From owner-freebsd-questions Fri Oct 8 12:52: 0 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from misha.cisco.com (misha.cisco.com [171.69.206.50]) by hub.freebsd.org (Postfix) with ESMTP id E0719153FF for ; Fri, 8 Oct 1999 12:51:55 -0700 (PDT) (envelope-from mi@misha.cisco.com)
Received: (from mi@localhost) by misha.cisco.com (8.9.3/8.9.1) id PAA57289; Fri, 8 Oct 1999 15:51:48 -0400 (EDT) (envelope-from mi)
Message-Id: <199910081951.PAA57289@misha.cisco.com>
Subject: Re: natd, ftp, two ethernet cards
In-Reply-To: <99100722400700.00924@s097-cdm44.amar.tcac.net> from Joe Huddleston at "Oct 7, 1999 10:37:13 pm"
To: Joe Huddleston
Date: Fri, 8 Oct 1999 15:51:48 -0400 (EDT)
Cc: questions@freebsd.org
Reply-To: mi@aldan.algebra.com
From: Mikhail Teterin
X-Mailer: ELM [version 2.4ME+ PL60 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Joe Huddleston once wrote:

> I am trying to set up a firewall for my home network, and am having
> problems with natd and ipfw. Would it be possible for you to email me
> a quick overview of what you did to get your gateway working?

1. Your in-house LAN must use one of the designated private network
   numbers (see RFC 1918):

       10.0.0.0    - 10.255.255.255
       172.16.0.0  - 172.31.255.255
       192.168.0.0 - 192.168.255.255

   This simplifies things tremendously, because natd knows about this
   and needs no special tweaking in this case.

2. All of your private machines need to have the gateway machine as
   their default router (this is almost always the case).

3. Now here is my example. My gateway machine has two interfaces:

       ep0 - 10.10.0.2  - on the private LAN
       ep1 - 24.218.x.x - to the cable modem

   The relevant firewall rule is:

       ipfw -q add divert natd tcp from any to any via ep1

   This means that anything that tries to get out to the outside world
   should be diverted to the natd service, where the NAT daemon is
   listening. The natd command line is "natd -n ep1 -u -s". That's it.

4. To do this nicely, through /etc/rc.conf, I would:

       natd_enable="YES"
       natd_interface="ep1"
       natd_flags="-u -s"
       firewall_enable="YES"

5. I strongly urge you to set up other firewall rules to protect your
   LAN. The amount of probes my firewall reports sometimes shocks me.
   It will also help keep your curious Internet provider from figuring
   out what OS you are running -- there are reports of @Home, for
   example, checking this and denying support to anything other than
   Windoz or MAC. Consult /etc/rc.firewall for more...

Hope this helps. Yours,

	-mi

P.S. I'm CC-ing this to questions, so that it is archived for future
generations :)
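The gateway set-up from steps 1, 3 and 5 as one rule-loading script (an added example, not Mikhail's own configuration): it refuses to load anything unless the LAN prefix is RFC 1918, diverts the outside interface to natd, and adds the anti-spoofing and default-deny rules the last step asks for. The interface names, the 10.10.0.0/16 prefix and the FWCMD variable are assumptions, and unlike the tcp-only rule in the message this diverts all IP so that UDP replies (DNS) are translated as well.

```shell
#!/bin/sh
# Added example (not from the original message): the gateway rule set from
# steps 1, 3 and 5 as one script. Interface names, the LAN prefix and FWCMD
# are assumptions; set FWCMD=echo to preview the rules instead of loading them.

: "${FWCMD:=ipfw -q}"         # firewall command; FWCMD=echo for a dry run
: "${LAN_IF:=ep0}"            # private side (10.10.0.2 in the message)
: "${WAN_IF:=ep1}"            # cable-modem side, the interface natd runs on
: "${LAN_NET:=10.10.0.0/16}"  # private LAN prefix (assumed)

# is_rfc1918 A.B.C.D: succeed only if the address is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
    case "$a" in
        10)  return 0 ;;
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
        192) [ "$b" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# load_rules: rules in the order ipfw evaluates them (first match wins)
load_rules() {
    is_rfc1918 "${LAN_NET%/*}" || { echo "LAN prefix $LAN_NET is not RFC 1918" >&2; return 1; }
    $FWCMD flush
    $FWCMD add allow ip from any to any via lo0
    $FWCMD add allow ip from any to any via "$LAN_IF"
    # anti-spoofing: private source addresses never legitimately arrive from the modem
    $FWCMD add deny ip from 10.0.0.0/8 to any in via "$WAN_IF"
    $FWCMD add deny ip from 172.16.0.0/12 to any in via "$WAN_IF"
    $FWCMD add deny ip from 192.168.0.0/16 to any in via "$WAN_IF"
    # step 3: hand everything crossing the outside interface to natd; the rules
    # below see the translated addresses
    $FWCMD add divert natd ip from any to any via "$WAN_IF"
    # LAN machines may open connections; only replies to them are let back in
    $FWCMD add allow tcp from any to any out via "$WAN_IF" setup
    $FWCMD add allow tcp from any to any established
    $FWCMD add allow udp from any to any out via "$WAN_IF"
    $FWCMD add allow udp from any 53 to any in via "$WAN_IF"   # DNS replies
    # step 5: everything else from outside is dropped and logged, so probes show up
    $FWCMD add deny log ip from any to any in via "$WAN_IF"
}

case "${1:-}" in run) load_rules ;; esac   # usage: FWCMD=echo sh natd-gw.sh run
```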