Date:      Sat, 11 Dec 2004 19:20:55 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        David Banning <david+dated+1103175964.6c6a4d@skytracker.ca>
Cc:        questions@freebsd.org
Subject:   Re: gateway_enable question
Message-ID:  <20041211172055.GA3902@gothmog.gr>
In-Reply-To: <20041211054600.GB16388@skytracker.ca>
References:  <20041210013055.GA49697@skytracker.ca> <41B92C8C.8050407@yahoo.com> <20041210202014.GA12902@skytracker.ca> <41BA651B.1020905@daleco.biz> <20041211054600.GB16388@skytracker.ca>

On 2004-12-11 00:46, David Banning <david+dated+1103175964.6c6a4d@skytracker.ca> wrote:
> > Lots of guys have suggested the firewall.  On ipfw, that'd be
> > something like (put your rule number for N and sub your network
> > in for 192.168.0):
> >
> > add <<N>> deny ip from 192.168.0/24 to any out via tun0
> >
> > (I'm assuming your PPP uses the first tunnel device?)
>
> Not sure what the -first- tunnel device is;

tun0.  As seen below, you *are* using the first tun device :-)

> ------------------------
> root# ifconfig
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::220:78ff:fe0e:13d6%dc0 prefixlen 64 scopeid 0x1
>         ether 00:20:78:0e:13:d6
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
>         inet6 fe80::248:54ff:fe8c:13e5%rl0 prefixlen 64 scopeid 0x2
>         ether 00:48:54:8c:13:e5
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>         inet 127.0.0.1 netmask 0xff000000
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>         inet 209.161.205.12 --> 207.136.64.4 netmask 0xffffffff
>         Opened by PID 10689
> ----------------------------
>
> My ppp.conf sets rl0

It seems like you have a dc0 interface attached to the internal
192.168.1/24 network and rl0 attached (through tun0) to the world.

> > In another portion of this thread you stated:
> >
> > >On the firewall it is difficult to block the win boxes because I -want-
> > >each machine to be able to contact each other,  but I don't want the
> > >windows boxes to have internet connection.

Then make sure you don't forward IP packets for anyone.  The BSD box
will then allow any machine on the internal network (visible through
dc0) to use the services of the BSD server, but not anything beyond it.

This is easy to do:

	# sysctl net.inet.ip.forwarding=0

After this you should be set ;-)

If you want to be extra paranoid, you can block at the BSD box all the
packets that come from the internal dc0 network and are *not* destined
for 192.168.1/24 addresses:

	ipfw add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via dc0
	ipfw add deny ip from 192.168.1.0/24 to any
	ipfw add deny ip from any to 192.168.1.0/24

- Giorgos
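Added example, not part of the thread: a small Python model of ipfw's first-match evaluation applied to the three rules above, run against constructed sample packets built from the addresses in the ifconfig output. It ignores ports and protocol and assumes the stock default rule (rule 65535 is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT), which is why the BSD box's own outbound traffic falls through to deny unless a rule for it is added.

```python
import ipaddress

# The three ipfw rules from the message, in the order they would be added.
# ipfw evaluates rules in order and stops at the first match.
RULES = [
    "allow ip from 192.168.1.0/24 to 192.168.1.0/24 via dc0",
    "deny ip from 192.168.1.0/24 to any",
    "deny ip from any to 192.168.1.0/24",
]


def parse_rule(text):
    """Parse the subset of ipfw syntax used above:
    ACTION PROTO from SRC to DST [via IFACE]."""
    tok = text.split()
    rule = {"action": tok[0], "proto": tok[1], "src": tok[3], "dst": tok[5], "via": None}
    if len(tok) >= 8 and tok[6] == "via":
        rule["via"] = tok[7]
    return rule


def addr_match(spec, addr):
    """'any' matches everything; otherwise test CIDR membership."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, src, dst, iface, default="deny"):
    """Return the action of the first rule matching the packet.
    No match falls through to ipfw's default rule 65535, which is
    'deny' on a stock kernel (assumption: IPFIREWALL_DEFAULT_TO_ACCEPT unset)."""
    for r in (parse_rule(t) for t in rules):
        if addr_match(r["src"], src) and addr_match(r["dst"], dst) and r["via"] in (None, iface):
            return r["action"]
    return default


# Constructed sample packets; 192.168.1.50 stands in for a Windows box on the LAN.
SAMPLES = [
    ("192.168.1.50", "192.168.1.1", "dc0"),      # LAN host -> BSD server: allow
    ("192.168.1.50", "207.136.64.4", "dc0"),     # LAN host -> Internet: deny
    ("209.161.205.12", "207.136.64.4", "tun0"),  # BSD box's own traffic: default rule
]

if __name__ == "__main__":
    for src, dst, iface in SAMPLES:
        print(f"{src:>15} -> {dst:<15} via {iface}: {evaluate(RULES, src, dst, iface)}")
```

Swapping the allow rule to the end shows why order matters: the deny for 192.168.1.0/24 to any then matches LAN-to-server traffic first.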
