Date: Wed, 27 Mar 2002 14:45:30 -0000
From: Mike Dewhirst <Dewhirst.M@UCLES.org.uk>
To: 'Martyn Hill' <sysadmin@st-james-snrgirls.w-london.sch.uk>, FreeBSD-questions <freebsd-questions@freebsd.org>
Subject: RE: Cable-modem, dynamic IP, NAT and IPFW
Message-ID: <0B0368CED76DD4118E1200D0B73E9B5D041E9F8C@MAIL1>
> I have set up a test-bench installation at home of FreeBSD
> 4.5, cable-modem (with Blueyonder) with dynamic IP, UserPPP (PPPoE)
> running NAT, IPFW, BIND, DHCP, Exim, Samba and the Squid
> proxy software. The purpose behind the install is to avoid long hours
> spent at school trying out new configurations on an otherwise
> working live system (static IP, but otherwise similar.)

I have a very similar working set-up with NTL.

> Having read (and tried to digest) the various HowTos and
> mailing list postings re. configuring for dynamic IP, I'm getting no
> joy connecting through the cable modem. The NIC MAC address
> has been registered with BY.

More detail please. Do you get an IP address assigned from your cable modem via DHCP?

> In particular, configuring IPFW for dynamic IP (I have a
> working ruleset for fixed IP); which of NATD or UserPPP NAT is
> preferable (or easier) to configure/use and how best to
> configure the external NIC using the ISC DHCLIENT software.

Here's a partial ruleset I use that works well for me:

00005 divert 8668 ip from any to any via xl1
00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any

xl1 is the external NIC (to the cable modem), xl0 the local NIC.

> Rather than forward all my current configuration files,
> please could you advise which are relevant and I'll provide those.

rc.conf for now...
There is a book I found very useful: FreeBSD Unleashed, ISBN 0-672-32206-4.

These links are quite good for firewall config:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Hope this helps,

Mike
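Added illustration, not code from the thread above: a small Python model of the ipfw(8) first-match walk over the partial ruleset Mike posted, useful for checking what a given packet hits before loading the rules on a live box. It shows why the `me` keyword suits a dynamic address (no public IP is hard-coded), that rule 450 admits inbound SSH from any interface, and that the `0` in rule 501 is shadowed by rule 500. Interface names are taken from the reply; the host addresses are assumed.

```python
import ipaddress
# Constructed copy of the partial IPFW ruleset posted in the reply above (rule numbers as on the page).
RULESET = """00005 divert 8668 ip from any to any via xl1
00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any""".splitlines()
MY_ADDRS = {"192.168.1.1", "62.30.0.5"}  # hypothetical: xl0 address and the current dynamic xl1 address

def addr_match(spec, ip):  # 'any', 'me' (every address this host currently holds) or an address/CIDR
    return spec == "any" or (ip in MY_ADDRS if spec == "me" else
            ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))

def parse(line):  # the subset of ipfw(8) rule syntax used above
    t = line.split(); i = 3 if t[1] in ("divert", "unreach") else 2  # skip divert port / unreach code
    r = {"num": int(t[0]), "action": t[1], "proto": t[i], "src": t[i + 2]}; i += 3
    if t[i] != "to": r["sport"], i = t[i], i + 1
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i].isdigit(): r["dport"], i = t[i], i + 1
    r["opts"] = t[i:]; return r

def opts_match(o, p):  # via / in recv / out xmit, setup, established, icmptype
    i = 0
    while i < len(o):
        if o[i] in ("via", "recv", "xmit"): ok, i = o[i + 1] == p["iface"], i + 2
        elif o[i] in ("in", "out"): ok, i = o[i] == p["dir"], i + 1
        elif o[i] == "setup": ok, i = p.get("flags") == "S", i + 1  # SYN only
        elif o[i] == "established": ok, i = bool(set(p.get("flags", "")) & set("AR")), i + 1  # ACK or RST
        elif o[i] == "icmptype": ok, i = str(p.get("icmptype")) in o[i + 1].split(","), i + 2
        else: return False
        if not ok: return False
    return True

def evaluate(p):  # walk the rules in order; return (number, action) of the first terminal match
    for r in map(parse, RULESET):
        if r["proto"] not in ("ip", p["proto"]): continue
        if not (addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])): continue
        if any(k in r and r[k] != str(p.get(k)) for k in ("sport", "dport")): continue
        if opts_match(r["opts"], p) and r["action"] != "divert":  # divert: natd re-injects at the next rule
            return r["num"], r["action"]
```

Each packet is a dict with proto, src, dst, optional sport/dport, iface, dir ("in"/"out"), TCP flags and icmptype; run it per interface pass, as ipfw does.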
