From owner-freebsd-questions@FreeBSD.ORG Thu Oct 30 02:12:35 2008
Date: Thu, 30 Oct 2008 03:12:31 +0100
From: Polytropon <freebsd@edvax.de>
To: jackbarnett@gmail.com
Cc: Freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: Firewalls in FreeBSD?
Message-Id: <20081030031231.8a5fccb9.freebsd@edvax.de>
In-Reply-To: <49090BA3.5090407@gmail.com>
References: <49090BA3.5090407@gmail.com>
Organization: EDVAX
X-Mailer: Sylpheed 2.4.7 (GTK+ 2.12.1; i386-portbld-freebsd7.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
If I understood you correctly, your setting is:

    (Modem/Router)---DHCP---(FreeBSD)---("Windows")

I may respond directly to your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett wrote:
> gateway_enable="YES"
> #firewall_enable="YES"
> #firewall_type="open"
> firewall_type="simple"
> #firewall_type="open"
> firewall_logging="YES"

Use instead:

    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="xl0"

You may add special redirect directives to NATD's settings, such as

    natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
    natd_flags="-redirect_port tcp 192.168.1.5:23 6666"

or

    natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
                -redirect_address 192.168.1.5 141.44.165.58"

Examples taken from a very old configuration. :-)

Then,

    firewall_enable="YES"
    firewall_type="/etc/ipfw.conf"

Then, be sure to have nice firewall settings. You can use things
similar to this, enabling just the services you really need and
want; it's easy to write your own one or to rewrite this:

    -f flush
    add divert natd ip from any to any via xl0
    add allow tcp from any to any ftp in recv xl0
    add allow tcp from any to any ssh in recv xl0
    add allow tcp from any to any auth in recv xl0
    add allow udp from any to any ntp in recv xl0
    add allow udp from any to any ntalk in recv xl0
    add deny udp from any to any x11 in recv xl0
    add reset tcp from any to any x11 in recv xl0
    add allow ipencap from any to any
    add allow ip from any to any

This should work fine. NB to use the correct interface names.

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
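As an added example (not part of the mail above), a small POSIX sh lint that checks a rule file of the kind shown against the natd_interface in rc.conf, flagging an interface name that does not match ("NB to use the correct interface names") and a catch-all "allow ip from any to any" tail rule that admits everything the earlier rules did not reject. The file names and the sample contents are constructed for the demonstration; nothing here invokes ipfw.

```shell
#!/bin/sh
# Added example, not from the original mail: parse an ipfw rule file and an
# rc.conf fragment as text and report interface mismatches and an
# unrestricted tail rule before the rules are loaded.

TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

# Constructed sample inputs (hypothetical file names); xl1 is a deliberate typo.
cat > "$TMP/rc.conf" <<'EOF'
natd_enable="YES"
natd_interface="xl0"
firewall_type="/etc/ipfw.conf"
EOF
cat > "$TMP/ipfw.conf" <<'EOF'
-f flush
add divert natd ip from any to any via xl0
add allow tcp from any to any ssh in recv xl0
add deny udp from any to any x11 in recv xl0
add reset tcp from any to any x11 in recv xl1
add allow ip from any to any
EOF

# Print the value of natd_interface from an rc.conf-style file.
natd_iface() {
    sed -n 's/^natd_interface="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Print every distinct interface named after via/recv/xmit in a rule file.
rule_ifaces() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "via" || $i == "recv" || $i == "xmit") print $(i+1) }' "$1" | sort -u
}

# Return 0 when the last rule is the unrestricted "allow ip from any to any".
ends_allow_all() {
    tail -n 1 "$1" | grep -q '^add allow ip from any to any$'
}

# Report each interface that differs from natd_interface and a catch-all
# tail rule; return 1 if anything was flagged, 0 otherwise.
lint_ipfw() {
    want=$(natd_iface "$1"); rc=0
    for i in $(rule_ifaces "$2"); do
        [ "$i" = "$want" ] || { echo "interface $i in rules, natd_interface=$want"; rc=1; }
    done
    ends_allow_all "$2" && { echo "last rule allows all traffic"; rc=1; }
    return $rc
}
```

Running `lint_ipfw "$TMP/rc.conf" "$TMP/ipfw.conf"` on the sample prints both findings and exits 1; a consistent ruleset ending in a deny exits 0.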