Date: Sat, 11 Dec 2004 00:46:00 -0500
From: David Banning <david+dated+1103175964.6c6a4d@skytracker.ca>
To: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Cc: questions@freebsd.org
Subject: Re: gateway_enable question
Message-ID: <20041211054600.GB16388@skytracker.ca>
In-Reply-To: <41BA651B.1020905@daleco.biz>
References: <20041210013055.GA49697@skytracker.ca> <41B92C8C.8050407@yahoo.com> <20041210202014.GA12902@skytracker.ca> <41BA651B.1020905@daleco.biz>
> Lots of guys have suggested the firewall. On ipfw, that'd be
> something like (put your rule number for N and sub your network
> in for 192.168.0):
>
> add <<N>> deny ip from 192.168.0/24 to any out via tun0
>
> (I'm assuming your PPP uses the first tunnel device?)

Not sure what the -first- tunnel device is:

------------------------
root# ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::220:78ff:fe0e:13d6%dc0 prefixlen 64 scopeid 0x1
        ether 00:20:78:0e:13:d6
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
        inet6 fe80::248:54ff:fe8c:13e5%rl0 prefixlen 64 scopeid 0x2
        ether 00:48:54:8c:13:e5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 209.161.205.12 --> 207.136.64.4 netmask 0xffffffff
        Opened by PID 10689
----------------------------

My ppp.conf sets rl0.

> In another portion of this thread you stated:
>
> >On the firewall it is difficult to block the win boxes because I -want-
> >each machine to be able to contact each other, but I don't want the
> >windows boxes to have internet connection.
>
> Now, that seems a little weird. Do you not have a hub or switch
> other than the BSD box on this network? Unless you're doing
> some strange routing or something, everybody on the wire
> ought to see everybody else regardless of the settings on the
> firewall (except they maybe won't see *it* ...)

DSL Modem <> BSD Box <> HUB <> All win boxes

Everyone does see each other. I just don't want the win boxes to see the
internet; but I -do- want them to continue to see each other.
--
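An ipfw ruleset for the topology described in this message, written as an added example by the editor rather than taken from the thread. It assumes the names visible in the ifconfig paste (LAN on dc0 as 192.168.1.0/24, PPP link on tun0) and that NAT is done by user-land ppp, which translates addresses inside the ppp process after ipfw has already seen the packet leaving tun0, so the deny rule matches the private source address. If natd(8) with a divert rule were used instead, the deny would have to be numbered below the divert rule, because after translation the packet carries the public address. ALLOWED_HOSTS, DRY_RUN and the rule numbers are the example's own choices; with DRY_RUN=1 (or without ipfw installed) the script only prints the rules it would load.

```shell
#!/bin/sh
# Block LAN hosts from the uplink while leaving the gateway itself and LAN-to-LAN
# traffic alone. Hosts behind the hub reach each other without touching the BSD
# box, so only traffic that actually crosses tun0 needs to be stopped.
# Interface names and the LAN prefix are assumed from the ifconfig output.

LAN_IF="${LAN_IF:-dc0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PPP_IF="${PPP_IF:-tun0}"
# Space-separated LAN hosts that may still use the uplink (hypothetical knob;
# empty means nobody on the LAN gets out).
ALLOWED_HOSTS="${ALLOWED_HOSTS:-}"

fw() {
    # Print the rule instead of loading it when dry-running or when ipfw is absent.
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw -q $*"
    else
        ipfw -q "$@"
    fi
}

build_ruleset() {
    fw flush
    fw add 100 allow ip from any to any via lo0
    # LAN hosts may talk to each other and to the gateway's own LAN address.
    fw add 200 allow ip from "$LAN_NET" to "$LAN_NET" via "$LAN_IF"
    fw add 210 allow ip from "$LAN_NET" to me via "$LAN_IF"
    # Per-host exceptions must come before the blanket deny.
    n=300
    for h in $ALLOWED_HOSTS; do
        fw add "$n" allow ip from "$h" to any out via "$PPP_IF"
        n=$((n + 1))
    done
    # The actual block: nothing else sourced from the LAN leaves via the PPP link.
    # "log" only produces output if the kernel has IPFIREWALL_VERBOSE; otherwise
    # the packet is still denied silently.
    fw add 400 deny log ip from "$LAN_NET" to any out via "$PPP_IF"
    # Nothing arriving on the uplink may be addressed to the private LAN either.
    fw add 410 deny log ip from any to "$LAN_NET" in via "$PPP_IF"
    # The gateway's own traffic and everything else is allowed.
    fw add 65000 allow ip from any to any
}

build_ruleset
```

Run it once with DRY_RUN=1 to read the generated rules, then without it as root; the rule numbers leave room to insert more specific allows between 300 and 400 later.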