From: Carl Strickler <cstrickl@ifta.net>
To: freebsd-questions@FreeBSD.ORG
Subject: More IPFW questions
Date: Fri, 7 Jul 2000 08:59:41 -0700

This may sound redundant to what has already been asked, and I have read the "fine" manuals at this point, but as this could sever my company's connection to the internet if I do this wrong, I thought it best to make sure first. :]

The situation as it stands is that we have been assigned 25 IP addresses by our service provider and have a T-1 connection to the internet. Those IPs are then assigned by DHCP to the machines. Right now we only have about 28 machines that access the internet, so it's fine, but we will be moving to about 100 in a short while, so I need to get IP aliasing working.

In order to do so, as I understand it I would need to simply add:

    natd_enable="YES"      # Enable natd (if firewall_enable == YES).
    natd_interface="fxp1"  # Public interface or IPaddress to use.
    natd_flags=""          # Additional flags for natd.

to rc.conf, put:

    ipfw add 100 divert natd all from any to any via fxp1

at the beginning of rc.firewall, and change dhcpd.conf to read:

    server-identifier ifta.XXXXXXX.com;
    option domain-name "XXXXXXX.com";
    option domain-name-servers XXX.58.140.1, XXX.58.140.2;
    option routers XXX.58.141.1;
    default-lease-time 604800;
    max-lease-time 2592000;

    shared-network IFTA {
        subnet 10.10.10.0 netmask 255.255.255.0 {
            range 10.10.10.2 10.10.10.254;
        }
    }

    shared-network WORLD {
        subnet XXX.58.140.0 netmask 255.255.255.0 {
        }
    }

NOTE: The kernel has already been configured with IPFIREWALL and IPDIVERT.

QUESTIONS:

Right now the firewall denies traffic from the outside with a 10.0.0.0/8 address. Can I use the line:

    ipfw add 1500 deny log ip from 10.0.0.0/8 to any in recv fxp1

to make this keep happening, or will that deny my own packets?

Question 2: The client machines are Win9x. Is there any configuration that I have to do on them to make it so they can get out (i.e. browse the web)?

Thanks,
Carl
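Added illustration, not part of the post above or of any reply to it: a small Python model of how the divert rule at 100 and the proposed anti-spoofing rule at 1500 interact on fxp1. It is not real ipfw or natd; it assumes a constructed public address 192.0.2.10 for fxp1, a simplified natd that keeps one LAN host per remote endpoint, and an allow-everything stand-in for the rest of rc.firewall.

```python
import ipaddress

# Constructed values: the post masks its real addresses, so the public side
# of fxp1 is a documentation address here.
IFACE = "fxp1"
PUBLIC_IP = "192.0.2.10"
LAN = ipaddress.ip_network("10.0.0.0/8")
nat_state = {}   # (remote_ip, remote_port) -> LAN host; natd's translation table


def natd(pkt):
    """Simplified natd: rewrite outbound LAN sources, untranslate known replies."""
    if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) in LAN:
        nat_state[(pkt["dst"], pkt["dport"])] = pkt["src"]
        return dict(pkt, src=PUBLIC_IP)
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP:
        lan_host = nat_state.get((pkt["src"], pkt["sport"]))
        if lan_host:
            return dict(pkt, dst=lan_host)
    return pkt   # no translation state: natd hands the packet back unchanged


def ipfw(pkt):
    """Walk the two rules from the post in order; return (verdict, rule, packet)."""
    # 100 divert natd all from any to any via fxp1   ("via" matches both directions)
    if pkt["iface"] == IFACE:
        pkt = natd(pkt)            # translated packet re-enters the ruleset after 100
    # 1500 deny log ip from 10.0.0.0/8 to any in recv fxp1
    if pkt["dir"] == "in" and pkt["iface"] == IFACE \
            and ipaddress.ip_address(pkt["src"]) in LAN:
        return ("deny", 1500, pkt)
    return ("allow", 65535, pkt)   # stand-in for whatever the rest of rc.firewall allows


def scenario():
    """The three packets the question is really about: LAN out, its reply, a spoof."""
    out = ipfw({"dir": "out", "iface": IFACE, "src": "10.10.10.5", "sport": 40000,
                "dst": "203.0.113.7", "dport": 80})
    reply = ipfw({"dir": "in", "iface": IFACE, "src": "203.0.113.7", "sport": 80,
                  "dst": PUBLIC_IP, "dport": 40000})
    spoof = ipfw({"dir": "in", "iface": IFACE, "src": "10.1.2.3", "sport": 1234,
                  "dst": PUBLIC_IP, "dport": 80})
    return out, reply, spoof


if __name__ == "__main__":
    names = ("lan->world", "reply", "spoofed 10/8")
    for name, (verdict, rule, pkt) in zip(names, scenario()):
        print(f"{name:12} {verdict} by rule {rule}: {pkt['src']} -> {pkt['dst']}")
```

In this model the LAN host's own traffic leaves fxp1 outbound with the public source and its reply comes back with an external source, so neither matches rule 1500; only the packet that arrives on fxp1 already carrying a 10/8 source is denied.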