Date: Wed, 07 Feb 2001 11:02:02 -0600 From: Hamilton Hoover <hamilton@twopoint.com> To: Eric Thornton <ewthorn2@eos.ncsu.edu> Cc: questions@FreeBSD.ORG Subject: Re: HELLLLLLLLLLLP(firewall) Message-ID: <3A817F8A.C2CAD7ED@twopoint.com> References: <20010206232345.D7B6F36F9@sitemail.everyone.net> <01020620525500.00910@reefbreak.surfbbx>
next in thread | previous in thread | raw e-mail | index | archive | help
Eric Thornton wrote: > > I know little about firewall rules, but this is my setup > it was done by a friend of mine who knows a lot more about tcp/ip than i do. > this works with roadrunner--dynamic ip address > > ---KERNEL----- > options IPFIREWALL > options IPFIREWALL_VERBOSE > options IPDIVERT > > ---rc.conf----- > gateway_enable="YES" > firewall_enable="YES" > #i don't know what the next 3 do... > tcp_keepalive="YES" > tcp_extensions="YES" > icmp_drop_redirect="YES" > look to me like you are missing these lines in rc.conf. firewall_script="/etc/rc.firewall" firewall_type="whatscriptyoupicked" > natd_program="/sbin/natd" > natd_enable="YES" > natd_interface="ed1" > natd_flags="-f /etc/natd.conf" > #this excludes the norm hostname, ifconfig, norm network setup > > ---rc.firewall---- > HIPORT=1024-65535 > LOPORT=1-1023 > FTPPORT=49152-65535 > > ipfw="/sbin/ipfw -q" > $ipfw -f flush > sysctl -w net.inet.ip.fw.one_pass=0 > > # deny rfc1918 from outside interface > $ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1 > $ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1 > $ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1 > > # allow things out before nat rule > $ipfw add 50 pass all from any to any via lo0 > > # anything here is stuff you want to work even if natd is down > $ipfw add 80 pass tcp from any $LOPORT to any ssh in recv ed1 setup keep-state > $ipfw add 81 pass tcp from any $HIPORT to any telnet in recv ed1 setup/ > keep-state > $ipfw add 84 pass tcp from any to any auth in recv ed1 setup keep-state > > # nat rule--THIS IS IMPORTANT!!! > $ipfw add 100 divert natd all from any to any via ed1 > > # everything allowed > $ipfw add 200 pass all from any to any > > ---natd.conf---- > dynamic yes > use_sockets yes > same_ports yes > unregistered_only yes > > -hope this helps. > > Eric > > On Tuesday 06 February 2001 06:23 pm, Benjamin Ossei wrote: > > I've asked this questions several time and no one has helped yet. If no > > one wants to help I can understand it. But I'm trying one last chance. > > I've read several books including all of the man pages etc. Sill my NAT > > isn't working. I've used every configurations that I can find and tried > > several things. I still can not get to my machines behind the firewall. I > > don't know what else to do other than going back to something else. Anyway > > if anyone wants to give me a hand I can use it. natd diverts loads up but > > I can't get pass the FW. > > > > Thanks.. > > > > _____________________________________________________________ > > ========GET YOUR FREE E-MAIL============ > > http://freemail.cahostnet.net > > Web Hosting http://www.cahostnet.com > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A817F8A.C2CAD7ED>