From: Wayne Pascoe
To: Jordi YC
Cc: questions@FreeBSD.ORG
Subject: Re: Wireless ad-hoc gateway with IPsec/IPFilter/IPNat?
Date: 06 Jun 2002 08:49:39 +0000
In-Reply-To: <200206060020.41934.jordi_yc@lycos.es>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)

Jordi YC writes:

> I would like to know if I can have 1 (one) FreeBSD server doing
> ipfilter, ipnat, and ipsec for a small intranet. Basically, it is a
> home LAN connected through a cable modem + a wireless network card
> that connects 2 users. I would like to use ipsec instead of PPTP, so
> I can avoid "dialing" in order to secure the connection and save me
> some routing issues.

Yes. I have been doing this for some time now.

The important lines from /etc/start_if.wi0 (or the appropriate script
that is run when your wireless adaptor initialises) are:

    wicontrol -i wi0 -c 1
    wicontrol -i wi0 -e 1
    wicontrol -i wi0 -n "yourwirelessnetname"

You should then supply a key with

    wicontrol -i wi0 -k "blah"

In your ipfilter scripts, block or pass on the device unless you have a
fixed IP address. e.g.

    pass in quick on wi0 proto tcp from 192.168.1.0/24 to any port = 22 flags S/SA keep state

The above line will allow all machines on your network to ssh to the
world.

HTH.

--
- Wayne Pascoe
- http://www.penguinpowered.org.uk/wayne/
Give me enough medals, and I'll win any war. - Napoleon
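The gateway the reply describes, written out as an added example rather than anything from Wayne's own scripts or the FreeBSD project: a small sh generator for the four config fragments such a FreeBSD 4.x box needs, namely the wi0 start-up commands from the post (with the WEP key read from a root-only file instead of typed on the command line), a default-deny ipfilter ruleset built around the post's single ssh rule, an ipnat map for the cable-modem side, and a setkey(8) policy that requires tunnel-mode ESP between one wireless client and the gateway, which is what actually protects traffic over the air (WEP has long been broken; treat the -k key as a nuisance barrier only). The interface names wi0 and dc0, the 192.168.1.0/24 network, the 192.168.1.1 gateway and 192.168.1.10 client addresses, the SSID and the key-file path /etc/wi0.key are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates config fragments for a
# FreeBSD 4.x wireless gateway: wi0 start-up, ipf rules, ipnat map, setkey SPD.
# Assumed names: wi0 = wireless LAN side, dc0 = cable modem, 192.168.1.0/24 =
# LAN, 192.168.1.1 = gateway on wi0, 192.168.1.10 = one wireless client.
WIFI_IF=wi0
EXT_IF=dc0
LAN_NET=192.168.1.0/24
GW_ADDR=192.168.1.1
CLIENT=192.168.1.10
SSID=yourwirelessnetname

# /etc/start_if.wi0: create IBSS (ad-hoc), enable WEP, set name, load key.
# The key is read from a root-only file (assumed path) so it never shows up
# in ps output or shell history the way a literal on the command line does.
gen_start_if() {
    cat <<EOF
wicontrol -i $WIFI_IF -c 1
wicontrol -i $WIFI_IF -e 1
wicontrol -i $WIFI_IF -n "$SSID"
wicontrol -i $WIFI_IF -k "\$(cat /etc/$WIFI_IF.key)"
EOF
}

# /etc/ipf.rules: deny by default and log drops; on wi0 admit only IKE, ESP
# and the post's ssh rule (with the proto tcp that port/flags need); on the
# cable-modem side allow outbound with state and refuse spoofed LAN sources.
gen_ipf_rules() {
    cat <<EOF
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $WIFI_IF proto udp from $LAN_NET to $GW_ADDR port = 500 keep state
pass in quick on $WIFI_IF proto esp from $LAN_NET to $GW_ADDR
pass out quick on $WIFI_IF proto esp from $GW_ADDR to $LAN_NET
pass in quick on $WIFI_IF proto tcp from $LAN_NET to any port = 22 flags S/SA keep state
block in quick on $EXT_IF from $LAN_NET to any
pass out quick on $EXT_IF proto tcp from any to any flags S/SA keep state
pass out quick on $EXT_IF proto udp from any to any keep state
pass out quick on $EXT_IF proto icmp from any to any keep state
EOF
}

# /etc/ipnat.rules: hide the LAN behind whatever address dc0 holds (0/32),
# which suits a cable modem that hands out a changing address.
gen_ipnat_rules() {
    cat <<EOF
map $EXT_IF $LAN_NET -> 0/32 portmap tcp/udp 40000:60000
map $EXT_IF $LAN_NET -> 0/32
EOF
}

# /etc/ipsec.conf for setkey(8): tunnel-mode ESP between the client and the
# gateway is required in both directions, so plaintext packets to or from the
# client are rejected by the kernel's policy check regardless of ipf rules.
# The SAs themselves (racoon, or manual "add" lines) are not generated here.
gen_ipsec_conf() {
    cat <<EOF
spdflush;
spdadd $CLIENT/32 0.0.0.0/0 any -P in ipsec esp/tunnel/$CLIENT-$GW_ADDR/require;
spdadd 0.0.0.0/0 $CLIENT/32 any -P out ipsec esp/tunnel/$GW_ADDR-$CLIENT/require;
EOF
}

# Usage: sh gateway-gen.sh ipf > /etc/ipf.rules   (start_if | ipf | ipnat | ipsec)
case "${1:-}" in
    start_if) gen_start_if ;;
    ipf)      gen_ipf_rules ;;
    ipnat)    gen_ipnat_rules ;;
    ipsec)    gen_ipsec_conf ;;
esac
```

Like the rule in the post, the ipf fragment only opens ssh from the wireless side; each further service needs its own `pass in quick on wi0` line, and anything decapsulated from the client's ESP tunnel is re-evaluated against those same inbound rules, so keep them narrow. The setkey policy is only half of IPsec: without matching SAs from racoon or manual `add` entries the client's traffic is simply dropped, which is the safe failure mode but an easy one to misread as a firewall problem.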