From owner-freebsd-questions Thu Jan 17 13:50:54 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp1.mx.pitdc1.stargate.net (smtp1.mx.pitdc1.stargate.net [206.210.69.141])
	by hub.freebsd.org (Postfix) with SMTP id D365737B41F
	for ; Thu, 17 Jan 2002 13:50:14 -0800 (PST)
Received: (qmail 7144 invoked from network); 17 Jan 2002 21:50:06 -0000
Received: from dap-209-166-133-235.nfas.greensburg-tnt-2.sns234.pa.stargate.net (HELO wastegate.net) (209.166.133.235)
	by smtp1.mx.pitdc1.stargate.net with SMTP; 17 Jan 2002 21:50:06 -0000
Received: from mother.wastegate.net (mother.wg.local [192.168.1.2])
	by wastegate.net (Postfix) with SMTP id 2A1FB48449;
	Thu, 17 Jan 2002 16:50:29 -0500 (EST)
From: "Doug Reynolds"
To: "freebsd-questions" , "Steve Brown"
Date: Thu, 17 Jan 2002 16:52:20 -0500
Reply-To: "Doug Reynolds"
X-Mailer: PMMail 2000 Professional (2.20.2380) For Windows 98 (4.10.2222)
In-Reply-To: <3C462B19.10005@prayforwind.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Converting dialup firewall to DHCP
Message-Id: <20020117215029.2A1FB48449@wastegate.net>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 16 Jan 2002 20:38:33 -0500, Steve Brown wrote:

>Hello there,
>
>I succeeded in putting together a firewall thanks to this article:
>
>http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html
>
>works great over dialup or PPPoE.
>
>But now I'm on a BB router (DHCP) and it no longer works. (on boot I get
>lots of "warning: tun0 does not exist" errors) How do I convert it for
>use with DHCP?

You'll have to change all the tun0 entries to the network interface you
have your DHCP connected to.

>Here's what I've got:
>
>in kernel config:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100 # number logs kept, pick num
> options IPDIVERT
>
>in /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/firewall/fwrules"
> natd_enable="YES"
> natd_interface="tun0"
here
> natd_flags="-dynamic"
>
>here's /etc/firewall/fwrules:
>
> # Firewall rules
> # Written by Marc Silver (marcs@draenor.org)
> # http://draenor.org/ipfw
> # Freely distributable
>
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0
>
> # Allow all data from my network card and localhost. Make sure you
> # change your network card (mine was vr0) before you reboot. :)
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via vr0
>
> # Allow all connections that I initiate.
> $fwcmd add allow tcp from any to any out xmit tun0 setup
here
> # Once connections are made, allow them to stay open.
> $fwcmd add allow tcp from any to any via tun0 established
here
> # Everyone on the internet is allowed to connect to the following
> # services on the machine. This example specifically allows connections
> # to ssh and apache.
> $fwcmd add allow tcp from any to any 80 setup
> $fwcmd add allow tcp from any to any 22 setup
>
> # This sends a RESET to all ident packets.
> $fwcmd add reset log tcp from any to any 113 in recv tun0
here
> # Allow outgoing DNS queries ONLY to the specified servers.
> $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit tun0
> $fwcmd add allow udp from any to yyy.yyy.yyy.yyy 53 out xmit tun0
here
> # Allow them back in with the answers... :)
> # (both resolvers need a return rule, or answers from the second one are dropped)
> $fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv tun0
> $fwcmd add allow udp from yyy.yyy.yyy.yyy 53 to any in recv tun0
here
> # Allow NTP
> $fwcmd add allow udp from any to aaa.aaa.aaa.aaa 123 out xmit tun0
> $fwcmd add allow udp from any to bbb.bbb.bbb.bbb 123 out xmit tun0
> $fwcmd add allow udp from aaa.aaa.aaa.aaa to any in recv tun0
> $fwcmd add allow udp from bbb.bbb.bbb.bbb to any in recv tun0
here
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add 65435 allow icmp from any to any
>
> # Deny all the rest.
> $fwcmd add 65435 deny log ip from any to any

---
doug reynolds | the maverick | mav@wastegate.net
PGP Public Key Fingerprint: 6E7B 9993 B503 6D45 E33A 2019 26E5 C1DB

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
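Doug's answer carried through on the whole of Steve's script, as an added example that is not part of this thread or of the dialup-firewall article. The external interface name lives in one variable (assumed here to be fxp0, with vr0 as the LAN card; use whatever ifconfig shows on your box), so no rule names tun0 and the same name goes into natd_interface in /etc/rc.conf. Beyond the quoted script it adds two rules for the DHCP client itself (UDP 68 to 67 out and 67 to 68 back in on the external interface), since lease renewals are ordinary unicast UDP and are subject to these rules; the resolver and NTP addresses stay as the xxx/yyy/aaa/bbb placeholders from the post and must be replaced with real ones. The ICMP allow is left unnumbered so ipfw places it ahead of the explicit 65435 deny.

```shell
#!/bin/sh
# /etc/firewall/fwrules for a DHCP-attached external interface.
#
# Added example, not the script from the article or the thread. The one
# change the DHCP move needs is that every rule naming tun0 must name the
# Ethernet interface holding the DHCP lease instead; this version keeps
# that name in a single variable and never hard-codes it in a rule.
# In /etc/rc.conf set natd_interface to the same name.

fw_ext="${FW_EXT:-fxp0}"            # assumed: NIC that gets the DHCP lease
fw_int="${FW_INT:-vr0}"             # assumed: LAN NIC (vr0 in the post)
fwcmd="${FWCMD:-/sbin/ipfw}"
dns1="${FW_DNS1:-xxx.xxx.xxx.xxx}"  # placeholders from the post: replace
dns2="${FW_DNS2:-yyy.yyy.yyy.yyy}"
ntp1="${FW_NTP1:-aaa.aaa.aaa.aaa}"
ntp2="${FW_NTP2:-bbb.bbb.bbb.bbb}"

# rules_for EXT INT prints the rule bodies, one per line, in load order.
# Comment and blank lines are stripped so the output feeds "ipfw add".
rules_for() {
    ext=$1; int=$2
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' <<EOF
# NAT everything crossing the external interface (natd_interface="$ext").
divert natd all from any to any via $ext
# Trusted sides: loopback and the LAN card.
allow ip from any to any via lo0
allow ip from any to any via $int
# DHCP client traffic. With an address that can change, lease renewals
# are unicast UDP 68->67 and must pass, or the lease eventually expires.
allow udp from any 68 to any 67 out xmit $ext
allow udp from any 67 to any 68 in recv $ext
# Connections this host initiates, and their return traffic.
allow tcp from any to any out xmit $ext setup
allow tcp from any to any via $ext established
# Services offered to the internet (ssh and apache).
allow tcp from any to any 80 setup
allow tcp from any to any 22 setup
# Reset ident probes instead of letting them time out.
reset log tcp from any to any 113 in recv $ext
# DNS to the named resolvers only, and both resolvers' answers back in.
allow udp from any to $dns1 53 out xmit $ext
allow udp from any to $dns2 53 out xmit $ext
allow udp from $dns1 53 to any in recv $ext
allow udp from $dns2 53 to any in recv $ext
# NTP, same pattern.
allow udp from any to $ntp1 123 out xmit $ext
allow udp from any to $ntp2 123 out xmit $ext
allow udp from $ntp1 to any in recv $ext
allow udp from $ntp2 to any in recv $ext
# ICMP, then the explicit catch-all deny just below ipfw's default rule.
allow icmp from any to any
65435 deny log ip from any to any
EOF
}

# tun0_refs EXT INT counts rules still naming tun0; must print 0 after the
# move (it prints 0 only when EXT itself is not tun0).
tun0_refs() {
    rules_for "$1" "$2" | grep -c 'tun0' || true
}

# load_rules flushes the current set and adds the generated rules.
load_rules() {
    $fwcmd -f flush
    rules_for "$fw_ext" "$fw_int" | while read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        $fwcmd add $rule
    done
}

if [ -x "$fwcmd" ]; then
    load_rules
else
    # Not a FreeBSD host with ipfw: print what would be loaded instead.
    rules_for "$fw_ext" "$fw_int" | sed 's/^/ipfw add /'
fi
```

Drop this in as /etc/firewall/fwrules with `firewall_script` pointing at it, set `ifconfig_fxp0="DHCP"` and `natd_interface="fxp0"` in /etc/rc.conf (keeping `natd_flags="-dynamic"` so natd follows the address when the lease changes), and check with `sh -c 'FWCMD=/nonexistent sh /etc/firewall/fwrules'` that the printed rule list contains no tun0 before rebooting. The same script still serves a PPP link with `FW_EXT=tun0`.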