Date: Fri, 18 Jul 2003 11:00:27 +0300 From: "Vitali Malicky" <life@zone3000.net> To: "Frans-Jan v. Steenbeek" <FST777@phreaker.net>, <freebsd-questions@freebsd.org> Subject: Re: building a routing machine Message-ID: <003801c34d02$a679f670$2401010a@zone3000.net> References: <1058500610.260.8.camel@FST777>
> Hi folks,
hi, man.
>
> I've enabled routed on both systems, (-s on the webserver, -q on the
it's not necessary at all!
set your default router in rc.conf (ask your University admin about its IP)
you just look at "sysctl -a net.inet.ip.forwarding"
if it equals "0" then "sysctl -w net.inet.ip.forwarding=1"
(in rc.conf this variable is set by gateway_enable="YES")
then you need a natd
just "touch /etc/natd.conf" and edit it so that it contains something like
log yes
#log_denied yes
port 8668
use_sockets yes
same_ports yes
unregistered_only yes
alias_address ???.???.???.??? #your PUBLIC IP
###
#EOF
###
run natd "/sbin/natd -f /etc/natd.conf &"
edit /etc/rc.firewall to contain approximately the following
#!/bin/sh
/bin/echo -n "Firewall... "
#################### Flush All Chains And Pipes ########################
 /sbin/ipfw -q -f flush
 /sbin/ipfw -q -f pipe flush
#################### lo0 ###########################################
 /sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
#################### public #########################################
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0 #change fxp0 to your NIC name
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0 #change fxp0 to your NIC name
#################### Firewall (icmp) ###################################
# /sbin/ipfw -q add 65527 deny icmp from any to ${LocalNET}
# /sbin/ipfw -q add 65528 deny icmp from ${LocalNET} to any
 /sbin/ipfw -q add 65529 allow icmp from any to any
#################### Firewall Logging ###########################
 /sbin/ipfw -q add 65530 deny log all from any to any ipopt rr
 /sbin/ipfw -q add 65531 deny log all from any to any ipopt ts
 /sbin/ipfw -q add 65532 deny log all from any to any ipopt ssrr
 /sbin/ipfw -q add 65533 deny log all from any to any ipopt lsrr
 /sbin/ipfw -q add 65534 deny log all from any to any
############
echo " configured."
###
(this is a fragment of my ip.firewall which is too long to quote here...)
and execute the file (chmod 500 rc.firewall, you know, first... ;))
it should work. if not, ufff... then you will have to rebuild the FBSD
kernel with IPDIVERT, IPFIREWALL and things, and things, and things... and
repeat what's said above...
I envy you if you're gonna do the kernel rebuild for the first time :) it's a
fascinating, absorbing and captivating procedure like playing chess with a
very strong chessplayer :)
see here
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
and good luck!!!
--
Error Code=-1 Continue?
              Yes | No
--
> desktop) but that doesn't seem to be enough. I've read something about
> routing and gateways in the handbook, but I didn't quite get it. So can
> anyone help me out?
>
> Please CC me, I'm not (anymore) a user on this list. Thanks!
>
> --
> tcGB <>< Fi-Ji ><>
>
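An added configuration checker (not part of the original mail) for the mistakes the recipe above invites: the two divert rules naming different NICs, the ???.???.???.??? placeholder left in natd.conf, source-route options or the final catch-all deny missing. It parses constructed rc.firewall and natd.conf samples modelled on the quoted ones; 'em0' is a hypothetical NIC name used only to trigger the mismatch check.

```python
import re

# Constructed samples shaped like the mail's two files; 'em0' is a hypothetical
# second NIC name, included only to trigger the interface-mismatch check.
RC_FIREWALL = """
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit em0
/sbin/ipfw -q add 65533 deny log all from any to any ipopt lsrr
/sbin/ipfw -q add 65534 deny log all from any to any
"""
NATD_CONF = "log yes\nport 8668\nalias_address ???.???.???.??? #your PUBLIC IP\n"
RULE_RE = re.compile(r"ipfw\s+(?:-\S+\s+)*add\s+(\d+)\s+(\S.*)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def audit_firewall(text):
    """Return a list of findings for an rc.firewall fragment (empty = all checks passed)."""
    rules = []                              # (number, words), comments stripped
    for line in text.splitlines():
        m = RULE_RE.search(line.split("#", 1)[0])
        if m:
            rules.append((int(m.group(1)), m.group(2).split()))
    rules.sort()                            # ipfw evaluates rules in number order
    findings, divert = [], {}
    for _, w in rules:                      # which NIC each natd divert rule hooks
        for d in ("recv", "xmit"):
            if w[:2] == ["divert", "natd"] and d in w[:-1]:
                divert[d] = w[w.index(d) + 1]
    if set(divert) != {"recv", "xmit"}:
        findings.append("natd divert rule missing for inbound or outbound traffic")
    elif divert["recv"] != divert["xmit"]:
        findings.append("divert rules name different NICs: %s vs %s" % (divert["recv"], divert["xmit"]))
    for opt in ("ssrr", "lsrr"):            # source-routed packets must be dropped
        if not any(w[0] == "deny" and w[-2:] == ["ipopt", opt] for _, w in rules):
            findings.append("no deny rule for source-routed packets (ipopt %s)" % opt)
    if not rules or rules[-1][1][0] != "deny" or rules[-1][1][-4:] != ["from", "any", "to", "any"]:
        findings.append("highest-numbered rule is not a catch-all deny")
    return findings

def audit_natd(text):
    """Check natd.conf for a real alias_address and for unregistered_only yes."""
    conf, findings = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    if not IPV4_RE.match(conf.get("alias_address", "")):
        findings.append("alias_address is not an IPv4 address (placeholder left in?)")
    if conf.get("unregistered_only") != "yes":
        findings.append("unregistered_only missing: natd would rewrite every source address")
    return findings
```

Run both auditors over the samples and every finding names the line to fix; an empty list from each means the gateway's NAT hook and default-deny are in place.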
