Date: Thu, 18 Mar 1999 22:28:28 -0800
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: freebsd-questions <freebsd-questions@FreeBSD.org>
Subject: Re: Simple FIREWALL
Message-ID: <4.1.19990318221137.00a9fee0@mail-r>
In-Reply-To: <36F1E189.DB9D7961@tampabay.rr.com>
References: <Pine.BSF.4.05.9902182301050.346-100000@stardust.bzzzz.com>
Brian Budnick wrote:
> I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in
> it. The ethernet cards are set up as follows:
>
> ed1: ip: 209.90.111.199 netmask: 255.255.255.192
> pn0: ip: 10.0.0.1 netmask: 255.255.255.0
>
> I'm trying to get a simple firewall up to protect several computers on our
> network. I want it so that whenever we access the web from like 10.0.0.2
> it goes thru 10.0.0.1 and then that machine will be the gateway to the
> Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from
> the 10.0.0.2 machines, etc.

The 10.0.0.0/8 subnet is special. See below.

> I did the following to the server 209.90.111.199 to get it to work:
>
> /etc/defaults/rc.conf (looks as follows):
>
> <snip>
>
> ### Network routing options: ###
> defaultrouter="NO"          # Set to default gateway (or NO).

This NO needs to be changed to the IP of your gateway.

> gateway_enable="YES"        # Set to YES if this host will be a gateway.

Good.

> hostname="myname.my.domain" # Set this!

Set this!

> firewall_enable="YES"       # Set to YES to enable firewall functionality
> firewall_type="simple"      # Firewall type (see /etc/rc.firewall)
> firewall_quiet="NO"         # Set to YES to suppress rule display

OK.

> natd_enable="NO"            # Enable natd (if firewall_enable == YES).
> natd_interface="fxp0"       # Public interface to use with natd.
> natd_flags=""               # Additional flags for natd.

You're going to want to read the natd manpage and then set natd_enable to
YES, as well as set the other natd_ settings.

> tcp_extensions="NO"         # Disallow RFC1323 extensions (or YES).
> network_interfaces="lo0"    # List of network interfaces (lo0 is loopback).
> ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.

You need to add the other interfaces in here. Examples:

network_interfaces="lo0 ed1 pn0"
ifconfig_ed1="inet 209.90.111.199 netmask 255.255.255.192"
ifconfig_pn0="inet 10.0.0.1 netmask 255.255.255.0"

> ---
>
> in my /etc/rc.firewall (under the simple section my configuration reads):
>
> # set these to your outside interface network and netmask and ip
> oif="ed1"
> onet="209.90.111.199/24"
> omask="255.255.255.192"
> oip="209.90.111.199"
>
> # set these to your inside interface network and netmask and ip
> iif="pn0"
> inet="10.0.0.1/24"
> imask="255.255.255.0"
> iip="10.0.0.1"

<<snip>>

NATD alters packets' source or destination IPs after it receives them, so
your firewall rules _may_ need to be changed.

>> On bootup when it displays the rulesets it seems to have a problem with
>> one of them but I'm not sure which one.

Do 'ipfw list' from the command prompt, then look at your rc.firewall and
see which rule is missing.

>> I tried to set up a workstation as follows:
>> ip: 10.0.0.2
>> subnetmask: 255.255.255.0
>> gateway: 10.0.0.1
>>
>> I could ping 10.0.0.1, of course I couldn't ping outside our network, but
>> I couldn't telnet, I couldn't do web, or irc, or anything...

The 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 subnets are special,
"unregistered" subnets, specified as such by RFC 1918. This means that no
organization or person may have a network using these IPs connected directly
to the Internet without going through some kind of proxy or firewall. The
reason is that there are no routes set up for these subnets. So your telnet,
http, or irc traffic goes out, but not back.

What NATD does (in a nutshell) is it listens on your outside network
interface, waiting for packets bound for the Internet to come through. When
they do, it alters them so that they appear to be coming from your gateway
machine (209.90.111.199). The packets go out to the Internet, and then some
server responds and the packets come back to 209.90.111.199. NATD sees the
packets come in on 209.90.111.199 from that server, remembers that it sent
stuff to that server earlier from 10.0.0.2, then alters the packets so that
the destination address is 10.0.0.2, and sends them on their way to 10.0.0.2.

So... read 'man natd', make changes to your rc.conf like I suggested above,
and let us know if you still have trouble.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
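Added example, not part of the thread: a small Python checker that parses an rc.conf fragment and reports the settings Ludwig's reply says must change for a two-interface NAT gateway like this one (defaultrouter, natd_enable, natd_interface, network_interfaces and the ifconfig_ lines). The rc.conf text is constructed from the values quoted above; the interface names ed1/pn0 are taken from the post and the function names are this example's own.

```python
import ipaddress
import re
# Constructed rc.conf fragment with the values the original poster quoted
# (the broken starting point, not a working configuration).
POSTED_RC_CONF = """
defaultrouter="NO"          # Set to default gateway (or NO).
gateway_enable="YES"        # Set to YES if this host will be a gateway.
firewall_enable="YES"
natd_enable="NO"            # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"       # Public interface to use with natd.
network_interfaces="lo0"
ifconfig_lo0="inet 127.0.0.1"
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def parse_rc_conf(text):
    """Return the key="value" assignments in an rc.conf fragment as a dict."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])   # drop trailing comments
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_gateway_conf(text, outside_if, inside_if):
    """List the problems the thread identifies in a NAT gateway's rc.conf."""
    c = parse_rc_conf(text)
    problems = []
    if c.get("defaultrouter", "NO") == "NO":
        problems.append("defaultrouter must be the upstream gateway's IP, not NO")
    if c.get("gateway_enable") != "YES":
        problems.append("gateway_enable must be YES for the host to forward packets")
    if c.get("firewall_enable") == "YES" and c.get("natd_enable") != "YES":
        problems.append("natd_enable must be YES so inside hosts get replies")
    if c.get("natd_interface") != outside_if:
        problems.append(f"natd_interface must be the outside interface {outside_if}")
    ifaces = c.get("network_interfaces", "").split()
    for ifn in (outside_if, inside_if):
        if ifn not in ifaces:
            problems.append(f"{ifn} is missing from network_interfaces")
        elif f"ifconfig_{ifn}" not in c:
            problems.append(f"no ifconfig_{ifn} line for {ifn}")
    # An RFC 1918 inside address is unroutable from the Internet: natd must hide it.
    words = c.get(f"ifconfig_{inside_if}", "").split()
    if "inet" in words and c.get("natd_enable") != "YES":
        addr = ipaddress.ip_address(words[words.index("inet") + 1])
        if any(addr in net for net in RFC1918):
            problems.append(f"{addr} is RFC 1918 space; replies cannot route back without natd")
    return problems
```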