From owner-freebsd-security Thu Jan 21 09:09:07 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA27614 for freebsd-security-outgoing; Thu, 21 Jan 1999 09:09:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA27607 for ; Thu, 21 Jan 1999 09:09:06 -0800 (PST) (envelope-from dan@dpcsys.com)
Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id JAA18372; Thu, 21 Jan 1999 09:09:10 -0800 (PST)
Date: Thu, 21 Jan 1999 09:09:10 -0800 (PST)
From: Dan Busarow
To: Mark Thomas
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw/natd configuration
In-Reply-To: <3.0.6.32.19990121100844.007c8ba0@pmpro.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 21 Jan 1999, Mark Thomas wrote:
> I'm in the process of setting up a firewall using ipfw and natd. My
> intention is to use a FreeBSD (soon to be 3.0-stable) machine with three
> interfaces. IP addresses altered.
>
> fxp0 - Interface to private network (192.168.1.1/16).
> fxp1 - Interface to the world (555.12.12.230/29).
> fxp2 - Interface to visible machines (555.12.12.233/29).
>
> The public machine is: 555.12.12.234/29
>
> I'm a bit confused about setting up natd/ipfw. Here's where I am right now:
>
> Custom kernel with IPFIREWALL and IPDIVERT enabled.
>
> In rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/firewall.rules" # My own rule set will be applied

I suspect fixing the above line will clear up a lot of your confusion.
This is not the name of a rule file, it is a label within /etc/rc.firewall,
i.e., "SIMPLE".

> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-f /etc/natd.rules"

Try natd_flags="-s -m -u"

> network_interfaces="fxp0 fxp1 fxp2 lo0" # Does order matter?
> gateway_enable="YES"
>
> In /etc/services:
>
> natd 8668/divert
>
> The above combination should also add the ipfw rule to divert packets to
> natd correctly via rc.firewall, right?

No. You need to specify a divert rule. See the example /etc/rc.firewall

> First problem is setting up the actual natd rules. To allow the public
> machine to be seen, it would appear I need this to pass its address
> unchanged:
>
> redirect_address 555.12.12.234 555.12.12.234
>
> Since all other internal addresses are unregistered, it would then appear
> that this would do the trick:
>
> unregistered_only yes

You don't need redirect_address, unregistered_only (-u in my flags) does
what it says. Only RFC1918 addresses will be NAT'd.

> Now for ipfw. My fundamental confusion is ipfw's idea of exactly where 'it'
> is, and of in vs. out. How does the natd interface specification affect
> this, or does it?

Read the comments in /etc/rc.firewall

Dan
--
Dan Busarow 949 443 4172
Dana Point Communications, Inc. dan@dpcsys.com
Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
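The following is an added example, not part of the original exchange and not FreeBSD's own /etc/rc.firewall. It puts the three points of the reply into one rule set for the gateway Mark describes: the divert rule that has to be written explicitly (rc.conf alone does not add it), how "in", "out" and "via" are read relative to the firewall host, and natd started with "-s -m -u" so that only RFC1918 sources are rewritten and the visible 555.12.12.232/29 hosts pass through untouched. The addresses are the poster's altered ones (555.x.x.x is a placeholder and must be replaced before loading for real); rule numbers and the services opened to the visible host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail and not FreeBSD's own /etc/rc.firewall:
# an ipfw rule set for the three-interface gateway described in the thread, in
# the style rc.firewall uses (every command goes through ${fwcmd}). Addresses are
# the poster's altered ones; 555.x.x.x is a placeholder, so replace it before
# loading for real. Rule numbers and the services opened to the visible host
# (.234) are assumptions made for illustration.
#
# Assumed companion rc.conf lines (natd started on the outside interface):
#   gateway_enable="YES"
#   natd_enable="YES"
#   natd_interface="fxp1"
#   natd_flags="-s -m -u"    # use_sockets, same_ports, unregistered_only

load_rules() {
    fwcmd="$1"                      # /sbin/ipfw for real, echo for a dry run

    oif=fxp1                        # to the world, 555.12.12.230/29
    oip=555.12.12.230
    dif=fxp2                        # to the visible machines, 555.12.12.233/29
    dnet=555.12.12.232/29
    inet=192.168.0.0/16             # private network behind fxp0, 192.168.1.1/16
    public=555.12.12.234            # the visible host

    ${fwcmd} -f flush

    # Loopback traffic, and nothing claiming to be loopback on a real wire.
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

    # "in"/"out" are relative to this host; "in via fxp1" is a packet that
    # arrived on fxp1 from the world. Anti-spoofing goes before the divert so
    # it sees packets exactly as they came off the wire.
    ${fwcmd} add 300 deny all from ${inet} to any in via ${oif}
    ${fwcmd} add 310 deny all from ${dnet} to any in via ${oif}

    # Everything crossing fxp1 in either direction ("via") goes to natd on
    # divert port 8668 (the natd entry in /etc/services). natd hands the
    # packet back and matching resumes at the next rule, so the rules below
    # see the outside address on outbound packets and the private address
    # on inbound replies. With -u, 555.12.12.232/29 is never rewritten.
    ${fwcmd} add 400 divert natd all from any to any via ${oif}

    # Outbound: only translated or registered sources may leave. If natd is
    # not running, untranslated 192.168/16 sources hit rule 520 instead of
    # leaking onto the wire.
    ${fwcmd} add 500 allow all from ${oip} to any out via ${oif}
    ${fwcmd} add 510 allow all from ${dnet} to any out via ${oif}
    ${fwcmd} add 520 deny log all from any to any out via ${oif}

    # Inbound replies. "established" (ACK set) is stateless ipfw of this era:
    # it passes any ACK-bearing segment, which is the price of not having
    # connection tracking. DNS replies are recognised by source port only.
    ${fwcmd} add 600 allow tcp from any to any established in via ${oif}
    ${fwcmd} add 610 allow udp from any 53 to any in via ${oif}
    ${fwcmd} add 620 allow icmp from any to any in via ${oif} icmptypes 0,3,11

    # Inbound new connections: only to the visible host, only its services
    # (SMTP and HTTP assumed here).
    ${fwcmd} add 700 allow tcp from any to ${public} 25 setup in via ${oif}
    ${fwcmd} add 710 allow tcp from any to ${public} 80 setup in via ${oif}

    # The visible host must not open connections into the private network.
    ${fwcmd} add 800 deny log tcp from ${dnet} to ${inet} setup in via ${dif}

    # Anything else from the world is dropped and logged; traffic between the
    # gateway's own networks that reached this point is allowed.
    ${fwcmd} add 900 deny log all from any to any in via ${oif}
    ${fwcmd} add 65000 allow all from any to any
}

# With no argument the rules are only printed; "load" installs them.
if [ "${1:-}" = "load" ]; then
    load_rules /sbin/ipfw
else
    load_rules echo
fi
```

Run it without arguments first and read the printed rules in order: the anti-spoofing rules (300, 310) come before the divert (400) because they must match the raw packet, while everything after 400 is written against the addresses natd leaves behind. Replacing "established" with real connection tracking is not available in the ipfw of 3.0, so the rule set leans on the outbound filter (500 to 520) and the setup-only deny (800) to limit what a compromised visible host can reach.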