Date:      Fri, 01 May 1998 09:28:11 GMT
From:      jak@cetlink.net (John Kelly)
To:        Wilson MacGyver <macgyver@cylatech.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: a question on firewall/proxy
Message-ID:  <354a81b7.297797094@mail.cetlink.net>
In-Reply-To: <199805010155.VAA20507@lymu.cylatech.com>
References:  <199805010155.VAA20507@lymu.cylatech.com>

On Thu, 30 Apr 1998 21:55:41 -0400 (EDT), Wilson MacGyver
<macgyver@cylatech.com> wrote:

>Let's say I have a FreeBSD box set up as the firewall. I alias the IP
>address, so the NIC has a real IP address, and 192.168.1.1.

Yes.

>I then set up the rest of the LAN using 192.168.1.x addresses, with
>192.168.1.1 set as the gateway for all the win95 machines on the LAN.

Yes.

>edit /etc/service to insert NATD entry

Yes.

>I did have the rc.conf GATEWAY setting to YES. But the Network Address
>Translating doesn't seem to be happening.

GATEWAY?  In my rc.conf, it's gateway_enable="YES"

>the alias.log in /var/log is empty. Did I miss something simple, or am I
>totally clueless here?

I don't use an alias.log and mine works fine.

>Is the routing/NAT not working because I'm choosing to use a non-routable
>address, ie 192.168.x.x?

No, works here.  I use the same 192.168.x.x addresses.

>If that's the case, then is the only way to set up a firewall one where I
>can't use any of the reserved addresses?

No, works here.

>start the natd with "natd -log -interface ed1" <ed1 is the NIC>.

You seem to have overlooked one item.  In my firewall setup, the final
lines are:

> # NATD
> $fwcmd add 150 divert natd all from any to any via $1
> /usr/sbin/natd -u -interface $1

I add a firewall divert rule, and THEN start natd.  Although these are
the last two lines in my script which set up the firewall rules, "150"
on the divert rule puts it first, even though it's added last.  THEN I
fire up natd.

>I recompile the kernel with IPFIREWALL, and IPDIVERT. Set rc.conf's
>firewall setting to YES, policy to 'open' for testing.

Mine is also "open," but for me it's irrelevant because I don't use
rc.firewall to set up my firewall rules.  When the machine boots, it's
true that the "open" rules are put in place by rc.firewall, but then I
later use a custom script which is called automatically by pppd when
his link comes up.

I had some troubles which I solved by clearing the firewall rules in
my pppd startup script as follows:

> fwcmd="/sbin/ipfw -q"
> $fwcmd -f flush
> $fwcmd add 65000 pass all from any to any

This resets the firewall rules equivalent to "open" every time I
restart pppd, then after the link comes up, pppd adds the firewall
rules by running my custom script.  

Make sure your firewall rules are active, then add the "divert" rule,
making sure it is numerically ahead of all the other firewall rules,
then start up natd.

Here I use ipfw/natd with pppd running an ISDN line to my upstream
ISP, pppd also running downstream modem lines to customers who use
some of my registered static IP addresses, and a local ethernet with
unregistered 192.168.x.x addresses, all on one box.  Works great.
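As an added illustration of the ordering described above (this is not John Kelly's own script, nor anything from the FreeBSD base system), here is a pppd ip-up style shell script that flushes ipfw, installs a rule set with the natd divert rule at a low number, and only then starts natd, together with a small checker that confirms the divert rule really is numerically ahead of every other rule. The IPFW and NATD paths, the 1000/65000 rule numbers, the anti-spoof rule and the DRY_RUN switch are all assumptions; with DRY_RUN=1 (the default) the commands are printed rather than executed, so the ordering can be checked on any host.

```shell
#!/bin/sh
# Added example, not the poster's actual script. Sketches a pppd ip-up style
# script: flush ipfw, add the rule set with the natd divert rule at a low
# number, then start natd. Paths, the 1000/65000 rule numbers and the
# anti-spoof rule are assumptions. DRY_RUN=1 (default) prints the commands
# instead of running them.

DRY_RUN="${DRY_RUN:-1}"
IPFW="${IPFW:-/sbin/ipfw}"
NATD="${NATD:-/usr/sbin/natd}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_rules OUTSIDE_IF DIVERT_NUM
# Reset to the "open" baseline, add rules, add the divert rule, then start natd.
install_rules() {
    oif="$1"
    divert_num="$2"
    run "$IPFW" -q -f flush
    # Divert everything crossing the outside interface to natd. Its number,
    # not its position in this script, decides where ipfw evaluates it.
    run "$IPFW" -q add "$divert_num" divert natd all from any to any via "$oif"
    # Assumed anti-spoof rule: private source addresses must not arrive
    # on the outside interface.
    run "$IPFW" -q add 1000 deny all from 192.168.0.0/16 to any in via "$oif"
    # Same catch-all the message uses for its "open" baseline.
    run "$IPFW" -q add 65000 pass all from any to any
    # natd last, once the divert rule is in place. -u translates only
    # unregistered (private) source addresses.
    run "$NATD" -u -interface "$oif"
}

# divert_is_first CMD_LINES
# Inspect dry-run output; return 0 only when the divert rule's number is
# lower than every other "add" rule, i.e. ipfw will evaluate it first.
divert_is_first() {
    printf '%s\n' "$1" | awk '
        $1 ~ /ipfw$/ {
            for (i = 1; i < NF; i++) {
                if ($i == "add") {
                    num = $(i + 1) + 0
                    if ($(i + 2) == "divert") { divert = num; seen = 1 }
                    else if (min == "" || num < min) min = num
                    break
                }
            }
        }
        END { exit !(seen && (min == "" || divert < min)) }'
}

# Usage: dry-run the rule set for ed1 and verify the ordering.
rules=$(install_rules ed1 150)
printf '%s\n' "$rules"
if divert_is_first "$rules"; then
    echo "ok: divert rule is evaluated before all other rules"
else
    echo "misordered: give the divert rule a lower number than the other rules" >&2
fi
```

Run it with DRY_RUN=0 only from the hook pppd actually calls when the link comes up; the checker is meant to be run against the dry-run output beforehand, so a rule added later with a lower number than the divert rule is caught before it silently bypasses natd.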

