Date: Wed, 12 Jun 2002 18:43:46 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "Pablo Bendersky" <pbendersky@mark-2k.com>
Cc: "FBSDQ" <questions@FreeBSD.ORG>
Subject: RE: 3 NICs question
Message-ID: <MIEPLLIBMLEEABPDBIEGAEJBCCAA.barbish@a1poweruser.com>
In-Reply-To: <000f01c21252$8e2df530$3700a8c0@mark>
Pablo,

The only way to direct packet traffic that originates on the public internet to an individual ip address is by using a domain name. Choose and register a domain name and have the domain name use the static ip address of your xl2 cable isp connection. Now anybody browsing your www.your-domain-name.com will go to the ip address of your cable modem connected to your xl2 Nic card. Now in the natd conf file put a forward ip / port 80 statement to your stand-alone web server ip on the LAN.

And for your information, your firewall basically provides no protection at all. It allows anything in or out. Your gateway PC is already compromised and you don't know it. You really need to add advanced stateful rules using check-state & keep-state type of rules to just allow out the packet types you want and deny all packets originating from the public internet except for port 80 http requests to your internet web server. To be absolutely safe you should rebuild your gateway box from scratch and not allow access to the public internet until you have good firewall rules.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Pablo Bendersky
Sent: Wednesday, June 12, 2002 4:49 PM
To: freebsd-questions@freebsd.org
Subject: 3 NICs question

Hello,

I currently have a FreeBSD 4.5 box with 3 NICs with the current setup:

xl0 : Internal 192.168.0 lan
xl1 : External, connected to an ADSL modem to share an internet account
xl2 : New NIC, connected to a cablemodem.

Currently I'm connecting using PPPoE, and then I nat tun0 to share the internet account. I have a firewall set up (see the configuration after it). So, xl1 connects to the ADSL modem, and we can share tun0 in our lan (via xl0). Now, we added the third NIC, xl2, and connected it with a cablemodem (it's getting its ip address via DHCP).

What I want now is to NAT in the following way:
- All the outgoing connections (for our lan to browse the net) go through xl1 (ADSL)
- All the incoming connections to the xl2 IP address be natted to an internal web server.

How can I do it? I tried adding a second nat service (with another port) and running a second instance of natd but it didn't work.

Can anybody help me?

Thanks a lot

Our firewall rules currently are:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 deny log ip from any to 10.0.0.0/8 via tun0
00600 deny log ip from any to 172.16.0.0/12 via tun0
00700 deny ip from any to 192.168.0.0/16 via tun0
00800 deny ip from any to 0.0.0.0/8 via tun0
00900 deny ip from any to 169.254.0.0/16 via tun0
01000 deny ip from any to 192.0.2.0/24 via tun0
01100 deny ip from any to 224.0.0.0/4 via tun0
01200 deny ip from any to 240.0.0.0/4 via tun0
01300 divert 8668 ip from any to any
01400 deny log ip from 10.0.0.0/8 to any via tun0
01500 deny log ip from 172.16.0.0/12 to any via tun0
01600 deny ip from 192.168.0.0/16 to any via tun0
01700 deny ip from 0.0.0.0/8 to any via tun0
01800 deny ip from 169.254.0.0/16 to any via tun0
01900 deny ip from 192.0.2.0/24 to any via tun0
02000 deny ip from 224.0.0.0/4 to any via tun0
02100 deny ip from 240.0.0.0/4 to any via tun0
02200 allow ip from any to any frag
02300 allow ip from any to any
65535 deny ip from any to any

Pablo Bendersky
pbendersky@mark-2k.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
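The two pieces of Joe's advice, the natd port forward and a check-state/keep-state ruleset replacing Pablo's "allow ip from any to any", written out as an added example for this thread (it is not Joe's or Pablo's configuration). It assumes FreeBSD 4.x ipfw syntax, 192.168.0.10 as the LAN web server, and a second natd on divert port 8669 for the cable link; getting that second instance to run is the part of Pablo's question the thread does not settle.

```conf
# --- /etc/natd.conf (assumed path) for the natd that aliases the cable link ---
# 192.168.0.10 is a placeholder for the LAN web server's address.
interface xl2
dynamic yes
# Joe's "forward ip / port 80" statement: public :80 -> web server :80
redirect_port tcp 192.168.0.10:80 80

# --- /etc/ipfw.rules (assumed path; rc.conf: firewall_type="/etc/ipfw.rules") ---
# Replaces rules 01300-02300 of the posted set; the loopback and bogon filters
# 00100-01200 stay as posted. tun0 = ADSL (LAN default route), xl2 = cable,
# xl0 = LAN. Divert port 8668 is kept from the original; the cable-side natd is
# assumed to listen on 8669.

# LAN-side traffic to and from the gateway is not policed here.
add 01250 allow ip from any to any via xl0
# Un-NAT inbound packets first, so check-state and the web rule see LAN addresses.
add 01300 divert 8668 ip from any to any in via tun0
add 01310 divert 8669 ip from any to any in via xl2
add 01400 check-state
# The cable link gets its address via DHCP; the deny rules below would break it.
add 01450 allow udp from any 68 to any 67 out via xl2
add 01460 allow udp from any 67 to any 68 in via xl2
# Outbound: the LAN may open TCP sessions and send UDP (DNS etc.). The dynamic
# rule is keyed on the pre-NAT LAN address, which is what replies carry after
# being un-NATed above; matching packets jump to the NAT-and-pass block.
add 01500 skipto 05000 tcp from 192.168.0.0/24 to any out via tun0 setup keep-state
add 01600 skipto 05000 udp from 192.168.0.0/24 to any out via tun0 keep-state
# Inbound: only new HTTP sessions to the web server, arriving on the cable link
# (destination already rewritten by redirect_port). Replies match via check-state.
add 02000 skipto 05000 tcp from any to 192.168.0.10 80 in via xl2 setup keep-state
# Everything else crossing either uplink is not part of a known session: drop it.
add 02100 deny log ip from any to any via tun0
add 02200 deny log ip from any to any via xl2
# NAT-and-pass block: outbound packets of allowed sessions get aliased here.
add 05000 divert 8668 ip from any to any out via tun0
add 05010 divert 8669 ip from any to any out via xl2
add 05100 allow ip from any to any
# Rule 65535 is the kernel's built-in default and stays "deny", as in the listing.
```

The order matters: un-NAT inbound, then check-state, then skipto the NAT block for new outbound sessions, which is what lets one dynamic rule match both directions of a translated session.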