From owner-freebsd-questions@FreeBSD.ORG Sat Dec 11 17:21:21 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC9DD16A4CE for ; Sat, 11 Dec 2004 17:21:21 +0000 (GMT)
Received: from rosebud.otenet.gr (rosebud.otenet.gr [195.170.0.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 97A4243D48 for ; Sat, 11 Dec 2004 17:21:19 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-b186.otenet.gr [212.205.244.194]) iBBHKua0008124; Sat, 11 Dec 2004 19:20:57 +0200
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.13.1/8.13.1) with ESMTP id iBBHKtKr003940; Sat, 11 Dec 2004 19:20:55 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.13.1/8.13.1/Submit) id iBBHKtOB003939; Sat, 11 Dec 2004 19:20:55 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Date: Sat, 11 Dec 2004 19:20:55 +0200
From: Giorgos Keramidas
To: David Banning
Message-ID: <20041211172055.GA3902@gothmog.gr>
References: <20041210013055.GA49697@skytracker.ca> <41B92C8C.8050407@yahoo.com> <20041210202014.GA12902@skytracker.ca> <41BA651B.1020905@daleco.biz> <20041211054600.GB16388@skytracker.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041211054600.GB16388@skytracker.ca>
cc: questions@freebsd.org
Subject: Re: gateway_enable question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 11 Dec 2004 17:21:21 -0000

On 2004-12-11 00:46, David Banning wrote:
> > Lots of guys have suggested the firewall. On ipfw, that'd be
> > something like (put your rule number for N and sub your network
> > in for 192.168.0):
> >
> > add <> deny ip from any 192.168.0/24 to any out via tun0
> >
> > (I'm assuming your PPP uses the first tunnel device?)
>
> Not sure what the -first- tunnel device is; tun0.

As seen below, you *are* using the first tun device :-)

> ------------------------
> root# ifconfig
> dc0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::220:78ff:fe0e:13d6%dc0 prefixlen 64 scopeid 0x1
>         ether 00:20:78:0e:13:d6
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> rl0: flags=8843 mtu 1500
>         inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
>         inet6 fe80::248:54ff:fe8c:13e5%rl0 prefixlen 64 scopeid 0x2
>         ether 00:48:54:8c:13:e5
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810 mtu 1500
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>         inet 127.0.0.1 netmask 0xff000000
> tun0: flags=8051 mtu 1492
>         inet 209.161.205.12 --> 207.136.64.4 netmask 0xffffffff
>         Opened by PID 10689
> ----------------------------
>
> My ppp.conf sets rl0

It seems like you have a dc0 interface attached to the internal
192.168.1/24 network and rl0 attached (through tun0) to the world.

> > In another portion of this thread you stated:
> >
> > >On the firewall it is difficult to block the win boxes because I -want-
> > >each machine to be able to contact each other, but I don't want the
> > >windows boxes to have internet connection.

Then make sure you don't forward IP packets for anyone. The BSD box
will then allow any machine on the internal network (visible through
dc0) to use the services of the BSD server, but not anything beyond
it. This is easy to do:

    # sysctl net.inet.ip.forwarding=0

After this you should be set ;-)

If you want to be extra paranoid, you can block at the BSD box all the
packets that come from the internal dc0 network and are *not* destined
for 192.168.1/24 addresses:

    ipfw add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via dc0
    ipfw add deny ip from 192.168.1.0/24 to any
    ipfw add deny ip from any to 192.168.1.0/24

- Giorgos
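The mail recommends two layers: turning off net.inet.ip.forwarding so the box never relays packets for the Windows machines, and, as extra paranoia, three ipfw rules that keep 192.168.1/24 traffic on dc0. The following is an added example, not code from the thread or from FreeBSD: a small first-match evaluator for exactly those rules, combined with a model of the forwarding sysctl, so the policy can be checked offline before it is loaded on the gateway. The addresses 192.168.1.1 and 209.161.205.12 and the interface names come from the quoted ifconfig output; 192.168.1.50 (a Windows box) and 198.51.100.7 (an outside host) are constructed sample addresses, and the Packet model (source, destination, interface the packet is seen on) is a simplification of what ipfw actually matches on.

```python
"""Offline check of the lockdown described in the mail (added example)."""
import ipaddress
import re
from typing import NamedTuple, Optional

# ipfw action words and the verdict each maps to. "block" is pf syntax,
# not ipfw, so a rule using it is rejected instead of silently ignored.
_ACTIONS = {"allow": "allow", "accept": "allow", "pass": "allow",
            "permit": "allow", "deny": "deny", "drop": "deny"}

# Subset of ipfw syntax sufficient for the three rules in the mail:
#   [ipfw] add [number] <action> ip from <net|any> to <net|any> [via <iface>]
_RULE_RE = re.compile(
    r"^(?:ipfw\s+)?add\s+(?:(\d+)\s+)?(\w+)\s+ip\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+via\s+(\S+))?$")


class Rule(NamedTuple):
    action: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    via: Optional[str]                    # None means any interface


class Packet(NamedTuple):
    src: str
    dst: str
    iface: str  # interface the packet enters or leaves on


def _net(token: str):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    m = _RULE_RE.match(text.strip())
    if not m or m.group(2) not in _ACTIONS:
        raise ValueError(f"not a supported ipfw rule: {text!r}")
    _number, action, src, dst, via = m.groups()
    return Rule(_ACTIONS[action], _net(src), _net(dst), via)


def firewall_verdict(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; 'default' stands in for the
    final rule 65535 (deny on a stock kernel)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.via is not None and r.via != pkt.iface:
            continue
        return r.action
    return default


def host_verdict(rules, pkt: Packet, local_addrs, forwarding: bool,
                 default: str = "deny") -> str:
    """Combine the firewall with net.inet.ip.forwarding: a packet not
    addressed to one of the box's own addresses is only passed on when
    forwarding is enabled, even if the firewall would allow it."""
    if firewall_verdict(rules, pkt, default) == "deny":
        return "deny"
    if pkt.dst in local_addrs:
        return "deliver-locally"
    return "forward" if forwarding else "drop-not-forwarding"


# The three rules suggested in the mail, as text, fed through the parser.
RULES = [parse_rule(r) for r in (
    "ipfw add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via dc0",
    "ipfw add deny ip from 192.168.1.0/24 to any",
    "ipfw add deny ip from any to 192.168.1.0/24",
)]

# Addresses the BSD box itself holds, per the quoted ifconfig output.
LOCAL_ADDRS = {"192.168.1.1", "209.161.205.12", "127.0.0.1"}


def demo(forwarding: bool = False, rules=RULES, default: str = "deny"):
    """Verdicts for three constructed sample flows."""
    cases = {
        "win->bsd": Packet("192.168.1.50", "192.168.1.1", "dc0"),
        "win->internet": Packet("192.168.1.50", "198.51.100.7", "dc0"),
        "internet->win": Packet("198.51.100.7", "192.168.1.50", "tun0"),
    }
    return {name: host_verdict(rules, p, LOCAL_ADDRS, forwarding, default)
            for name, p in cases.items()}


if __name__ == "__main__":
    print("sysctl only  :", demo(forwarding=False, rules=[], default="allow"))
    print("forwarding on:", demo(forwarding=True, rules=[], default="allow"))
    print("rules + off  :", demo())
```

Running it shows the point of the mail: with forwarding off and no firewall rules at all, the Windows box can still reach the BSD server but its packets for the outside are dropped; turning forwarding back on lets them through, and the three ipfw rules then deny them regardless of the sysctl. Note that the rule set only expresses the internal-network policy and is meant to sit on top of whatever rules the box already has for its own traffic on rl0/tun0; anything not covered falls through to the default rule.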