From owner-freebsd-questions Tue Feb 6 17:56:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail8.nc.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id E810737B4EC for ; Tue, 6 Feb 2001 17:55:53 -0800 (PST)
Received: from reefbreak.surfbbx ([24.163.33.203]) by mail8.nc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Tue, 6 Feb 2001 20:53:41 -0500
From: Eric Thornton
Date: Tue, 6 Feb 2001 20:52:55 -0500
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="iso-8859-1"
To: Benjamin Ossei , questions@FreeBSD.ORG
References: <20010206232345.D7B6F36F9@sitemail.everyone.net>
In-Reply-To: <20010206232345.D7B6F36F9@sitemail.everyone.net>
Subject: Re: HELLLLLLLLLLLP(firewall)
MIME-Version: 1.0
Message-Id: <01020620525500.00910@reefbreak.surfbbx>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I know little about firewall rules, but this is my setup; it was done by a friend of mine who knows a lot more about TCP/IP than I do. This works with roadrunner (dynamic IP address).

---KERNEL-----
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

---rc.conf-----
gateway_enable="YES"
firewall_enable="YES"
#i don't know what the next 3 do...
tcp_keepalive="YES"
tcp_extensions="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
#this excludes the norm hostname, ifconfig, norm network setup

---rc.firewall----
HIPORT=1024-65535
LOPORT=1-1023
FTPPORT=49152-65535
ipfw="/sbin/ipfw -q"
$ipfw -f flush
sysctl -w net.inet.ip.fw.one_pass=0
# deny rfc1918 from outside interface
$ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
$ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1
$ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
# allow things out before nat rule
$ipfw add 50 pass all from any to any via lo0
# anything here is stuff you want to work even if natd is down
$ipfw add 80 pass tcp from any $LOPORT to any ssh in recv ed1 setup keep-state
$ipfw add 81 pass tcp from any $HIPORT to any telnet in recv ed1 setup keep-state
$ipfw add 84 pass tcp from any to any auth in recv ed1 setup keep-state
# nat rule--THIS IS IMPORTANT!!!
$ipfw add 100 divert natd all from any to any via ed1
# everything allowed
$ipfw add 200 pass all from any to any

---natd.conf----
dynamic yes
use_sockets yes
same_ports yes
unregistered_only yes

-hope this helps.
Eric

On Tuesday 06 February 2001 06:23 pm, Benjamin Ossei wrote:
> I've asked this question several times and no one has helped yet. If no
> one wants to help I can understand it. But I'm trying one last chance.
> I've read several books including all of the man pages etc. Still my NAT
> isn't working. I've used every configuration that I can find and tried
> several things. I still cannot get to my machines behind the firewall. I
> don't know what else to do other than going back to something else. Anyway
> if anyone wants to give me a hand I can use it. natd diverts loads up but
> I can't get past the FW.
>
> Thanks..
>
> _____________________________________________________________
> ========GET YOUR FREE E-MAIL============
> http://freemail.cahostnet.net
> Web Hosting http://www.cahostnet.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
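The ordering in Eric's rc.firewall is what makes the NAT work: ipfw walks rules in number order, so the `divert natd` rule (100) has to come before the catch-all `pass all from any to any` (200), or packets are accepted before natd ever sees them, which looks exactly like "natd loads but nothing gets through". The RFC1918 denies on the outside interface sit before the divert so spoofed traffic is dropped rather than translated. As an added example, not code from Eric's message or from FreeBSD's own tooling, here is a small POSIX sh lint that reads an rc.firewall-style ruleset from stdin and checks those two invariants offline. The sample ruleset is constructed from the rules in the post; `lint_ruleset`, `sample_rules` and `broken_rules` are names of my own.

```shell
#!/bin/sh
# Added example: offline ordering lint for an ipfw + natd ruleset.
# It does not run ipfw; it only parses "$ipfw add N ..." lines.
#
# Invariants checked:
#   1. the "divert natd" rule must carry a lower number than the
#      catch-all "pass all from any to any" (the lo0 rule is ignored),
#      otherwise the catch-all matches first and natd never sees traffic;
#   2. every RFC1918 "deny ... in via" rule on the outside interface must
#      carry a lower number than the divert rule.
# Prints OK and exits 0, or prints FAIL lines and exits 1.
lint_ruleset() {
    awk '
        /add +[0-9]+/ {
            # rule number: strip everything up to "add ", then after the digits
            n = $0; sub(/.*add +/, "", n); sub(/[^0-9].*/, "", n); n = n + 0
            if ($0 ~ /divert natd/ && divert == 0) divert = n
            if ($0 ~ /pass all from any to any/ && $0 !~ /via lo0/ && catchall == 0) catchall = n
            if ($0 ~ /deny/ && $0 ~ /from (10\.0\.0\.0\/8|192\.168\.0\.0\/16|172\.16\.0\.0\/12) to any in via/) {
                denies++
                if (n > lastdeny) lastdeny = n
            }
        }
        END {
            rc = 0
            if (divert == 0)   { print "FAIL: no divert natd rule"; rc = 1 }
            if (catchall == 0) { print "FAIL: no catch-all pass rule"; rc = 1 }
            if (divert && catchall && divert >= catchall) {
                print "FAIL: catch-all rule " catchall " precedes divert rule " divert ": traffic is never handed to natd"
                rc = 1
            }
            if (denies < 3) print "WARN: fewer than three RFC1918 deny rules on the outside interface"
            if (divert && lastdeny > divert) {
                print "FAIL: RFC1918 deny rule " lastdeny " comes after divert rule " divert
                rc = 1
            }
            if (rc == 0) print "OK"
            exit rc
        }
    '
}

# Constructed sample: the rule lines from the post (quoted here-doc, so
# $ipfw is kept literally, as it appears in rc.firewall).
sample_rules() {
    cat <<'EOF'
ipfw="/sbin/ipfw -q"
$ipfw -f flush
$ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
$ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1
$ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
$ipfw add 50 pass all from any to any via lo0
$ipfw add 80 pass tcp from any 1-1023 to any ssh in recv ed1 setup keep-state
$ipfw add 100 divert natd all from any to any via ed1
$ipfw add 200 pass all from any to any
EOF
}

# Constructed broken variant: catch-all numbered below the divert rule,
# the misordering that leaves natd idle while everything is passed.
broken_rules() {
    cat <<'EOF'
$ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
$ipfw add 20 deny log all from 192.168.0.0/16 to any in via ed1
$ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
$ipfw add 100 pass all from any to any
$ipfw add 200 divert natd all from any to any via ed1
EOF
}

# Usage: lint the rules from the post (prints OK).
sample_rules | lint_ruleset
```

To check a live file, run `lint_ruleset < /etc/rc.firewall`; the awk only recognises the `$ipfw add N ...` spelling used in the post, so rulesets that call `ipfw` directly need the pattern adjusted.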