From owner-freebsd-questions Wed Apr 14 13:52:54 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32])
	by hub.freebsd.org (Postfix) with ESMTP id 11CB01570C
	for ; Wed, 14 Apr 1999 13:52:48 -0700 (PDT)
	(envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost)
	by resnet.uoregon.edu (8.8.8/8.8.8) with ESMTP id NAA06974;
	Wed, 14 Apr 1999 13:50:24 -0700 (PDT)
	(envelope-from dwhite@resnet.uoregon.edu)
Date: Wed, 14 Apr 1999 13:50:24 -0700 (PDT)
From: Doug White
To: Thomas Uhrfelt
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: Gating - IPFilter etc.
In-Reply-To: <01BE85C6.6ECE8680.thomas.uhrfelt@plymovent.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 13 Apr 1999, Thomas Uhrfelt wrote:

> The reason for changing the router's IP is that I don't want to change all
> the clients as we don't use DHCP.

... but you have to change all the machines anyway, so why not?

> I was planning to use IPFilter+IFNAT on the FreeBSD box to accomplish this
> task. So now I need to know if there is any good beginners documentation on
> IPFilter + IFNAT and/or if it's possible at all to accomplish this using
> these tools. I also want to put in rather restrictive rules on what is
> allowed to be passed through the BSD box, so I need a pretty elaborate doc
> on the IPFilter's capabilities (easy to understand wouldn't be bad either).

The knobs you need are in rc.conf; you can tune the firewall config in
/etc/rc.firewall. I suggest leaving the firewall 'open' for now -- it is
more secure than it sounds, since nothing can traverse natd into the
network without an existing connection.

> Anyone care to enlighten me on this subject?

natd, ipfw, rc.conf manpages.

> PS: The later changes will pretty much only involve a static IP on the
> other side of the router and a hardware VPN solution (if anyone can
> direct me to a VPN solution for FreeBSD that is good, that would also be
> appreciated) DS.

What do you want to VPN? If you have NT boxen, AltaVista Tunnel is a cool
solution that is NATD-friendly (where MS PPTP is not).

Doug White
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
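
The rc.conf knobs referred to in the reply above, shown as an added example that is not part of the original message: a natd gateway using the stock 'open' ipfw ruleset. The interface name fxp0 is an assumption (substitute the outside interface), and the kernel is assumed to be built with the IPFIREWALL and IPDIVERT options.

```sh
# /etc/rc.conf fragment (added example; fxp0 is an assumed outside interface)
gateway_enable="YES"      # forward packets between interfaces
firewall_enable="YES"     # load ipfw rules from /etc/rc.firewall at boot
firewall_type="open"      # stock ruleset that passes all traffic
natd_enable="YES"         # start natd; rc.firewall then adds a divert rule
natd_interface="fxp0"     # outside interface whose address natd aliases to
natd_flags=""             # extra natd(8) options, e.g. -deny_incoming to drop
                          # inbound packets with no translation-table entry
```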