed, Mar 29, 2000 at 08:27:56AM -0600, Richard Martin wrote:
> > > I am using F'BSD 3.4-STABLE as a firewall and NATD to masquerade an internal
> > [...]
> > > Have I overlooked something?
> >
> > Yes: Adding the config files to get a reasonable answer from us.
>
> Whoops, I thought I pasted that in. Here is the network portion:
>
> hostname="horizon.formed.net"
> network_interfaces="vx0 xl0 lo0"
> ifconfig_vx0="inet 192.168.0.1 netmask 255.255.255.0"
> ifconfig_xl0="inet 216.80.68.30 netmask 255.255.255.128"
> defaultrouter="216.80.68.1"
> gateway_enable="YES"
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="custom"
>
> natd_enable="YES"
> natd_interface="xl0"
>
> named_enable="YES"
> portmap_enable="NO"
> nfs_client_enable="NO"
> nfs_server_enable="NO"
>
>
> thanks for your help
>
> --
> Richard Martin                dmartin@origen.com
>
> OriGen, inc.                  Tel: +1 512 474 7278
> 2525 Hartford Rd.             Fax: +1 512 708 8522
> Austin, TX 78703              http://www.formed.net
>

From owner-freebsd-ipfw Wed Mar 29 8:31:34 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from home.offwhite.net (home.offwhite.net [156.46.35.30]) by hub.freebsd.org (Postfix) with ESMTP id C0BD037BD8D for ; Wed, 29 Mar 2000 08:31:29 -0800 (PST) (envelope-from brennan@offwhite.net)
Received: from localhost (brennan@localhost) by home.offwhite.net (8.9.1/8.9.3) with ESMTP id KAA72712; Wed, 29 Mar 2000 10:31:24 -0600 (CST)
Date: Wed, 29 Mar 2000 10:31:24 -0600 (CST)
From: Brennan W Stehling
To: Richard Martin
Cc: Achim Patzner, freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
In-Reply-To: <38E21E40.2FA2352A@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have a correction to my last comment.

I looked up the rc.conf setting for firewall=open and I think you can
ignore it. It appears that I actually am using the wrong variable name.
In the LINT kernel example config file you will find an explanation for
it. Here it is.

# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.

I must have had a typo when setting this up but it still worked. I was
just being cautious without any real good reason. I am guessing that
/etc/rc.firewall set up the rules just right for me so that it would work.

Since it worked for me right away I did not spend any more time with it.

I am now trying to learn more about it.

Brennan Stehling - web developer and sys admin
projects: www.onmilwaukee.com | www.sncalumni.com
fortune: Eggheads unite! You have nothing to lose but your yolks. -- Adlai Stevenson

From owner-freebsd-ipfw Wed Mar 29 15:05:38 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ns.itga.com.au (ns.itga.com.au [202.53.40.210]) by hub.freebsd.org (Postfix) with ESMTP id 84B5C37B9B1 for ; Wed, 29 Mar 2000 15:05:13 -0800 (PST) (envelope-from gnb@itga.com.au)
Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20]) by ns.itga.com.au (8.9.3/8.9.3) with ESMTP id JAA24388; Thu, 30 Mar 2000 09:05:09 +1000 (EST) (envelope-from gnb@itga.com.au)
Received: from itga.com.au (lightning.itga.com.au [192.168.71.20]) by lightning.itga.com.au (8.9.3/8.9.3) with ESMTP id JAA29398; Thu, 30 Mar 2000 09:05:09 +1000 (EST)
Message-Id: <200003292305.JAA29398@lightning.itga.com.au>
X-Mailer: exmh version 2.0.1 12/23/97
From: Gregory Bond
To: Richard Martin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: NATD Translation
In-reply-to: Your message of Wed, 29 Mar 2000 08:27:56 -0600.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 30 Mar 2000 09:05:08 +1000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Have I overlooked something?

Bet you're using the "simple" fw config. It don't work with NATD. Check
PR#conf/13769 (http://www.freebsd.org/cgi/query-pr.cgi?pr=13769) for a fix
for this.
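The two ipfw log lines Richard quoted are the only hard evidence in this thread, so here is a small parser for that log format together with a triage check for exactly his symptom: a packet logged as denied "in via" the outside interface whose destination is already an RFC 1918 address. This is an added example, not code from the thread or from FreeBSD; the regular expression is derived from the shape of the two lines on the page (treating the ports as optional so ICMP lines also parse is an assumption), the third sample line is constructed for contrast, and the interface name xl0 comes from Richard's rc.conf.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two lines Richard Martin quoted from his syslog,
# plus one constructed line (rule 300, spoofed private *source*) for contrast.
SAMPLE_LOG = """\
Mar 28 20:04:37 horizon /kernel: ipfw: 700 Deny UDP 216.30.99.2:53 192.168.0.5:1219 in via xl0
Mar 28 20:20:36 horizon /kernel: ipfw: 700 Deny TCP 216.30.99.7:20 192.168.0.5:1272 in via xl0
Mar 28 20:21:02 horizon /kernel: ipfw: 300 Deny TCP 10.9.8.7:4444 216.80.68.30:23 in via xl0
"""

# Shape of the lines on the page:
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
# Ports are optional here (assumption) so that port-less ICMP entries still parse.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_ipfw_log(text: str) -> list:
    """Parse every ipfw log line in text into a dict; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def translated_replies(records: list, ext_iface: str) -> list:
    """Denied packets that came *in* on the external interface with an RFC 1918
    destination.  Either the packet really arrived that way (bogus, worth
    keeping an eye on) or, far more likely on a natd box, its destination was
    rewritten by natd before a later deny rule saw it.  The second case is the
    symptom Richard reports: the deny sits after the divert in the rule list."""
    return [r for r in records
            if r["dir"] == "in" and r["iface"] == ext_iface and is_private(r["dst"])]


def count_by_rule(records: list) -> dict:
    """How many hits each rule number produced; a quick way to see which rule
    is doing the unexpected dropping."""
    counts = defaultdict(int)
    for r in records:
        counts[r["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    print(count_by_rule(recs))
    for hit in translated_replies(recs, "xl0"):
        print("post-NAT reply denied by rule", hit["rule"], hit["proto"], hit["src"], "->", hit["dst"])
```

On Richard's two lines the check fires for both (rule 700, destination 192.168.0.5), while the constructed rule-300 line, whose private address is the source rather than the destination, is left alone; that distinction is what separates "anti-spoof rule working as intended" from "anti-spoof rule placed on the wrong side of the divert".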
From owner-freebsd-ipfw Sat Apr 1 11:59:24 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from praseodumium.btinternet.com (praseodumium.btinternet.com [194.73.73.82]) by hub.freebsd.org (Postfix) with ESMTP id 6E3F337B664 for ; Sat, 1 Apr 2000 11:59:20 -0800 (PST) (envelope-from astrolox@innocent.com)
Received: from [213.1.118.12] (helo=faith) by ruthenium.btinternet.com with smtp (Exim 2.05 #1) id 12bPIm-00061z-00 for freebsd-ipfw@FreeBSD.ORG; Sat, 1 Apr 2000 15:55:05 +0100
Message-Id: <3.0.3.32.20000401165224.00a01dc0@mail.virgin.net>
X-Sender: brian.wojtczak@mail.virgin.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Sat, 01 Apr 2000 16:52:24 +0100
To: freebsd-ipfw@FreeBSD.ORG
From: Brian 'Astrolox' Wojtczak
Subject: Re: NATD Translation
In-Reply-To:
References: <38E21E40.2FA2352A@origen.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>I have a correction to my last comment.
>
>I looked up the rc.conf setting for firewall=open and I think you can
>ignore it. It appears that I actually am using the wrong variable name.
>In the LINT kernel example config file you will find an explanation for
>it. Here it is.
>
># WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
># and if you do not add other rules during startup to allow access,
># YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
># in /etc/rc.conf when first enabling this feature, then refining the
># firewall rules in /etc/rc.firewall after you've tested that the new kernel
># feature works properly.
>
>I must have had a typo when setting this up but it still worked. I was
>just being cautious without any real good reason. I am guessing that
>/etc/rc.firewall set up the rules just right for me so that it would work.
>Since it worked for me right away I did not spend any more time with it.
>
>I am now trying to learn more about it.
>

No!!!

I have FreeBSD 3.4, I doubt that FreeBSD 4.0 is all that much different but I
might be wrong so I am talking about 3.4 here.

Firewall rules are a list. There must be at least one item in the list. That
item is placed in the list by the kernel. It is placed at the bottom (end) of
the list. The list is read from top to bottom and the first matching rule is
used. The rules that the kernel can add are either Allow Everything ("allow ip
from any to any") or Deny Everything ("deny ip from any to any"). The rule
added by the kernel is called the DEFAULT RULE.

When "firewall_types=open" is used in the kernel configuration file (MYKERNEL
from now on) it means that the firewall will not drop any packets BY DEFAULT.
That is, the DEFAULT RULE is Allow Everything. This is very insecure, and
should never be used, ever!!! (I believe)

When "firewall_types=open" is used in the startup configuration file
(/etc/rc.conf) it has a totally different meaning. It is the name of the
firewall type that the firewall rules script (/etc/rc.firewall) should use.
The options for this are defined in /etc/rc.firewall. I do not recommend you
use it, unless you don't care about a firewall.

I recommend that you edit /etc/rc.firewall and customize it to what you want -
there is lots of information about this on the internet, and I will be
releasing a tutorial on it soon (at www.astrolox.com).

Hope that clears that up.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Brian 'Astrolox' Wojtczak
"If ya going to do it, do it in style"
World Wide Web Page: http://www.astrolox.com/
EMail Address: astrolox@innocent.com
Personal RSA PGP Key - be aware of fake keys:
89 30 61 EC 2B CA C8 FA EC 11 87 6D DA 50 7C 6B
Bits: 2048 Id: 10E51DFD Date: 2000/02/16
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

From owner-freebsd-ipfw Sat Apr 1 14:29:26 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from tungsten.btinternet.com (tungsten.btinternet.com [194.73.73.81]) by hub.freebsd.org (Postfix) with ESMTP id 1F92237BC5A for ; Sat, 1 Apr 2000 14:29:23 -0800 (PST) (envelope-from astrolox@innocent.com)
Received: from [213.1.118.12] (helo=faith) by ruthenium.btinternet.com with smtp (Exim 2.05 #1) id 12bPUO-0002E5-00 for freebsd-ipfw@FreeBSD.ORG; Sat, 1 Apr 2000 16:07:04 +0100
Message-Id: <3.0.3.32.20000401170314.0098c190@mail.virgin.net>
X-Sender: brian.wojtczak@mail.virgin.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Sat, 01 Apr 2000 17:03:14 +0100
To: freebsd-ipfw@FreeBSD.ORG
From: Brian 'Astrolox' Wojtczak
Subject: Re: Selective access
In-Reply-To: <20000329075634.A52161@lunatic.oneinsane.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ron Rosson wrote:
>
>Hello,
> I have set up a FreeBSD Server to perform NAT using IPFilter and IPNAT.
>Basically it is something like this:
>
>vr0 -------> Real Internet IP
>vr1 -------> 192.168.0/24
>
>The network portion of vr1 is where I am having issues. I would like to
>set it up so that the lower 128 have full access thru the NAT and the
>upper portion of the address space only be able to use email.
>
>vr1 = 192.168.0.0   netmask 255.255.255.128   Full Access to the net
>      192.168.0.128 netmask 255.255.255.128   Email access only
>
>The NAT server also doubles as the Email server.
>
>If anyone has done this or has an idea how it can be done without adding
>another NIC, I would like to hear from ya. ;-)
>

This is easy.

Set up NATD allowing all of 192.168.0 to use it. Then edit /etc/rc.firewall
and edit the divert rule which by default looks something like

$fwcmd add divert natd all from any to any

change it so that it looks something like

$fwcmd add divert natd all from 192.168.0.0/4 to any

or if that don't work add a rule which denies access from 192.168.0.128/4 to
anything but smtp (and pop)

I'm a little rusty on this at the moment, been in Tenerife for a week without
a computer. If I made a mistake sorry ... please go and read some tutorial. I
learnt everything I know from the FreeBSD Handbook and the ipfw man page.

[1] http://www.freebsd.org/handbook/
[2] http://www.FreeBSD.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+3.4-RELEASE&format=html

Hope that helps, a little.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Brian 'Astrolox' Wojtczak
"If ya going to do it, do it in style"
World Wide Web Page: http://www.astrolox.com/
EMail Address: astrolox@innocent.com
Personal RSA PGP Key - be aware of fake keys:
89 30 61 EC 2B CA C8 FA EC 11 87 6D DA 50 7C 6B
Bits: 2048 Id: 10E51DFD Date: 2000/02/16
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
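Two answers in this thread turn on the same mechanism: Gregory Bond's point that the "simple" firewall type breaks with natd (Richard's NATD Translation thread), and Brian's divert-rule and deny-rule sketch for Ron's split subnet (the Selective access thread), both resting on the rule-list semantics Brian spells out in his earlier reply (read top to bottom, first match wins, kernel default rule at the end). The following is an added example that models those semantics in Python, so it can be run anywhere without an ipfw kernel; it is not code from the thread, from FreeBSD's rc.firewall, or from the PR Gregory cites. The one thing it adds to Brian's description is how a matching divert rule behaves: the packet goes to natd, comes back rewritten, and evaluation resumes at the next rule with the rewritten addresses, which is what makes rule order matter. The rule sets are constructed; the addresses and interface names for Richard's box come from his rc.conf, the natd model is a single fixed session (an assumption), and for Ron's split the gateway LAN address 192.168.0.1 and the ports 25 and 110 for smtp and pop are assumptions, while the /25 halves follow the 255.255.255.128 masks in his question.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]
    direction: str        # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "allow", "deny" or "divert"
    proto: str = "all"
    src: str = "any"      # "any" or an address/prefix
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # None matches both ways, like ipfw "via"
    iface: Optional[str] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto in ("all", "ip") or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet,
             nat: Callable[[Packet], Packet] = lambda p: p) -> Tuple[str, int]:
    """Walk the list in rule-number order and stop at the first allow/deny.
    A matching 'divert natd' rule hands the packet to the NAT function and the
    walk resumes at the NEXT rule with the rewritten packet.  Falling off the
    end hits the kernel's default rule 65535 (deny, as in a stock kernel)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = nat(pkt)
            continue
        return rule.action, rule.number
    return "deny", 65535


# --- Richard's box: addresses from his rc.conf, natd modelled as one live session (assumption) ---
EXT_IP, EXT_IF, LAN_HOST, LAN_NET = "216.80.68.30", "xl0", "192.168.0.5", "192.168.0.0/24"


def natd(pkt: Packet) -> Packet:
    """Toy natd: inbound to EXT_IP is the reply for LAN_HOST; outbound LAN
    sources are rewritten to EXT_IP.  Real natd keeps a session table."""
    if pkt.direction == "in" and pkt.iface == EXT_IF and pkt.dst == EXT_IP:
        return replace(pkt, dst=LAN_HOST)
    if pkt.direction == "out" and pkt.iface == EXT_IF and _addr_match(LAN_NET, pkt.src):
        return replace(pkt, src=EXT_IP)
    return pkt


# Divert first, RFC 1918 checks later (constructed; the ordering the thread blames).
SIMPLE_ORDER = [
    Rule(50, "divert", iface=EXT_IF),
    Rule(700, "deny", dst="192.168.0.0/16", iface=EXT_IF),   # the rule in Richard's log
    Rule(710, "deny", src="192.168.0.0/16", iface=EXT_IF),
    Rule(1000, "allow"),
]
# Each anti-spoof check on the side of the divert where the packet still carries
# the address that actually crossed the wire (constructed reordering).
FIXED_ORDER = [
    Rule(40, "deny", dst="192.168.0.0/16", direction="in", iface=EXT_IF),
    Rule(50, "divert", iface=EXT_IF),
    Rule(60, "deny", src="192.168.0.0/16", direction="out", iface=EXT_IF),
    Rule(1000, "allow"),
]
DNS_QUERY = Packet("udp", LAN_HOST, "216.30.99.2", 53, "out", EXT_IF)
DNS_REPLY = Packet("udp", "216.30.99.2", EXT_IP, 1219, "in", EXT_IF)

# --- Ron's split: lower /25 full access, upper /25 mail only (gateway address and ports assumed) ---
GW_LAN_IP, LAN_IF = "192.168.0.1", "vr1"
SELECTIVE = [
    Rule(100, "allow", "tcp", "192.168.0.128/25", GW_LAN_IP, 25, "in", LAN_IF),   # smtp
    Rule(110, "allow", "tcp", "192.168.0.128/25", GW_LAN_IP, 110, "in", LAN_IF),  # pop
    Rule(120, "deny", "all", "192.168.0.128/25", "any", None, "in", LAN_IF),
    Rule(200, "allow", "all", "192.168.0.0/25", "any", None, "in", LAN_IF),
]

if __name__ == "__main__":
    print("simple order, DNS reply:", evaluate(SIMPLE_ORDER, DNS_REPLY, natd))
    print("fixed order,  DNS reply:", evaluate(FIXED_ORDER, DNS_REPLY, natd))
    print("upper /25 to web:", evaluate(SELECTIVE, Packet("tcp", "192.168.0.200", "1.2.3.4", 80, "in", LAN_IF)))
```

With SIMPLE_ORDER the outbound query passes (natd rewrites the source before rule 710 looks at it) but the reply is rewritten to 192.168.0.5 by the divert and then denied by rule 700, which is exactly the pair of log lines Richard posted. With FIXED_ORDER both directions pass, and a packet that genuinely arrives from outside with a private destination is still dropped, now by rule 40 before it ever reaches natd. For Ron's case the upper half reaches only ports 25 and 110 on the gateway, everything else from it is denied at 120, and anything that matches no rule at all falls through to the kernel default rule Brian describes.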