Date: Thu, 22 Jan 2004 11:25:42 -0700
From: James Earl <jearl@telus.net>
To: Rishi Chopra <rchopra@cal.berkeley.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Port Forwarding
Message-ID: <1074795942.57363.79.camel@work>
In-Reply-To: <400FBA0B.5010606@cal.berkeley.edu>
References: <400C44D8.6010408@cal.berkeley.edu> <1074547363.889.16.camel@work> <400CA94F.2040807@cal.berkeley.edu> <1074618156.8101.21.camel@work> <400FBA0B.5010606@cal.berkeley.edu>
If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE' should be no different than using 'OPEN' from your win2k's perspective. This is assuming you don't have a broken rc.firewall file. Looking at your original post, your sample was missing the 'onet' variable.

        # set these to your outside interface network and netmask and ip
        oif="rl0"
        onet="???.???.???.???"
        omask="255.255.255.0"    <-- make sure this is right!!!
        oip="me"

        # set these to your inside interface network and netmask and ip
        iif="rl1"
        inet="192.168.0.1"
        imask="255.255.255.0"
        iip="192.168.0.1"

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel configuration. I use:

        options IPFIREWALL
        options IPFIREWALL_VERBOSE
        options IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the Handbook. IPFIREWALL_VERBOSE allows you to get helpful information in /var/log/security. If you are having troubles with connectivity, look in /var/log/security to see if it shows what's being blocked and by what rule.

Hope this helps.

James

On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
>
> I've configured my Win2k box to contact DNS directly, and both Direct
> Connect and VNC Server are running smoothly (port forwarding is being
> accomplished (per your suggestion) by natd.conf).
>
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm
> protection of its own); this is truly the only sticking point. I'm
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides
> an additional layer of protection to the gateway by preventing certain
> spoofing attacks. Unfortunately, I seem unable to switch the firewall
> type without crippling my Win2k box's functionality. Perhaps I'll give
> it a go again sometime in the future.
>
> Here's a copy of the relevant files:
>
> //natd.conf
>
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
>
> //rc.conf
>
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
>
> -R
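As an added example that is not part of this thread, the following Python script does what James suggests when 'SIMPLE' breaks connectivity: read /var/log/security, find which packets were denied and by which rule, and cross-check them against the redirect_port lines of the natd.conf Rishi posted. The log lines below are constructed samples (hostnames, addresses and timestamps are made up); the "ipfw: <rule> <action> <proto> src:port dst:port in|out via iface" layout is the one IPFIREWALL_VERBOSE writes, assumed here rather than taken from the thread. The natd.conf text is a copy of the one above, embedded so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample of /var/log/security lines in the layout that
# IPFIREWALL_VERBOSE produces (addresses, times and rule numbers are made up).
SAMPLE_SECURITY_LOG = """\
Jan 22 11:20:01 usha /kernel: ipfw: 300 Deny TCP 203.0.113.7:41022 192.168.0.2:5900 in via rl0
Jan 22 11:20:03 usha /kernel: ipfw: 300 Deny TCP 203.0.113.7:41023 192.168.0.2:5800 in via rl0
Jan 22 11:20:09 usha /kernel: ipfw: 300 Deny TCP 198.51.100.4:53412 192.168.0.2:412 in via rl0
Jan 22 11:21:15 usha /kernel: ipfw: 65000 Deny UDP 198.51.100.9:137 192.168.0.1:137 in via rl0
Jan 22 11:21:30 usha /kernel: ipfw: 65000 Deny TCP 203.0.113.7:41050 192.168.0.1:22 in via rl0
Jan 22 11:21:31 usha /kernel: ipfw: 50 Accept TCP 192.168.0.2:1034 198.51.100.4:80 out via rl0
"""

# Copy of the natd.conf posted in the thread, embedded so this runs offline.
SAMPLE_NATD_CONF = """\
unregistered_only
interface rl0
use_sockets
dynamic
redirect_port tcp 192.168.0.2:5800 5800
redirect_port tcp 192.168.0.2:5900 5900
redirect_port tcp 192.168.0.2:412 412
redirect_port tcp 192.168.0.2:1412 1412
punch_fw 2000:50
"""

# ipfw log line: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
# Only TCP and UDP are matched; ICMP lines carry no ports and are skipped.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per TCP/UDP ipfw log line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = IPFW_LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def parse_natd_redirects(text):
    """Map (proto, target_ip, target_port) -> alias_port for each redirect_port line.

    natd syntax: redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT [...]
    Port ranges and remote-host restrictions are not handled in this example.
    """
    redirects = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "redirect_port":
            continue
        proto = parts[1].upper()
        target_ip, target_port = parts[2].rsplit(":", 1)
        alias_port = parts[3].rsplit(":", 1)[-1]
        redirects[(proto, target_ip, int(target_port))] = int(alias_port)
    return redirects


def blocked_redirects(entries, redirects):
    """Count denied inbound flows whose destination is a natd redirect target.

    Inbound packets hit the divert rule before the rest of the ruleset, so by
    the time a later rule logs a Deny the destination is already the inside
    host and port named in redirect_port; that is what is matched here.
    """
    hits = Counter()
    for e in entries:
        if e["action"] != "Deny" or e["direction"] != "in":
            continue
        if (e["proto"], e["dst"], e["dport"]) in redirects:
            hits[(e["rule"], e["proto"], e["dport"])] += 1
    return hits


def denies_by_rule(entries):
    """Count Deny lines per rule number: a quick view of which rule is biting."""
    return Counter(e["rule"] for e in entries if e["action"] == "Deny")


if __name__ == "__main__":
    entries = parse_ipfw_log(SAMPLE_SECURITY_LOG)
    redirects = parse_natd_redirects(SAMPLE_NATD_CONF)
    for (rule, proto, dport), n in sorted(blocked_redirects(entries, redirects).items()):
        print(f"rule {rule} denied {n} {proto} packet(s) to redirected port {dport}")
    for rule, n in sorted(denies_by_rule(entries).items()):
        print(f"rule {rule}: {n} deny line(s)")
```

On a real gateway, replace the embedded strings with the contents of /var/log/security and /etc/natd.conf; a redirected port showing up under a Deny rule points at the rc.firewall rule that needs adjusting, while denies to ports you never redirected (like the 137/udp line in the sample) are the noise 'SIMPLE' is meant to drop.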