Date:      Thu, 21 Jan 1999 09:09:10 -0800 (PST)
From:      Dan Busarow <dan@dpcsys.com>
To:        Mark Thomas <thomas@pmpro.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw/natd configuration
Message-ID:  <Pine.BSF.3.96.990121090053.11860B-100000@java.dpcsys.com>
In-Reply-To: <3.0.6.32.19990121100844.007c8ba0@pmpro.com>

On Thu, 21 Jan 1999, Mark Thomas wrote:
> I'm in the process of setting up a firewall using ipfw and natd. My
> intention is to use a FreeBSD (soon to be 3.0-stable) machine with three
> interfaces. IP addresses altered.
> 
> fxp0 - Interface to private network  (192.168.1.1/16).
> fxp1 - Interface to the world        (555.12.12.230/29).
> fxp2 - Interface to visible machines (555.12.12.233/29).
> 
> The public machine is: 555.12.12.234/29
> 
> I'm a bit confused about setting up natd/ipfw. Here's where I am right now:
> 
> Custom kernel with IPFIREWALL and IPDIVERT enabled.
> 
> In rc.conf:
> 
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/firewall.rules" # My own rule set will be applied

I suspect fixing the above line will clear up a lot of your confusion.
This is not the name of a rule file; it is a label within /etc/rc.firewall,
i.e., "SIMPLE".

> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-f /etc/natd.rules"

Try natd_flags="-s -m -u"

> network_interfaces="fxp0 fxp1 fxp2 lo0" # Does order matter?
> gateway_enable="YES"
> 
> In /etc/services:
> 
> natd 8668/divert
> 
> The above combination should also add the ipfw rule to divert packets to
> natd correctly via rc.firewall, right?

No.  You need to specify a divert rule.  See the example /etc/rc.firewall

> First problem is setting up the actual natd rules. To allow the public
> machine to be seen, it would appear I need this to pass its address
> unchanged:
> 
> redirect_address 555.12.12.234 555.12.12.234
> 
> Since all other internal addresses are unregistered, it would then appear
> that this would do the trick:
> 
> unregistered_only yes

You don't need redirect_address, unregistered_only (-u in my flags) does
what it says.  Only RFC1918 addresses will be NAT'd.

> Now for ipfw. My fundamental confusion is ipfw's idea of exactly where 'it'
> is, and of in vs. out. How does the natd interface specification affect
> this, or does it?

Read the comments in /etc/rc.firewall

Dan
-- 
 Dan Busarow                                                  949 443 4172
 Dana Point Communications, Inc.                            dan@dpcsys.com
 Dana Point, California  83 09 EF 59 E0 11 89 B4   8D 09 DB FD E1 DD 0C 82
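A constructed rule set illustrating the divert rule Dan points to in /etc/rc.firewall, added here as an example; it is neither Mark's files nor FreeBSD's own rc.firewall. It assumes fxp1 is the outside interface and 192.168.0.0/16 the private network as in the post; the altered 555.x public block is left out, the DMZ ports 80/443 are assumptions, and FWCMD defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Constructed example for the three-interface box in the thread. Not the
# poster's /etc/natd.rules and not FreeBSD's rc.firewall. Interface names
# and 192.168.0.0/16 come from the post; the external /29 was altered
# there, so it is not hard-coded here.
#
# Dry run by default:  FWCMD=/sbin/ipfw ./natd-rules.sh  applies it for real.
fwcmd="${FWCMD:-echo ipfw}"

oif="fxp1"                  # outside world
iif="fxp0"                  # private network, RFC1918 space
dif="fxp2"                  # publicly visible servers, real addresses
inside_net="192.168.0.0/16"

natd_ruleset() {
    $fwcmd -f flush

    # Loopback: never let 127/8 off the box or onto it from the wire.
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8

    # Anti-spoofing on the outside interface: nothing from the private
    # range may arrive from, or leave toward, the Internet untranslated.
    $fwcmd add 300 deny log all from ${inside_net} to any in via ${oif}
    $fwcmd add 310 deny log all from any to ${inside_net} out via ${oif}

    # The divert rule rc.firewall's SIMPLE section adds. "via" matches
    # both directions on ${oif}, so one rule hands inbound and outbound
    # packets to natd (port 8668/divert from /etc/services). With -u only
    # RFC1918 source addresses are rewritten; ${dif} hosts pass unchanged.
    $fwcmd add 400 divert natd all from any to any via ${oif}

    # Return traffic for connections the inside opened.
    $fwcmd add 500 pass tcp from any to any established

    # Private net and DMZ may start connections outward and to each other.
    $fwcmd add 600 pass all from ${inside_net} to any in via ${iif}
    $fwcmd add 610 pass all from any to any in via ${dif}

    # Inbound from the world: only new TCP connections to the DMZ servers
    # (assumed ports, edit to taste) and the ICMP needed for PMTU/unreachables.
    $fwcmd add 700 pass tcp from any to any 80,443 in via ${oif} setup
    $fwcmd add 710 pass icmp from any to any icmptypes 3,4,11

    # Everything else is logged and dropped.
    $fwcmd add 65000 deny log all from any to any
}

natd_ruleset
```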