Date:      Wed, 07 Feb 2001 11:02:02 -0600
From:      Hamilton Hoover <hamilton@twopoint.com>
To:        Eric Thornton <ewthorn2@eos.ncsu.edu>
Cc:        questions@FreeBSD.ORG
Subject:   Re: HELLLLLLLLLLLP(firewall)
Message-ID:  <3A817F8A.C2CAD7ED@twopoint.com>
References:  <20010206232345.D7B6F36F9@sitemail.everyone.net> <01020620525500.00910@reefbreak.surfbbx>

Eric Thornton wrote:
> 
> I know little about firewall rules, but this is my setup.
> It was done by a friend of mine who knows a lot more about TCP/IP than I do.
> This works with roadrunner (dynamic IP address).
> 
> ---KERNEL-----
> options                 IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPDIVERT
> 
> ---rc.conf-----
> gateway_enable="YES"
> firewall_enable="YES"
> #i don't know what the next 3 do...
> tcp_keepalive="YES"
> tcp_extensions="YES"
> icmp_drop_redirect="YES"
> 

Looks to me like you are missing these lines in rc.conf.

firewall_script="/etc/rc.firewall"
firewall_type="whatscriptyoupicked"

> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="ed1"
> natd_flags="-f /etc/natd.conf"
> #this excludes the norm hostname, ifconfig, norm network setup
> 
> ---rc.firewall----
> HIPORT=1024-65535
> LOPORT=1-1023
> FTPPORT=49152-65535
> 
> ipfw="/sbin/ipfw -q"
> $ipfw -f flush
> sysctl -w net.inet.ip.fw.one_pass=0
> 
> # deny rfc1918 from outside interface
> $ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
> $ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1
> $ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
> 
> # allow things out before nat rule
> $ipfw add 50 pass all from any to any via lo0
> 
> # anything here is stuff you want to work even if natd is down
> $ipfw add 80 pass tcp from any $LOPORT to any ssh in recv ed1 setup keep-state
> $ipfw add 81 pass tcp from any $HIPORT to any telnet in recv ed1 setup keep-state
> $ipfw add 84 pass tcp from any to any auth in recv ed1 setup keep-state
> 
> # nat rule--THIS IS IMPORTANT!!!
> $ipfw add 100 divert natd all from any to any via ed1
> 
> # everything allowed
> $ipfw add 200 pass all from any to any
> 
> ---natd.conf----
> dynamic yes
> use_sockets yes
> same_ports yes
> unregistered_only yes
> 
> -hope this helps.
> 
> Eric
> 
> On Tuesday 06 February 2001 06:23 pm, Benjamin Ossei wrote:
> > I've asked this question several times and no one has helped yet.  If no
> > one wants to help I can understand it.  But I'm trying one last chance.
> > I've read several books including all of the man pages etc.  Still my NAT
> > isn't working.  I've used every configuration that I can find and tried
> > several things.  I still cannot get to my machines behind the firewall.  I
> > don't know what else to do other than going back to something else.  Anyway
> > if anyone wants to give me a hand I can use it.  natd diverts loads up but
> > I can't get past the FW.
> >
> > Thanks..
> >


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
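The ordering point Eric flags with "THIS IS IMPORTANT" is the one that most often breaks an ipfw + natd gateway: ipfw evaluates rules in rule-number order and stops at the first match, so a catch-all pass numbered below the divert means natd never sees a packet, and the RFC 1918 denies only protect the outside interface if they are numbered below everything that could pass those packets. The script below is an added example, not code from this thread or from FreeBSD. It parses ipfw `add` lines (tolerating a leading `$ipfw` or `/sbin/ipfw -q`), sorts them as the kernel would, and reports the mistakes a reviewer of such a script would look for: no divert on the external interface, a pass-everything rule numbered before the divert, no pass rule after the divert to accept translated packets, and missing inbound denies for each RFC 1918 block. The interface name `ed1` and the sample rules are taken from the posted rc.firewall (with the wrapped `setup/ keep-state` line joined back together); the misordered rule set is constructed to show a failing case. It understands only the subset of ipfw syntax used in the post and is meant as a sanity check on a script before it is loaded, not as a full ipfw parser.

```python
"""Audit an ipfw + natd rule set of the kind posted in this thread.

Added example, not code from the thread or from FreeBSD.  It parses
ipfw 'add' lines, orders them the way the kernel evaluates them (by rule
number, not by the order they were typed in), and reports mistakes that
silently break NAT or leave the outside interface open to packets with
RFC 1918 source addresses.  The interface name ed1 and the sample rules
come from the posted rc.firewall; the misordered set is constructed.
"""
import ipaddress
from dataclasses import dataclass

PASS_ACTIONS = {"pass", "allow", "accept", "permit"}
DENY_ACTIONS = {"deny", "drop"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sample input: the posted rules, with the wrapped "setup/ keep-state"
# line joined back into a single rule.
POSTED_RULES = """\
$ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
$ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1
$ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
$ipfw add 50 pass all from any to any via lo0
$ipfw add 80 pass tcp from any 1-1023 to any ssh in recv ed1 setup keep-state
$ipfw add 81 pass tcp from any 1024-65535 to any telnet in recv ed1 setup keep-state
$ipfw add 84 pass tcp from any to any auth in recv ed1 setup keep-state
$ipfw add 100 divert natd all from any to any via ed1
$ipfw add 200 pass all from any to any
"""

# Constructed counter-example: a catch-all pass numbered below the divert.
# ipfw stops at the first matching rule, so natd never sees a packet.
MISORDERED_RULES = """\
$ipfw add 90 pass all from any to any
$ipfw add 100 divert natd all from any to any via ed1
"""


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    ifaces: frozenset  # interfaces named by via / recv / xmit
    opts: tuple        # every token after the destination address


def parse_rules(text):
    """Parse '... add <num> <action> ... <proto> from <src> ... to <dst> ...' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if "add" not in tok or "from" not in tok or "to" not in tok:
            continue
        tok = tok[tok.index("add"):]   # drop a leading "$ipfw" or "/sbin/ipfw -q"
        if len(tok) < 4 or not tok[1].isdigit():
            continue
        i_from, i_to = tok.index("from"), tok.index("to")
        opts = tok[i_to + 2:]
        ifaces = frozenset(opts[i + 1] for i, w in enumerate(opts[:-1])
                           if w in ("via", "recv", "xmit"))
        rules.append(Rule(int(tok[1]), tok[2], tok[i_from - 1],
                          tok[i_from + 1], tok[i_to + 1], ifaces, tuple(opts)))
    # The kernel walks rules by number, whatever order the script added them in.
    return sorted(rules, key=lambda r: r.number)


def _covers(rule_src, net):
    """True if the rule's source spec is a network that contains net."""
    try:
        return net.subnet_of(ipaddress.ip_network(rule_src, strict=False))
    except ValueError:  # "any", "me", "not ...", table references
        return False


def audit(text, ext_if):
    """Return a list of findings; an empty list means every check passed."""
    rules = parse_rules(text)
    findings = []
    diverts = [r for r in rules if r.action == "divert" and ext_if in r.ifaces]
    if not diverts:
        findings.append(f"no divert rule on {ext_if}; natd never sees traffic")
    else:
        nat = diverts[0]
        for r in rules:
            # An unconditional pass that precedes the divert terminates the
            # search before natd gets the packet.
            if (r.number < nat.number and r.action in PASS_ACTIONS
                    and r.proto in ("all", "ip") and r.src == "any"
                    and r.dst == "any" and not r.ifaces):
                findings.append(f"rule {r.number} passes everything "
                                f"before divert rule {nat.number}")
        if not any(r.number > nat.number and r.action in PASS_ACTIONS
                   for r in rules):
            findings.append(f"no pass rule after divert rule {nat.number} "
                            f"to accept the translated packets")
    for net in RFC1918:
        if not any(r.action in DENY_ACTIONS and "in" in r.opts
                   and ext_if in r.ifaces and _covers(r.src, net)
                   for r in rules):
            findings.append(f"no inbound deny for {net} on {ext_if}")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("misordered", MISORDERED_RULES)):
        print(f"{name}: {audit(text, 'ed1') or ['ok']}")
```

Run as-is it reports the posted rule set as clean and lists five findings for the misordered one. Pointing `audit()` at a rule set with a different external interface name shows the other failure mode worth knowing: every check is interface-specific, so a divert or a deny bound to the wrong interface is as good as absent.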