Date: Thu, 15 Mar 2001 15:14:29 -0600
From: "SF" <lists@stevenfettig.com>
To: "Rick Knebel" <rknebel@uplink.net>
Cc: <questions@freebsd.org>
Subject: Re: natd
Message-ID: <001501c0ad95$a38ad150$0100a8c0@MOBILE2>
References: <Pine.BSF.4.21.0103132041380.20395-100000@cody.jharris.com> <p05001900b6d5182ec257@[192.168.1.2]>
Rick,

Try following the directions given at http://www.mostgraveconcern.com/freebsd/ipfw.html - I found them to be especially helpful. Instead of using his firewall example, however, (because it blocked things which wouldn't allow access I wanted open), I only have the following set up in rc.ipfw (with the necessary changes to my IP's, interface names and DNS IP's):

# rc.ipfw - Firewall Rules
#
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by: D. O'Connor
# Modified: 7/18/2000.
#
# I further modified his original found at http://www.mostgraveconcern.com/freebsd/ipfw.html
# to fit my specific needs - SF 03/12/2001

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="dc0"
onet="123.45.67.0"
omask="255.255.252.0"
oip="123.45.67.89"

# Inside interface network and netmask and ip
iif="ep0"
inet="10.20.155.0"
imask="255.255.255.0"
iip="10.20.155.1"

# My ISP's DNS servers
dns1="123.45.67.8"
dns2="98.76.54.123"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
# Note: natd_interface is not set in this file. It is read from rc.conf
# (sourced above), where natd_enable="YES" and natd_interface="dc0" (or
# whatever the outside interface is) must be set for this rule to work.
${fwcmd} add divert natd all from any to any via ${natd_interface}

### TCP RULES

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

This config gives me what I consider to be an unprotected opening to the outside world (and from the outside in), but my main purpose was to set up NAT on my BSD box. You need to make sure to recompile the kernel using the options specified in the link I left here. It has worked fine for me... Hope this helps.

SF

----- Original Message -----
From: "Rick Knebel" <rknebel@uplink.net>
To: "Nick Rogness" <nick@rogness.net>
Cc: <questions@freebsd.org>
Sent: Wednesday, March 14, 2001 6:45 AM
Subject: Re: natd

> >On Tue, 13 Mar 2001, Rick Knebel wrote:
> >
> >> Hi,
> >>
> >> Right now I am using user ppp with the nat flag to allow my other
> >> machines to get out on the internet through my bsd box.
> >>
> >> I want to start using kernel ppp and natd to do the same thing.
> >>
> >> I read through everything about it in the freebsd handbook and the
> >> Complete FreeBsd book.
> >>
<snip>
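The rule set above depends on ordering in two places: the divert rule has to sit before the rules that filter on the outside interface, and the "deny log tcp ... in via ${oif} setup" catch-all has to sit before the blanket "pass tcp from any to any setup". The script below is an added example, not part of SF's mail or of the rc.ipfw it quotes, that checks those two orderings offline against an ipfw listing and reports which non-logged allow rules still accept inbound connection setups (in this rule set, the SMTP rule, which is the opening SF mentions). The listing is constructed here in roughly the shape `ipfw list` prints for the rules above; the rule numbers are the ones ipfw assigns when rules are added without an explicit number, and 8668 is natd's default divert port. The interface name dc0 is taken from the mail.

```sh
#!/bin/sh
# Added example (not from the original mail): offline ordering checks for an
# ipfw listing. SAMPLE_RULES is a constructed listing in the shape of
# `ipfw list` output for the rc.ipfw rules in the mail; dc0 is the outside
# interface named there.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via dc0
00400 allow tcp from any to any 25 setup
00500 allow log tcp from any to any 22 in via dc0 setup
00600 reset tcp from any to any 113 in via dc0 setup
00700 deny log tcp from any to any in via dc0 setup
00800 allow tcp from any to any setup
00900 allow udp from any to 123.45.67.8 53
63000 deny ip from any to 0.0.0.255:0.0.0.255 in via dc0
65535 deny ip from any to any'

# Print the number of the first rule whose body matches an extended regexp
# ($1 = listing, $2 = ERE); prints nothing when no rule matches.
first_rule_matching() {
    printf '%s\n' "$1" | awk -v re="$2" '
        { num = $1; $1 = ""; body = substr($0, 2) }
        body ~ re { print num + 0; exit }'
}

# Check 1: the divert rule must come before every other rule that filters
# on the outside interface. After natd rewrites an inbound packet, ipfw
# resumes at the rule after the divert, so only later rules see the
# translated addresses. ($1 = listing, $2 = outside interface)
divert_precedes_oif_rules() {
    divert=$(first_rule_matching "$1" "^divert .* via $2")
    [ -n "$divert" ] || return 1
    printf '%s\n' "$1" | awk -v d="$divert" -v oif="$2" '
        $1 + 0 < d && $0 ~ ("via " oif) { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Check 2: the catch-all "deny log tcp ... in via oif setup" must precede
# the blanket "allow tcp from any to any setup"; the other way round, every
# inbound connection attempt from outside would be accepted.
inbound_catchall_before_blanket_allow() {
    deny=$(first_rule_matching "$1" "^deny( log)? tcp from any to any in via $2 setup\$")
    allow=$(first_rule_matching "$1" '^allow tcp from any to any setup$')
    [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]
}

# Check 3: print the numbers of non-logged "allow tcp ... setup" rules that
# inbound packets reach before the catch-all deny: rules saying "in via oif"
# explicitly, and rules with no direction or interface at all (those match
# both directions). Logged allows have "log" in field 3, so they are skipped.
silent_inbound_allows() {
    printf '%s\n' "$1" | awk -v oif="$2" '
        $2 == "deny" && $0 ~ ("tcp from any to any in via " oif " setup$") { exit }
        $2 == "allow" && $3 == "tcp" && / setup$/ {
            if ($0 ~ ("in via " oif) || $0 !~ / (in|out|via) /) print $1 + 0
        }'
}

# Run all three checks and print a verdict line for each.
audit_ruleset() {
    if divert_precedes_oif_rules "$1" "$2"; then
        echo "ok:   divert natd precedes the other $2 rules"
    else
        echo "WARN: divert natd missing or placed after $2 rules"
    fi
    if inbound_catchall_before_blanket_allow "$1" "$2"; then
        echo "ok:   inbound setup catch-all deny precedes the blanket allow"
    else
        echo "WARN: blanket allow precedes (or lacks) the inbound catch-all deny"
    fi
    for n in $(silent_inbound_allows "$1" "$2"); do
        echo "note: rule $n accepts inbound connection setups without logging"
    done
}

audit_ruleset "$SAMPLE_RULES" dc0
```

On a live box the same functions can be fed `"$(ipfw list)"` instead of the constructed listing; the third check is deliberately about rule text only, so a rule it reports is one to read, not necessarily one to remove.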