From: Steve Brown
Date: Wed, 16 Jan 2002 20:38:33 -0500
To: freebsd-questions
Subject: Converting dialup firewall to DHCP

Hello there,

I succeeded in putting together a firewall thanks to this article:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html

Works great over dialup or PPPoE. But now I'm on a BB router (DHCP) and it no longer works. (On boot I get lots of "warning: tun0 does not exist" errors.) How do I convert it for use with DHCP?
Here's what I've got:

In kernel config:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100 # number logs kept, pick num
options IPDIVERT

In /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"

Here's /etc/firewall/fwrules:

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was vr0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via vr0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit tun0
$fwcmd add allow udp from any to yyy.yyy.yyy.yyy 53 out xmit tun0

# Allow them back in with the answers... :)
# (Each server listed above needs its own return rule, otherwise the
# second server's replies fall through to the final deny.)
$fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv tun0
$fwcmd add allow udp from yyy.yyy.yyy.yyy 53 to any in recv tun0

# Allow NTP
$fwcmd add allow udp from any to aaa.aaa.aaa.aaa 123 out xmit tun0
$fwcmd add allow udp from any to bbb.bbb.bbb.bbb 123 out xmit tun0
$fwcmd add allow udp from aaa.aaa.aaa.aaa to any in recv tun0
$fwcmd add allow udp from bbb.bbb.bbb.bbb to any in recv tun0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest. (Reusing rule number 65435 is fine: ipfw keeps
# both rules and checks them in the order they were added.)
$fwcmd add 65435 deny log ip from any to any
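The same ruleset reworked for an Ethernet uplink that gets its address by DHCP, as an added example that is not the poster's script nor the article's: every tun0 reference becomes the router-facing NIC, natd_interface in rc.conf must name that same NIC, and the DHCP lease exchange itself has to be let through because the external address is not known when the rules load. The `fwrules` function, the NIC names (dc0 facing the router, vr0 on the LAN) and the DNS/NTP placeholder addresses are assumptions.

```shell
# Added example: dialup ruleset adapted to a DHCP Ethernet uplink.
# Usage: fwrules <ext_if> [lan_if] [ipfw command]   e.g. fwrules dc0 vr0
# Pass "echo" as the third argument to print the rules instead of loading them.
fwrules() {
    ext_if=$1                   # NIC facing the broadband router (assumed: dc0)
    lan_if=${2:-vr0}            # inside NIC, as in the posted rules
    fwcmd=${3:-/sbin/ipfw}
    dns1=xxx.xxx.xxx.xxx; dns2=yyy.yyy.yyy.yyy   # placeholders, as in the post
    ntp1=aaa.aaa.aaa.aaa; ntp2=bbb.bbb.bbb.bbb

    $fwcmd -f flush
    # NAT now hangs off the Ethernet uplink; natd_interface in rc.conf must match.
    $fwcmd add divert natd all from any to any via $ext_if
    # Loopback and the inside LAN are trusted.  The uplink NIC is NOT listed here.
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via $lan_if
    # DHCP: client port 68 <-> server port 67, needed for the lease and renewals.
    $fwcmd add allow udp from any 68 to any 67 out xmit $ext_if
    $fwcmd add allow udp from any 67 to any 68 in recv $ext_if
    # TCP we initiate, and the established traffic that follows.
    $fwcmd add allow tcp from any to any out xmit $ext_if setup
    $fwcmd add allow tcp from any to any via $ext_if established
    # Services exposed to the Internet (ssh and apache, as in the post).
    $fwcmd add allow tcp from any to any 80 setup
    $fwcmd add allow tcp from any to any 22 setup
    $fwcmd add reset log tcp from any to any 113 in recv $ext_if
    # DNS and NTP pinned to the configured servers, with a return rule for each.
    for s in $dns1 $dns2; do
        $fwcmd add allow udp from any to $s 53 out xmit $ext_if
        $fwcmd add allow udp from $s 53 to any in recv $ext_if
    done
    for s in $ntp1 $ntp2; do
        $fwcmd add allow udp from any to $s 123 out xmit $ext_if
        $fwcmd add allow udp from $s 123 to any in recv $ext_if
    done
    $fwcmd add 65435 allow icmp from any to any
    $fwcmd add 65435 deny log ip from any to any
}
```

If the box has only one NIC and vr0 is now the interface plugged into the router, pass it as ext_if and drop the blanket allow via the LAN interface, or the whole firewall is bypassed.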