From owner-freebsd-hackers Wed Jan 8 11:21:12 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA24141 for hackers-outgoing; Wed, 8 Jan 1997 11:21:12 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA24133 for ; Wed, 8 Jan 1997 11:21:09 -0800 (PST)
Received: (from uucp@localhost) by nic.follonett.no (8.8.3/8.8.3) with UUCP id UAA13959; Wed, 8 Jan 1997 20:19:52 +0100 (MET)
Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id UAA26550; Wed, 8 Jan 1997 20:19:08 +0100 (MET)
Message-Id: <3.0.32.19970108202141.009be270@dimaga.com>
X-Sender: eivind@dimaga.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 08 Jan 1997 20:21:42 +0100
To: HawkeWerks Multimedia
From: Eivind Eklund
Subject: Re: FreeBSD as an ISDN Router
Cc: hackers@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 10:48 AM 1/8/97 -0600, you wrote:
>I've got a small network of 5 PCs, one of which is a 486/100 with 32 MB
>RAM and FreeBSD. I would like to put a Motorola Bitsurfer ISDN TA in it,
>and use this box as a router to the Internet for the other boxes. All the
>other machines are Windoze 95 and NT, and I would like to have them talk
>to the Internet through the 486. Any suggestions? Is this possible?

Definitely the routing; I don't know about the ISDN card. Tell me if it works well for you; I'm switching to ISDN in a couple of weeks.

>The routing will be over PPP, with dynamic IPs. (I'll just use the
>192.0.2.* subnet for the internal routing.)

I'm presently doing just that (modem instead of ISDN, but this shouldn't make a difference), using PPP+pktAlias 1.6. This is available from http://www.srv.net/~cmott/alias.html

From this base, I've upgraded the base PPP version to 2.1.6 with security patches. (Patches similar to the official ones, but done by yours truly.) The upgrade was simple - all changes were to different files.

In addition, I've got a new version of alias.c from Charles Mott, the author. It fixes a problem with FTP from the machine running PPP+pktAlias to other machines on the PPP-side subnet. (I.e., it didn't affect the 192.0.0.x net at all, but with a dynamic IP of e.g. 194.198.43.149 I couldn't FTP to 194.198.43.25.)

PPP+pktAlias handles reverse protocols for FTP only; there is no support for e.g. IRC. (IRC works, but you cannot use DCC to send files.)

Apart from PPP+pktAlias I have two things worth mentioning - Apache 1.1.1 running as a web proxy, and firewalling to disallow connections from the rest of the world to the server when connected via PPP.

The Apache web proxy works fine for HTTP, and badly for FTP. I've just turned the proxy off for FTP, and let each machine do that itself.

My firewalling script has some kludges because I want to talk to my ISP, and I want to route from the 192.* to the world. I get a dynamic IP in the upper half of 194.198.43.x, and I trust the lower half (local to the ISP, good security). The script follows; it was written two days ago, and might still be buggy. I had to change it just today to allow FTP from the 192.0.0.x boxes...

#!/bin/sh
## Clear the old setup
ipfw flush

## Allow everything within the 192 local network (will also allow the
## proxied stuff)
ipfw add allow ip from 192.0.0.0/24 to any
ipfw add allow ip from any to 192.0.0.0/24

## Allow to 194.198.43.0-127 (machines at Follonett; this range does NOT
## include the dynamic IP of this box)
ipfw add allow ip from any to 194.198.43.0/25
ipfw add allow ip from 194.198.43.0/25 to any

## Set up for our dynamic IP address, in the upper half of
## 194.198.43.* (ie, 194.198.43.128-255)
## ipfw stops at the first matching rule, so the TCP rejects have to come
## before the broad "allow ... 1024-65535" below, or they never fire.
# Reject all privileged ports (1-1023; 1024 is the first unprivileged port)
ipfw add reject tcp from any to 194.198.43.128/25 1-1023
# Reject X11 control ports
ipfw add reject tcp from any to 194.198.43.128/25 6000-6063
# Inbound TCP to unprivileged ports allowed (this is what lets the
# replies to our outbound connections back in)
ipfw add allow tcp from any to 194.198.43.128/25 1024-65535
# Connections within the dynamic IPs disallowed
ipfw add reject all from 194.198.43.128/25 to 194.198.43.128/25
# Generic connections outwards allowed
ipfw add allow all from 194.198.43.128/25 to any
# Allow DNS and NTP.
ipfw add allow udp from any 53,123 to 194.198.43.128/25 53,123
## Allow traceroute (must precede the generic UDP reject to have any effect)
ipfw add allow udp from any 33434-33534 to any 33434-33534
# Reject all unspecified UDP
ipfw add reject udp from any to 194.198.43.128/25 1-65535
# Allow FTP data connects from port 20 (somewhat insecure, but very convenient)
ipfw add allow tcp from any 20 to 194.198.43.128/25 1024-65535
## Allow all ICMP (for ping)
ipfw add allow icmp from any to any
## Done

I run this from /etc/netstart - and your kernel must be compiled with "options IPFIREWALL" for this to work. You'll probably want "options IPFIREWALL_VERBOSE" too, to be able to log what triggers which rules.

>The box is currently running 2.1.5-RELEASE.

My box is running 2.1.6 (compiled over parts of 2.1.5 over an initial 2.1.0 :)

Well, hope that helped. Feel free to ask if anything is unclear.

BTW: If anybody feels like commenting on how I should change the firewall script, please do.

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/
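As an added example (my code, not part of the message or of ipfw), a small first-match simulator for the rule syntax used in the script above. It takes the dynamic-IP block in the order the author originally listed it, plus a copy with the rejects moved ahead of the broad allow, and shows that the X11 and traceroute rules only take effect in the reordered version. The outside host 10.1.2.3 and the probe packets are constructed.

```python
import ipaddress
# Dynamic-IP block of the posted script, in the order its author listed it. ipfw is
# first-match, so a later reject only acts on traffic no earlier rule already accepted.
RULES = """
allow tcp from any to 194.198.43.128/25 1024-65535
reject all from 194.198.43.128/25 to 194.198.43.128/25
allow all from 194.198.43.128/25 to any
allow udp from any 53,123 to 194.198.43.128/25 53,123
reject udp from any to 194.198.43.128/25 1-65535
reject tcp from any to 194.198.43.128/25 1-1024
reject tcp from any to 194.198.43.128/25 6000-6063
allow tcp from any 20 to 194.198.43.128/25 1024-65535
allow icmp from any to any
allow udp from any 33434-33534 to any 33434-33534
""".strip().splitlines()

def parse_ports(spec):
    """'53,123' -> {53, 123}; '1024-65535' -> that range; None -> any port (returns None)."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(text):
    """Parse 'ACTION PROTO from SRC [ports] to DST [ports]', the syntax used in the script."""
    t = text.split()
    f, to = t.index("from") + 1, t.index("to") + 1
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return {"action": t[0], "proto": t[1], "src": net(t[f]), "dst": net(t[to]),
            "sport": parse_ports(t[f + 1] if to - 2 > f else None),
            "dport": parse_ports(t[to + 1] if len(t) > to + 1 else None)}

def first_match(rules, proto, src, sport, dst, dport):
    """Return (1-based rule number, action) of the first rule the packet hits, else None."""
    port_ok = lambda allowed, p: allowed is None or p in allowed
    for num, r in enumerate(rules, 1):
        if (r["proto"] in ("all", "ip", proto)
                and ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]
                and port_ok(r["sport"], sport) and port_ok(r["dport"], dport)):
            return num, r["action"]
    return None  # no rule matched: ipfw's default policy decides
POSTED = [parse_rule(line) for line in RULES]
# Same rules with the TCP rejects moved ahead of the broad allow and traceroute ahead of the UDP reject.
REORDERED = [POSTED[i] for i in (5, 6, 0, 1, 2, 3, 9, 4, 7, 8)]
# Constructed probes (10.1.2.3 is a made-up outside host): X11 connect and inbound traceroute.
X11 = ("tcp", "10.1.2.3", 40000, "194.198.43.200", 6000)
TRACEROUTE = ("udp", "10.1.2.3", 33434, "194.198.43.200", 33434)
```

In the posted order the X11 probe is accepted by rule 1 and the traceroute probe is rejected by rule 5; after reordering they hit the X11 reject and the traceroute allow respectively.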