From owner-freebsd-questions@FreeBSD.ORG Wed Sep 17 11:29:24 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 623CB16A4B3 for ; Wed, 17 Sep 2003 11:29:24 -0700 (PDT)
Received: from lakemtao04.cox.net (lakemtao04.cox.net [68.1.17.241]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58F7E43F85 for ; Wed, 17 Sep 2003 11:29:23 -0700 (PDT) (envelope-from rjhjr@cox.net)
Received: from kongemord.krig.net ([68.100.111.121]) by lakemtao04.cox.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <20030917182923.OGDS29227.lakemtao04.cox.net@kongemord.krig.net> for ; Wed, 17 Sep 2003 14:29:23 -0400
Received: by kongemord.krig.net (sSMTP sendmail emulation); Wed, 17 Sep 2003 14:29:22 -0400
From: "Bob Hall"
Date: Wed, 17 Sep 2003 14:29:22 -0400
To: freebsd-questions@freebsd.org
Message-ID: <20030917182921.GA12360@kongemord.krig.net>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <20030917172325.5e2f64a9.y2kbug@ms25.hinet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030917172325.5e2f64a9.y2kbug@ms25.hinet.net>
User-Agent: Mutt/1.4.1i
Subject: Re: firewall
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 17 Sep 2003 18:29:24 -0000

At this point, I'm a little confused. You said previously that this would
be the only machine that accessed the Internet via PPP. Now you're setting
it up as the gateway, which means that other machines will be accessing
the Internet via PPP on your gateway. To reiterate from an earlier post,
you have three options:

1) This is not a gateway. You need PPP and a firewall.
2) This is a gateway. You need PPP, a firewall, and NAT implemented via
   user PPP.
3) This is a gateway. You need PPP, a firewall, and NAT implemented via
   the firewall.

Decide on an option, and tell us which you're going to implement.

On Wed, Sep 17, 2003 at 05:23:25PM +0800, Robert Storey wrote:
> In the continuing saga of my firewall configuration...
>
> One kind member of this list suggested I must compile this into my
> kernel:
>
> options IPDIVERT

You need that only for option 3. You also need options IPFIREWALL for any
of the three options.

> So I did that, and it made a difference though it didn't solve the
> problem. Previously, whenever I started ppp, if I attempted to ping I
> would get this error message:
>
> bob@sonic:~> ping slashdot.org
> ping: cannot resolve slashdot.org: Host name lookup failure
>
> Now when I ping, I get no response - no error messages, but no other
> feedback. I think this is an improvement, but something is still
> preventing me from getting a response from ppp.
>
> To reiterate, this is everything I've done so far:
>
> FROM /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="simple"
> natd_enable="YES"
> natd_interface="ppp0"
>
> FROM /etc/rc.firewall:
>
> # set these to your outside interface network and netmask and ip
> oif="ppp0"
> onet="168.95.0.0"
> omask="255.255.255.255"
> oip="168.95.0.0"

oip = Outer IP address. 168.95.0.0 is not your oip. Once again, the oip is
found in the ppp0 section of the output from "ifconfig -a". It changes
every time you dial up.

> # set these to your inside interface network and netmask and ip
> iif="vr0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.2"
>
> Kernel recompile:
> options IPDIVERT

See above.

> CONTENT OF /etc/hosts:
> #
> ::1 localhost localhost.utopia.com
> 127.0.0.1 localhost localhost.utopia.com
> #
> 192.168.0.3 ibm.utopia.com ibm
> 192.168.0.2 sonic.utopia.com sonic
> 192.168.0.1 pro.utopia.com pro

I use local DNS, so I've never manually written anything in my hosts file,
but I think you need to add an address for DNS lookup. It's possible that
this is entered automatically when you dial up. As I said, I don't do DNS
this way, so I'm not sure how your setup should work.

> I also used sysinstall to designate this machine as a gateway. Was that
> the right thing to do?

Tell us whether or not you've decided to use this machine as a gateway.
You can't proceed, and we can't help you, until you make that decision.
If you decide to use this machine as a gateway, then you have to decide
how you're going to implement NAT. Again, you can't proceed, and we can't
help you, until you decide. You have to pick one of the three options
listed at the top.

Bob Hall
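The check Bob keeps pointing at (read the live oip from the ppp0 section of "ifconfig -a" rather than hard-coding it, because it changes on every dial-up) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from Bob Hall or from FreeBSD. It parses ifconfig output in the FreeBSD 4.x/5.x format, converts the hex netmask to the dotted form rc.firewall's omask/imask variables use, and prints a condensed option-3 rule set (firewall plus natd over IPDIVERT) modeled on the "simple" section of the rc.firewall of that era. The ifconfig text, the 168.95.23.45 address and the rule numbers are constructed for the example; the rule list is an assumption to be checked against your own /etc/rc.firewall, and the ICMP rule at the end is an addition that set never had.

```sh
#!/bin/sh
# Added example (not from the original thread): take the outer ("oip")
# address of the PPP link from ifconfig output at run time instead of
# hard-coding oip="168.95.0.0" in rc.firewall.  SAMPLE_IFCONFIG is a
# constructed sample in FreeBSD 4.x/5.x format; every address is made up.

SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 168.95.23.45 --> 168.95.1.1 netmask 0xffffffff'

# parse_inet IFACE  (ifconfig output on stdin)
# Prints "ADDR HEXMASK" for IFACE's first IPv4 line, or nothing if the
# interface is absent or has no address yet (ppp0 before the link is up).
parse_inet() {
    awk -v want="$1" '
        /^[a-z]+[0-9]+: / { cur = substr($1, 1, length($1) - 1); next }
        cur == want && $1 == "inet" {
            for (i = 1; i < NF; i++) if ($i == "netmask") print $2, $(i + 1)
            exit
        }'
}

# mask_to_dotted 0xffffff00 -> 255.255.255.0
# ifconfig prints the mask in hex; rc.firewall wants dotted quads.
mask_to_dotted() {
    m=$(( $1 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# outer_ip IFACE : the live lookup to run on the gateway after dial-up.
# Not called below, so the example runs on a machine without ifconfig.
outer_ip() {
    ifconfig "$1" 2>/dev/null | parse_inet "$1" | awk '{ print $1 }'
}

# simple_rules OIF OIP IIF INET IMASK
# Condensed option-3 rule set (assumption: modeled on the "simple" section
# of the rc.firewall of that era; compare with your own copy).  The DNS
# rules are tied to $oip, so with a wrong oip no lookup reply ever matches
# and every name resolution fails.  The icmp rule is an addition: without
# it the default deny also drops the echo replies ping is waiting for.
simple_rules() {
    oif=$1; oip=$2; iif=$3; inet=$4; imask=$5
    cat <<EOF
ipfw -f flush
ipfw add 50 divert natd all from any to any via $oif
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny all from $inet:$imask to any in via $oif
ipfw add 400 deny all from any to 10.0.0.0/8 via $oif
ipfw add 500 deny all from any to 172.16.0.0/12 via $oif
ipfw add 600 deny all from any to 192.168.0.0/16 via $oif
ipfw add 700 pass tcp from any to any established
ipfw add 800 pass all from any to any frag
ipfw add 900 deny log tcp from any to any in via $oif setup
ipfw add 1000 pass tcp from any to any setup
ipfw add 1100 pass udp from $oip to any 53
ipfw add 1200 pass udp from any 53 to $oip
ipfw add 1300 pass icmp from any to any
ipfw add 65000 deny log all from any to any
EOF
}

# Offline demonstration against the constructed sample: pull oip and omask
# for ppp0, then print the rules rc.firewall would issue for it.
set -- $(printf '%s\n' "$SAMPLE_IFCONFIG" | parse_inet ppp0)
oip=$1
omask=$(mask_to_dotted "$2")
echo "# oip=$oip omask=$omask"
simple_rules ppp0 "$oip" vr0 192.168.0.0 255.255.255.0
```

On the real gateway replace the sample with `outer_ip ppp0` after the link is up, or run the rule generation from user PPP's link-up hook so it is redone on every dial-up. For option 2 the divert rule, natd and IPDIVERT are all dropped and NAT is turned on inside user PPP instead (`nat enable yes` in /etc/ppp/ppp.conf); the firewall rules above still apply, minus rule 50.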