Date: Thu, 30 Oct 2008 03:12:31 +0100
From: Polytropon <freebsd@edvax.de>
To: jackbarnett@gmail.com
Cc: Freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: Firewalls in FreeBSD?
Message-ID: <20081030031231.8a5fccb9.freebsd@edvax.de>
In-Reply-To: <49090BA3.5090407@gmail.com>
References: <49090BA3.5090407@gmail.com>
If I understood you correctly, your setting is:
(Modem/Router)---DHCP---(FreeBSD)---("Windows")
I may respond directly to your configuration settings:
On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett <jackbarnett@gmail.com> wrote:
> gateway_enable="YES"
> #firewall_enable="YES"
> #firewall_type="open"
> firewall_type="simple"
> #firewall_type="open"
> firewall_logging="YES"
Use instead:
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
You may add special redirect directives to NATD's settings, such as
natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
natd_flags="-redirect_port tcp 192.168.1.5:23 6666"
or
natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
-redirect_address 192.168.1.5 141.44.165.58"
Examples taken from a very old configuration. :-)
Then,
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
Then, be sure to have nice firewall settings. You can use things
similar to this, enabling just the services you really need and want;
it's easy to write your own one or to rewrite this:
-f flush
add divert natd ip from any to any via xl0
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add allow tcp from any to any auth in recv xl0
add allow udp from any to any ntp in recv xl0
add allow udp from any to any ntalk in recv xl0
add deny udp from any to any x11 in recv xl0
add reset tcp from any to any x11 in recv xl0
add allow ipencap from any to any
add allow ip from any to any
This should work fine. NB: use the correct interface names.
--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
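An added consistency check (not from the post or from FreeBSD) for the rc.conf and ipfw.conf pairing shown above, assuming the single-external-interface layout of the post: it verifies that natd's divert rule exists, names natd_interface and precedes any allow/deny rule, and that every interface in the rules matches natd_interface, which is the "correct interface names" point.

```shell
#!/bin/sh
# Added example: consistency check for the rc.conf + ipfw.conf pairing in the post. Assumes one external interface (natd_interface).
# rc_value CONF NAME: value of NAME in CONF, quotes stripped, last assignment wins (as rc does)
rc_value() {
    printf '%s\n' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '"'
}
# rule_index RULES PATTERN: line number of the first rule matching the ERE PATTERN, 0 if none
rule_index() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print NR; found = 1; exit } END { if (!found) print 0 }'
}
# check_config RC RULES: print one line per finding; exit status = number of findings
check_config() {
    rc=$1; rules=$2; n=0
    iface=$(rc_value "$rc" natd_interface)
    if [ "$(rc_value "$rc" natd_enable)" = "YES" ]; then
        divert=$(rule_index "$rules" '^add divert natd ')
        if [ "$divert" -eq 0 ]; then
            echo "natd_enable=YES but no 'divert natd' rule: nothing is ever NATed"; n=$((n + 1))
        else
            via=$(printf '%s\n' "$rules" | sed -n "${divert}p" | sed 's/.* via //')
            [ "$via" = "$iface" ] || { echo "divert rule uses '$via' but natd_interface is '$iface'"; n=$((n + 1)); }
            first=$(rule_index "$rules" '^add (allow|deny|reset) ')
            if [ "$first" -ne 0 ] && [ "$first" -lt "$divert" ]; then
                echo "an allow/deny/reset rule precedes the divert rule: matching packets skip NAT"; n=$((n + 1))
            fi
        fi
    fi
    [ "$(rc_value "$rc" firewall_enable)" = "YES" ] || { echo "firewall_enable is not YES: the ruleset is never loaded"; n=$((n + 1)); }
    # "NB: use the correct interface names": every via/recv/xmit interface must be the NAT interface here
    for i in $(printf '%s\n' "$rules" | awk '{ for (k = 1; k < NF; k++) if ($k == "via" || $k == "recv" || $k == "xmit") print $(k + 1) }' | sort -u); do
        [ "$i" = "$iface" ] || { echo "rule interface '$i' is not natd_interface '$iface': check it against ifconfig -l"; n=$((n + 1)); }
    done
    return "$n"
}
# Constructed inputs: the post's settings, and a broken ruleset (allow before divert, wrong interface)
RC_OK='gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"'
RULES_OK='-f flush
add divert natd ip from any to any via xl0
add allow tcp from any to any ssh in recv xl0
add allow ip from any to any'
RULES_BAD='-f flush
add allow ip from any to any
add divert natd ip from any to any via em0'
check_config "$RC_OK" "$RULES_OK" && echo "post's configuration: consistent"
```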
