Date: Mon, 09 Jan 2006 00:14:54 -0500
From: Brian Bobowski <bbobowski@gmail.com>
To: FreeBSD User Questions List <freebsd-questions@freebsd.org>
Subject: Setting up a FreeBSD gateway (more detail) and IPFW
Message-ID: <43C1F14E.3010808@gmail.com>
In-Reply-To: <43BC097C.4000401@gmail.com>
References: <43BC097C.4000401@gmail.com>
Thanks to those who replied to my previous call for help. Now I think it's time I actually provide some relevant detail.

I've got two computers - one is my workstation, one is my server / gateway-to-be. My outside connection is via a hub to a cable modem; currently I have my workstation rigged directly to it with no problems. I'll go over what I've done so far, and hope that if I've made a glaring error someone will be able to point it out.

- I have two NICs: ed0 and rl0. ed0 will be connected to my workstation, rl0 to the hub and thence the Internet.
- I've configured a custom kernel per the directions in the handbook on NAT - that is, IPFIREWALL and IPDIVERT are in there.
- I have the various options set in rc.conf, with natd_interface="rl0".
- To set up the NICs, I have ifconfig_ed0="192.168.0.1" and ifconfig_rl0="DHCP". I'll set my workstation to use 192.168.0.2 if I can figure out why it's locking my NIC / IP settings (that's a WinXP issue).
- In my named.conf, under forwarders, I set one of my ISP's DNS servers. (Is it possible, and if so, beneficial, to put more than one entry there? My ISP gives me four.) I'm only running a caching DNS, so I otherwise left named.conf alone.
- I've run the make-localhost script in /etc/namedb.
- I've put named_enable="YES" in rc.conf as well.

Ideally, I'd like to be able to leave my workstation's network settings alone, and set up DHCP; however, a look over the ports suggests that's far more trouble than it's worth for a single client that doesn't really need such flexibility.

I don't have any servers running on my workstation, so I've no need to allow traffic from the 'net to get through the firewall to the LAN (servers on the gateway itself are another matter). However, the firewall is still my biggest challenge.

To get set up and running, since I don't currently know the ports for every single thing I might use (and some things I telnet to are on nonstandard ports anyway), I'm probably going to use the example ruleset #2 for IPFW with NAT, except that until such time as I know a little more detail about what I need to block, I'll be assuming that anything from the workstation is good traffic. That rule, however, is causing me some concern, and I'd like to confirm that it has a good chance of working before I go to the smoke test. Thus, inserting at the appropriate point into the last example given on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html the best I can cobble together is:

    $cmd allow all from 192.168.0.2 to any out via $pif setup keep-state

Will this allow my workstation unhindered access to the Internet without opening it to every single inbound port? I'm a little confused here. I don't think I need anything but Apache (i.e. port 80 TCP) and SSL (22 TCP) inbound; the MySQL server is strictly internal, so the stock ruleset otherwise seems pretty good to me. I can open up secure HTTP if I get that working, based on the rules already there.

Please send replies directly to me.

Thanks in advance,
-BB
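An added illustration of how the `setup keep-state` rule quoted above behaves, written as a small Python model of IPFW's stateful matching; it is not from the post or the FreeBSD handbook. It assumes the handbook ruleset's shape (a `check-state` entry first, the workstation rule, inbound allows for TCP 22 and 80 to the gateway, and a final deny), that natd has already rewritten addresses before the rules run, and uses constructed sample addresses.

```python
from dataclasses import dataclass

LAN_HOST = "192.168.0.2"   # the workstation in the post
PIF = "rl0"                # the post's public interface ($pif)
GATEWAY_SERVICES = (22, 80)  # inbound TCP the gateway itself accepts


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out" as seen by the gateway
    iface: str
    syn: bool = False
    ack: bool = False


class Firewall:
    """Model of the ruleset: check-state, LAN rule, gateway services, deny."""

    def __init__(self):
        self.dynamic = set()   # 5-tuples created by keep-state

    def check_state(self, p):
        # A dynamic rule matches traffic in both directions of the flow.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def lan_out_rule(self, p):
        # "allow all from 192.168.0.2 to any out via $pif setup keep-state"
        # 'setup' only ever matches a TCP SYN without ACK, so despite 'all'
        # this rule never matches UDP or ICMP from the workstation.
        if p.src != LAN_HOST or p.direction != "out" or p.iface != PIF:
            return False
        if p.proto != "tcp" or not (p.syn and not p.ack):
            return False
        self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def decide(self, p):
        if self.check_state(p) or self.lan_out_rule(p):
            return "allow"
        if (p.direction == "in" and p.iface == PIF and p.proto == "tcp"
                and p.dport in GATEWAY_SERVICES and p.syn and not p.ack):
            return "allow"   # handbook-style inbound allow for gateway services
        return "deny"        # everything else hits the final deny
```

Feeding it an outbound SYN from 192.168.0.2, the reply to that flow, and an unsolicited inbound SYN to the workstation shows why the rule does not open inbound ports, and why non-TCP traffic from the workstation needs a rule of its own.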