Date: Wed, 27 Mar 2002 14:45:30 -0000
From: Mike Dewhirst <Dewhirst.M@UCLES.org.uk>
To: 'Martyn Hill' <sysadmin@st-james-snrgirls.w-london.sch.uk>, FreeBSD-questions <freebsd-questions@freebsd.org>
Subject: RE: Cable-modem, dynamic IP, NAT and IPFW
Message-ID: <0B0368CED76DD4118E1200D0B73E9B5D041E9F8C@MAIL1>
> I have set up a test-bench installation at home of FreeBSD
> 4.5, cable-modem (with Blueyonder) with dynamic IP, UserPPP (PPPoE)
> running NAT, IPFW, BIND, DHCP, Exim, Samba and the Squid
> proxy software. The purpose behind the install is to avoid long hours
> spent at school trying out new configurations on an otherwise
> working live system (static IP, but otherwise similar.)

I have a very similar working set-up with NTL.

>
> Having read (and tried to digest) the various HowTos and
> mailing list postings re. configuring for dynamic IP, I'm getting no
> joy connecting through the cable modem. The NIC MAC address
> has been registered with BY.

More detail please. Do you get an IP address assigned from your cable modem via DHCP?

> In particular, configuring IPFW for dynamic IP (I have a
> working ruleset for fixed IP); which of NATD or UserPPP NAT is
> preferable (or easier) to configure/use and how best to
> configure the external NIC using the ISC DHCLIENT software.

Here's a partial ruleset I use that works well for me:

00005 divert 8668 ip from any to any via xl1
00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any

xl1 is the external NIC (to the cable modem), xl0 the local NIC.
>
> Rather than forward all my current configuration files,
> please could you advise which are relevant and I'll provide those.

rc.conf for now...

There is a book I found very useful - FreeBSD Unleashed, ISBN: 0-672-32206-4

These links are quite good for firewall config:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Hope this helps,

Mike
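As an added illustration that is not part of the thread, here is a small Python first-match evaluator for the ruleset Mike posted, so its effect on traffic crossing the external NIC can be checked offline rather than by trial on a live box. It assumes a constructed xl1 address of 203.0.113.7 (dynamic in practice), treats the divert/natd rule as pass-through, and models `setup` as a bare SYN and `established` as a packet carrying ACK or RST.

```python
import ipaddress

# Ruleset quoted in the mail above, minus the divert: natd re-injects the packet and matching resumes at the next rule.
RULES = """00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any"""

def parse_rule(line):                                  # covers the ipfw subset used above
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], sport=None, dport=None, iface=None,
             dir=None, setup=False, established=False, icmptype=None)
    i = 3 if t[1] == "unreach" else 2                  # "unreach host" takes an argument
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3
    if t[i] != "to":                                   # optional source port
        r["sport"], i = int(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i].isdigit():                  # optional destination port
        r["dport"], i = int(t[i]), i + 1
    it = iter(t[i:])
    for w in it:                                       # trailing options
        if w in ("via", "recv", "xmit"): r["iface"] = next(it)
        elif w in ("in", "out"): r["dir"] = w
        elif w == "icmptype": r["icmptype"] = {int(x) for x in next(it).split(",")}
        else: r[w] = True                              # setup / established
    return r

def addr_ok(spec, addr, me):
    return spec == "any" or (addr in me if spec == "me" else
                             ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def first_match(pkt, me=("203.0.113.7",)):            # me: constructed address of xl1
    for r in map(parse_rule, RULES.splitlines()):      # first matching rule decides, as in ipfw
        if (r["proto"] in ("ip", pkt["proto"]) and addr_ok(r["src"], pkt["src"], me)
                and addr_ok(r["dst"], pkt["dst"], me) and r["iface"] in (None, pkt["iface"])
                and r["sport"] in (None, pkt.get("sport")) and r["dport"] in (None, pkt.get("dport"))
                and r["dir"] in (None, pkt["dir"]) and (not r["setup"] or pkt.get("flags") == "syn")
                and (not r["established"] or pkt.get("flags") == "ack")  # setup: SYN only; established: ACK/RST
                and (r["icmptype"] is None or pkt.get("icmptype") in r["icmptype"])):
            return r["num"], r["action"]
```

Feeding it constructed packets shows, for instance, that rule 450 admits an SSH setup from any source on either interface, and that rule 250 accepts DNS answers only from 194.168.8.100, which matters when dhclient hands out a different resolver on a dynamic-IP link.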