From owner-freebsd-questions Wed Mar 27 6:48:59 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail3.ucles.org.uk (mail3.ucles.org.uk [192.149.119.13]) by hub.freebsd.org (Postfix) with ESMTP id 5225937B41B for ; Wed, 27 Mar 2002 06:48:43 -0800 (PST)
Received: from mail3.ucles.org.uk (unverified) by mail3.ucles.org.uk (Content Technologies SMTPRS 4.2.5) with ESMTP id ; Wed, 27 Mar 2002 14:45:20 +0000
Received: by forest.nrl.navy.mil with Internet Mail Service (5.5.2653.19) id ; Wed, 27 Mar 2002 14:45:20 -0000
Message-ID: <0B0368CED76DD4118E1200D0B73E9B5D041E9F8C@MAIL1>
From: Mike Dewhirst
To: 'Martyn Hill', FreeBSD-questions
Subject: RE: Cable-modem, dynamic IP, NAT and IPFW
Date: Wed, 27 Mar 2002 14:45:30 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C1D59E.0A893DC0"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I have set up a test-bench installation at home of FreeBSD
> 4.5, cable-modem (with Blueyonder) with dynamic IP, UserPPP (PPPoE)
> running NAT, IPFW, BIND, DHCP, Exim, Samba and the Squid
> proxy software. The purpose behind the install is to avoid long hours
> spent at school trying out new configurations on an otherwise
> working live system (static IP, but otherwise similar.)

I have a very similar working set-up with NTL.

>
> Having read (and tried to digest) the various HowTos and
> mailing list postings re. configuring for dynamic IP, I'm getting no
> joy connecting through the cable modem. The NIC MAC address
> has been registered with BY.

More detail please. Do you get an IP address assigned from your cable modem via DHCP?

> In particular, configuring IPFW for dynamic IP (I have a
> working ruleset for fixed IP); which of NATD or UserPPP NAT is
> preferable (or easier) to configure/use and how best to
> configure the external NIC using the ISC DHCLIENT software.

Here's a partial ruleset I use that works well for me:

00005 divert 8668 ip from any to any via xl1
00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any

xl1 is the external NIC (to the cable modem), xl0 the local NIC.

>
> Rather than forward all my current configuration files,
> please could you advise which are relevant and I'll provide those.

rc.conf for now...

There is a book I found very useful - FreeBSD Unleashed, ISBN: 0-672-32206-4

These links are quite good for firewall config:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Hope this helps,

Mike

This message was written in plain text mode.
Everything below the dotted line was not
written by the author of this email.
----------------------

**********************************************************

If you are not the intended recipient, employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination or copying of this communication and its attachments is strictly prohibited.

If you have received this communication and its attachments in error, please return the original message and attachments to the sender using the reply facility on e-mail.

Internet communications are not secure and therefore the UCLES Group does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of the UCLES Group unless otherwise specifically stated.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses although this does not guarantee that this email is virus free.

**********************************************************
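The ruleset Mike posts is processed first-match, top to bottom, with the `divert` rule handing each packet on the cable-modem side to natd before the filtering rules are consulted. The following is an added example (not code from Mike's post or from FreeBSD): a small Python evaluator that parses that exact `ipfw list` output and reports which rule decides the fate of a given packet, so the effect of the `setup`/`established` pair, the resolver-only DNS rules and the ICMP rules can be checked offline. The gateway addresses in `MY_ADDRS`, the interface names as packet attributes, and every sample packet are constructed for illustration; `divert` is modelled as a pass-through flag, and stateful `keep-state` rules, fragments and address translation are deliberately not modelled.

```python
# Added example, not from the mailing-list post: a first-match evaluator for the
# ipfw(8) ruleset quoted in the reply. Addresses, interfaces and packets below are
# constructed for illustration only.
import ipaddress
from dataclasses import dataclass

# The ruleset exactly as listed in the reply (xl1 = cable modem side, xl0 = LAN side).
RULESET = """
00005 divert 8668 ip from any to any via xl1
00010 allow ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow udp from 194.168.8.100 53 to any in recv xl1
00260 allow udp from any to 194.168.8.100 53 out xmit xl1
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any out xmit xl1 setup
00401 allow tcp from any to any via xl1 established
00450 allow tcp from any to any 22 setup
00500 allow icmp from any to me via xl1 icmptype 0,3,11
00501 deny icmp from any to me via xl1 icmptype 0,8
00502 allow icmp from any to any via xl0
50000 unreach host ip from any to any
65535 deny ip from any to any
"""

# Constructed: the gateway's own addresses, which ipfw calls "me" (WAN and LAN side).
MY_ADDRS = {"192.0.2.10", "192.168.1.1"}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                       # interface the packet arrives on (in) or leaves by (out)
    direction: str                   # "in" or "out"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} for a connection request
    icmptype: int = -1


def parse_rule(line):
    """Parse one 'ipfw list' line into a dict of match criteria."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "sport": None, "dport": None,
         "via": None, "recv": None, "xmit": None, "dir": None,
         "setup": False, "established": False, "icmptype": None}
    i = 3 if r["action"] in ("divert", "unreach") else 2   # both take one argument
    r["proto"] = t[i]; i += 1
    assert t[i] == "from"; r["src"] = t[i + 1]; i += 2
    if t[i] != "to":
        r["sport"] = int(t[i]); i += 1                      # optional source port
    assert t[i] == "to"; r["dst"] = t[i + 1]; i += 2
    if i < len(t) and t[i].isdigit():
        r["dport"] = int(t[i]); i += 1                      # optional destination port
    while i < len(t):                                       # trailing options
        opt = t[i]
        if opt in ("via", "recv", "xmit"):
            r[opt] = t[i + 1]; i += 2
        elif opt in ("in", "out"):
            r["dir"] = opt; i += 1
        elif opt in ("setup", "established"):
            r[opt] = True; i += 1
        elif opt == "icmptype":
            r["icmptype"] = {int(x) for x in t[i + 1].split(",")}; i += 2
        else:
            raise ValueError("unsupported option: " + opt)
    return r


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in MY_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if not (addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)):
        return False
    if r["sport"] is not None and r["sport"] != p.sport:
        return False
    if r["dport"] is not None and r["dport"] != p.dport:
        return False
    if r["via"] and r["via"] != p.iface:                    # via: either direction
        return False
    if r["dir"] and r["dir"] != p.direction:
        return False
    if r["recv"] and not (p.direction == "in" and p.iface == r["recv"]):
        return False
    if r["xmit"] and not (p.direction == "out" and p.iface == r["xmit"]):
        return False
    if r["setup"] and not ("SYN" in p.flags and "ACK" not in p.flags):
        return False
    if r["established"] and not ({"ACK", "RST"} & p.flags):
        return False
    if r["icmptype"] is not None and p.icmptype not in r["icmptype"]:
        return False
    return True


RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]


def evaluate(p, rules=RULES):
    """Return (action, rule number, passed_through_natd) for the first matching
    terminal rule; divert hands the packet to natd and matching resumes below it."""
    diverted = False
    for r in rules:
        if not rule_matches(r, p):
            continue
        if r["action"] == "divert":
            diverted = True
            continue
        return r["action"], r["num"], diverted
    return "deny", 65535, diverted


if __name__ == "__main__":
    samples = {
        "inbound SSH SYN":        Packet("tcp", "203.0.113.5", "192.0.2.10", "xl1", "in", 40000, 22, frozenset({"SYN"})),
        "inbound HTTP SYN":       Packet("tcp", "203.0.113.5", "192.0.2.10", "xl1", "in", 40001, 80, frozenset({"SYN"})),
        "DNS reply, ISP resolver": Packet("udp", "194.168.8.100", "192.0.2.10", "xl1", "in", 53, 1025),
        "DNS reply, other server": Packet("udp", "8.8.8.8", "192.0.2.10", "xl1", "in", 53, 1025),
        "inbound ping":           Packet("icmp", "203.0.113.5", "192.0.2.10", "xl1", "in", icmptype=8),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} -> {evaluate(pkt)}")
```

Running it shows why the ruleset behaves as a simple dynamic-IP firewall: only SYNs to port 22 are admitted from the modem side, every other unsolicited inbound TCP packet falls through to rule 50000 and is answered with an ICMP host-unreachable rather than silently dropped, replies from the ISP resolver at 194.168.8.100 are admitted while UDP/53 from any other source is not, and echo requests are refused by rule 501 while the types needed for path-MTU and traceroute (3 and 11) pass. Because the divert rule matches by interface rather than by address, none of the filtering rules depends on the dynamically assigned IP.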
