From owner-freebsd-questions@FreeBSD.ORG Sun Jul 11 13:30:58 2004
Message-ID: <40F141F2.1060500@cordula.ws>
Date: Sun, 11 Jul 2004 15:34:42 +0200
From: cpghost
To: Gaspar Kiraly
Cc: freebsd-questions@freebsd.org
In-Reply-To: <000a01c46745$cbd736e0$0201a8c0@my.domain>
Subject: Re: Firewall rules for local lan

Gaspar Kiraly wrote:
> I am in the process of setting up ipfw for my server and a small LAN of two PCs.
> The FreeBSD server is used as an internet gateway with a dial-up connection (ppp -auto -alias demand).
> My network connection is working fine, however I am getting more and more junk mail lately.
> It looks like some sites are sniffing out my e-mail address, my PC configs, etc.
> Hence, I'd like to set up a firewall.
> I found many good examples, however they deal with a one-PC (FreeBSD), one-network-card setup.
> For ex: do I need to add "divert" and "bridge" to the kernel config file?
> How do I set up different rules for each NIC?
> I'd like to be able to access the FreeBSD server from my local LAN w/o any restrictions, but I do not want the internet sites to do the same with my server and LAN. Would you have an example setup for this scenario? The FreeBSD server is also set up to provide address resolution for the internet.

You don't need divert or bridge, because ppp(1) has built-in packet filtering. Have a look at the ppp(1) man page, esp. the section "packet filtering." Don't forget to enable ppp NAT and to set up your box as a gateway in /etc/rc.conf:

  hostname="your.hostname.tld"
  gateway_enable="YES"
  ppp_enable="YES"
  ppp_profile="your-isp-profile"
  ppp_user="root"
  ppp_mode="ddial"
  ppp_nat="YES"
  named_enable="YES"
  named_flags="-u bind -g bind"

Don't forget to add your filter rules in /etc/ppp/ppp.conf.

> I'd appreciate any help.
>
> Gaspar

-cpghost.
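As an added example (not part of cpghost's reply), here is what the filter section of such a profile in /etc/ppp/ppp.conf could look like for Gaspar's setup: the profile name is the placeholder from the rc.conf above, and the device, phone and login lines a real profile also needs are left out. Because ppp only filters the PPP link, LAN hosts still reach the server unfiltered while traffic arriving from the internet is limited to replies to sessions opened from inside.

```conf
# Added example, not from the original message. These lines belong under the
# profile label named by ppp_profile in /etc/rc.conf (placeholder name here);
# the device, phone and login lines a real profile needs are omitted.
# ppp filters only the PPP link (the tun interface), so the LAN side is
# untouched. Command lines under a label must be indented.
your-isp-profile:

 # in: packets arriving from the internet on the PPP link
 set filter in 0 permit tcp estab          # replies to TCP sessions we opened (ACK set)
 set filter in 1 permit udp src eq 53      # DNS answers to the local named
 set filter in 2 permit icmp               # ping replies, path-MTU messages
 set filter in 3 deny 0/0 0/0              # no unsolicited connections to server or LAN

 # out: what the server and the NATed LAN hosts may send; add rules for
 # other UDP services you use (e.g. "permit udp dst eq 123" for NTP)
 set filter out 0 permit tcp               # outbound TCP sessions
 set filter out 1 permit udp dst eq 53     # DNS queries
 set filter out 2 permit icmp
 set filter out 3 deny 0/0 0/0

 # dial: which outbound packets may bring the demand link up
 set filter dial 0 deny icmp               # a stray ping should not start a call
 set filter dial 1 permit 0/0 0/0
```

Check the active rules with "show filter" on the ppp command line after loading the profile.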