Date:      Sun, 25 Feb 2001 00:38:29 -0500
From:      "John Telford" <j.telford@sympatico.ca>
To:        <Isomer1@aol.com>, <freebsd-newbies@freebsd.org>
Subject:   Re: cable modem gateway
Message-ID:  <001901c09eed$2f22a010$ac33e540@johnny2k>
References:  <b5.78f869a.27c9d3d9@aol.com>

You are already warm if you are at freebsddiary.org. This page,
http://www.freebsddiary.org/athome.html, got my connection talking to the
outside world in a flash. You should probably get the FreeBSD box
communicating with the public side before moving on to the gateway/firewall
part.

You DO have to add the lines and rebuild the kernel to get the firewall to
work.  There's lots of good stuff on it out there; I found it was a matter
of reading different documents until I found one that hit at my skill level
and took it from there. Don't go nuts or give up, FreeBSD works great; there
is a price to pay in research, though, over the 'pointy click, skip readme and
hope it loads Windows stuff'. I have 5 cable-connected divisions fronted
with FreeBSD boxes. They only go down when there is a problem with the cable
company.

These are my settings; you may not require all of them:
The kernel.
At the end of my GENERIC (well, I cp it to GENFIRE) I copy the following out
of LINT:

# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set
#       firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG is undocumented.
#
options         MROUTING                # Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about
                                        # dropped packets
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    # USE TO GET IT GOING THEN
                                                # TAKE IT OUT, or DON'T USE AND
                                                # SET TYPE TO 'OPEN'
                                                # IN /etc/rc.conf SEE BELOW.
options         IPDIVERT                #divert sockets
options         IPSTEALTH               #support for stealth forwarding
options         TCPDEBUG

# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options         TCP_RESTRICT_RST        #restrict emission of TCP RST

# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options         ICMP_BANDLIM

# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.
options         DUMMYNET
########## END

An rc.conf to get going, then tweak it from there:

hostname="crxxxxxxx-x"          # Set this to the cable account name
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="OPEN"            # Firewall type (see /etc/rc.firewall)
                                # once it's working then start creating
                                # your own rule set.

firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_flags=""               # Flags passed to ipfw when type is a file
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"           # Public interface or IPaddress to use.
natd_flags=""                   # Additional flags for natd.
network_interfaces="auto"       # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_fxp0="DHCP"
ifconfig_fxp1="inet 192.168.1.200 netmask 255.255.255.0" # internal network
#
named_enable="YES"              # you have to do some named work to use this
                                # other option would be set to NO and to
                                # point your internal machines to use the cable's
                                # dns address which should magically appear
                                # in /etc/resolv.conf once you get connected.

### Network routing options: ###
defaultrouter="24.xx.xx.xx"     # Set to Cable's default gateway (or NO).
sendmail_enable="NO"            # Run the sendmail daemon (or NO).

Good luck, John.

----- Original Message -----
From: Isomer1@aol.com
To: freebsd-newbies@freebsd.org
Sent: Saturday, February 24, 2001 10:19 PM
Subject: cable modem gateway


I think I may go mad.
I installed 4.2 this morning via ftp, the install went fine.
I'm attempting to set up this freebsd machine as a gateway
between my cable modem and internal network.

I have tried the FreeBSD 'Handbook' but the section on
networking is useless.  I have managed to piece together
some idea of what needs to be done from freebsddiary.org
and newsgroup tidbits.

I have NOT rebuilt the kernel, I'm assuming since the install
asks "Enable Gateway?" that the default 4.2 installation must
include the IPFIREWALL and IPDIVERT options already enabled.
The machines can reach one another, the cable modem lights
up when the internal machines attempt to talk out, but the outside
world's response does not get back to the internal machines.

In /etc/rc.conf I added:
      firewall_enable = yes
In /etc/rc.firewall I added:
      /sbin/ipfw -f flush
      /sbin/ipfw add divert natd all from any to any via de0
      /sbin/ipfw add pass all from any to any
Also done:
      natd -interface de0

Any assistance would be appreciated.
-Ralph N.
Isomer1@aol.com
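A small checker for the rc.conf pitfalls this thread turns on, added here as an example (it is not from either post nor from FreeBSD): it parses the file as sh assignments, so a line like the original poster's `firewall_enable = yes` is rejected, and it confirms the firewall, natd and forwarding knobs from the reply are set. `gateway_enable` is assumed from the standard FreeBSD rc scripts, since neither message names it, and both sample configurations are constructed.

```python
import re
# Added example for this page (not FreeBSD's own code). rc.conf is sourced by
# sh(1), so each knob must be a plain assignment: NAME=value, no spaces.
ASSIGN = re.compile(r"""^([A-Za-z_]\w*)=("[^"]*"|'[^']*'|[^\s#]*)\s*(#.*)?$""")

def parse_rc_conf(text):
    """Return (settings, errors). 'firewall_enable = yes' is an error: sh would
    try to run a command named firewall_enable and the knob stays unset."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if not m:
            errors.append(f'line {lineno}: not a valid sh assignment: {line!r}')
            continue
        settings[m.group(1)] = m.group(2).strip('"\'')
    return settings, errors

def check_gateway(settings):
    """Findings for the knobs an ipfw/natd cable gateway needs."""
    yes = lambda key: settings.get(key, 'NO').upper() == 'YES'
    findings = []
    if not yes('firewall_enable'):
        findings.append('firewall_enable must be "YES" for rc.firewall to run')
    if not yes('natd_enable'):
        findings.append('natd_enable must be "YES" so rc starts natd with divert')
    elif not settings.get('natd_interface'):
        findings.append('natd_interface must name the public (cable) interface')
    # gateway_enable sets net.inet.ip.forwarding=1 (assumed from standard rc);
    # without it the outside world's replies are never forwarded back inside.
    if not yes('gateway_enable'):
        findings.append('gateway_enable must be "YES" or the box will not forward')
    if settings.get('firewall_type', '').upper() == 'OPEN':
        findings.append('warning: firewall_type OPEN passes everything; tighten it')
    return findings

def lint(text):
    settings, errors = parse_rc_conf(text)
    return errors + check_gateway(settings)
# Constructed samples: the poster's line as written, and a reply-style rc.conf.
BROKEN = 'firewall_enable = yes\n'
WORKING = '''firewall_enable="YES"
firewall_type="OPEN"            # Firewall type (see /etc/rc.firewall)
gateway_enable="YES"
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"           # Public interface or IPaddress to use.
'''
```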

