From owner-freebsd-questions Thu Feb 9 10:09:31 1995
Return-Path: questions-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id KAA14649 for questions-outgoing; Thu, 9 Feb 1995 10:09:31 -0800
Received: from vinny.cecer.army.mil (vinny.cecer.army.mil [129.229.40.2]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id KAA14641 for ; Thu, 9 Feb 1995 10:09:26 -0800
Received: (from richards@localhost) by vinny.cecer.army.mil (8.6.9/8.6.9) id MAA05985; Thu, 9 Feb 1995 12:08:57 -0600
Date: Thu, 9 Feb 1995 12:08:57 -0600
From: Matt Richards
Message-Id: <199502091808.MAA05985@vinny.cecer.army.mil>
To: ugen@netvision.net
Subject: RE: Firewall help
Cc: questions@FreeBSD.org
Content-Type: X-sun-attachment
Sender: questions-owner@FreeBSD.org
Precedence: bulk

----------
X-Sun-Data-Type: text
X-Sun-Data-Description: text
X-Sun-Data-Name: text
X-Sun-Content-Lines: 79

----- Begin Included Message -----

>From ugen@netvision.net.il Wed Feb 8 12:00:03 1995
Date: Wed, 8 Feb 95 10:32:46 IST
From: "Ugen J.S.Antsilevich"
Subject: RE: Firewall help
To: Matt Richards
X-Mailer: Chameleon 4.00-Arm-25, TCP/IP for Windows, NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 2069

>The gateway option is compiled in the kernel. Routed is running (I tried the
>-q (default) and then the -s option). I couldn't find any documentation on
>setting up FreeBSD as a firewall or router. Any information on how to set
>up a machine as a firewall would be greatly appreciated.

>Hmm.. very strange behavior... I will check things and see what happens. For now
>could you say if:
> You are able to traceroute something via both network interfaces???

How do I choose which interface to use when I traceroute through to something? Traceroute doesn't have a -I for interface that I can find.

> You are able to ping from outside and telnet to both interfaces?
I can ping each interface and telnet to each interface when they are both on the same net, but when I separate ed0 and ed1 and make ed0 on the net and ed1 a test network with a single machine attached to it, I can't telnet to ed1 or any other machine past the FreeBSD machine, but I can telnet from any machine on the net to ed0 but not to ed1.

>Did you try to disable routed and add manually static routes at the beginning?

How do I add static routes manually?

>And describe more precisely your configuration so I'll be able to help. I am
>working on a FAQ about IP gateways, firewalling and stuff but it goes slow along with
>other jobs... Besides my english is bad

Do I need a gateways file in /etc? I tried to make one and it did nothing that I could tell. I tried several configurations, finally ending with the following not doing anything visible:

host 129.229.40.152 gateway 129.229.40.151 metric 0 active
host 129.229.40.151 gateway 129.229.40.152 metric 0 active

I feel like I'm shooting in the dark because I can't quite figure out what is required to get the two cards working together.

I have two Eagle NE2000+ (the real thing, not a clone NIC) cards installed:

ed0 at 0x280-0x29f irq 5 on isa
ed1 at 0x300-0x31f irq 10 on isa

Attached is the IPFIREWALL config file I used to compile the kernel.

I placed a hostname.ed0 and hostname.ed1 in /etc to assign different IP numbers to each interface at bootup.

hostname.ed0 reads: 129.229.40.151 netmask 0xffffff00
hostname.ed1 reads: 129.229.40.152 netmask 0xffffff00

Both ed0 and ed1 ifconfig at bootup. These IP numbers are unique and are not used by any other machine. I added the IP numbers and hostnames to /etc/hosts.

I changed the following in /etc/netstart:

routedflages=-q to routedflages=-s
and
#gated=YES to gated=YES

Do I need to change /etc/networks at all to reflect what I've done?
Thanks for the help,
Matt

----------
X-Sun-Data-Type: default
X-Sun-Data-Description: default
X-Sun-Data-Name: IPFIREWALL
X-Sun-Content-Lines: 78

#
# IPFIREWALL -- Sample Generic kernel suitable for building an IP firewall.
#
#       IPFIREWALL,v 1.2 1994/11/13 10:17:07 gibbs Exp
#

machine         "i386"
cpu             "I486_CPU"
ident           IPFIREWALL
maxusers        10

options         INET                    #InterNETworking
options         FFS                     #Berkeley Fast File System
options         NFS                     #Network File system
options         PROCFS                  #Process filesystem
options         "COMPAT_43"             #Compatible with BSD 4.3
options         UCONSOLE                #X Console support
options         "SCSI_DELAY=15"         #Be pessimistic about Joe SCSI device
options         "NCONS=4"               #4 virtual consoles
options         BOUNCE_BUFFERS          #include support for DMA bounce buffers
options         USERCONFIG              #Allow user configuration with -c
options         GATEWAY                 #Pass packets
options         IPFIREWALL              #firewall code
options         IPFIREWALL_VERBOSE      #print information about dropped packets
options         IPBROADCASTECHO=1       #send reply to broadcast pings
options         IPMASKAGENT=1           #send reply to icmp mask requests

config          kernel  root on wd0 swap on wd0 and wd1 and sd0 and sd1 dumps on wd0

controller      isa0

controller      fdc0    at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
disk            fd0     at fdc0 drive 0
disk            fd1     at fdc0 drive 1

controller      wdc0    at isa? port "IO_WD1" bio irq 14 vector wdintr
disk            wd0     at wdc0 drive 0
disk            wd1     at wdc0 drive 1

controller      pci0
controller      ncr0

controller      aha0    at isa? port "IO_AHA0" bio irq ? drq 5 vector ahaintr
controller      scbus0

device          sd0
device          sd1
device          sd2
device          sd3

device          st0
device          st1

device          cd0     #Only need one of these, the code dynamically grows

device          wt0     at isa? port 0x300 bio irq 5 drq 1 vector wtintr
device          mcd0    at isa? port 0x300 bio irq 10 vector mcdintr

device          sc0     at isa? port "IO_KBD" tty irq 1 vector scintr
device          npx0    at isa? port "IO_NPX" irq 13 vector npxintr

device          sio0    at isa? port "IO_COM1" tty irq 4 vector siointr
device          sio1    at isa? port "IO_COM2" tty irq 3 vector siointr

device          lpt0    at isa? port? tty irq 7 vector lptintr

device          ed0     at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr
device          ed1     at isa? port 0x300 net irq 10 iomem 0xcc000 vector edintr

pseudo-device   loop
pseudo-device   ether
pseudo-device   log
pseudo-device   ppp     2
pseudo-device   sl      2
pseudo-device   pty     16
pseudo-device   speaker
pseudo-device   gzip            # Exec gzipped a.out's
pseudo-device   bpfilter        1
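An added example, not part of the message above and not FreeBSD code: a small Python checker that parses /etc/hostname.IF lines in the form quoted in the message (address plus hex netmask), reports interface pairs whose subnets overlap, and shows which interfaces a longest-prefix match treats as directly connected for a given destination. Run on the two quoted lines (129.229.40.151 and 129.229.40.152, both with netmask 0xffffff00) it reports that ed0 and ed1 are on the same 129.229.40.0/24 network, so any destination in that range ties between the two cards; a router needs each directly connected network on exactly one interface to forward between them. The second configuration (10.0.0.1/24 on ed1) is a constructed illustration of a non-overlapping layout, not a setting from the page.

```python
import ipaddress

# The two /etc/hostname.IF lines quoted in the message above.
QUOTED_CONFIG = {
    "ed0": "129.229.40.151 netmask 0xffffff00",
    "ed1": "129.229.40.152 netmask 0xffffff00",
}

# Constructed alternative (assumed, not from the page): the test network behind
# ed1 numbered from a separate range so the two interfaces are on distinct subnets.
CONSTRUCTED_CONFIG = {
    "ed0": "129.229.40.151 netmask 0xffffff00",
    "ed1": "10.0.0.1 netmask 0xffffff00",
}


def parse_hostname_file(line):
    """Parse 'ADDR [netmask MASK]' as written in /etc/hostname.IF.

    MASK may be dotted-quad or hex (0xffffff00, the form used in the message).
    Without a netmask the address is treated as a single host (/32).
    """
    tokens = line.split()
    addr = tokens[0]
    mask = "255.255.255.255"
    for i, tok in enumerate(tokens):
        if tok == "netmask" and i + 1 < len(tokens):
            mask = tokens[i + 1]
    if mask.lower().startswith("0x"):
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def parse_config(config):
    """Map interface name -> IPv4Interface for a dict of hostname.IF lines."""
    return {name: parse_hostname_file(line) for name, line in config.items()}


def find_overlaps(config):
    """Return (ifA, ifB, netA, netB) for every interface pair whose subnets overlap."""
    ifaces = parse_config(config)
    names = sorted(ifaces)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a, net_b = ifaces[a].network, ifaces[b].network
            if net_a.overlaps(net_b):
                overlaps.append((a, b, str(net_a), str(net_b)))
    return overlaps


def route_candidates(config, dest):
    """Interfaces a longest-prefix match considers directly connected for dest.

    More than one name means the choice is a tie: the kernel will pick one of
    them, and hosts that are actually on the other wire become unreachable.
    """
    ifaces = parse_config(config)
    dest = ipaddress.IPv4Address(dest)
    matches = [(iface.network.prefixlen, name)
               for name, iface in ifaces.items() if dest in iface.network]
    if not matches:
        return []
    best = max(prefixlen for prefixlen, _ in matches)
    return sorted(name for prefixlen, name in matches if prefixlen == best)


def report(config):
    """Human-readable findings, one line per problem (or one 'ok' line)."""
    lines = []
    for a, b, net_a, net_b in find_overlaps(config):
        lines.append(f"{a} ({net_a}) and {b} ({net_b}) overlap: "
                     f"destinations in that range tie between both interfaces")
    if not lines:
        lines.append("no overlapping subnets: each connected network maps to one interface")
    return lines


if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED_CONFIG), ("constructed", CONSTRUCTED_CONFIG)):
        print(f"[{label}]")
        for line in report(cfg):
            print("  " + line)
        print("  candidates for 129.229.40.200:", route_candidates(cfg, "129.229.40.200"))
        print("  candidates for 10.0.0.5:", route_candidates(cfg, "10.0.0.5"))
```

The check is deliberately independent of the kernel: it only needs the hostname.IF text, so it can be run against a proposed addressing plan before any card is reconfigured. Once every connected network maps to a single interface, static routes (or routed) have something unambiguous to work with.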