Date: Mon, 9 Apr 2001 21:26:23 -0500 From: Mike Meyer <mwm@mired.org> To: Lowell Gilbert <lowell@world.std.com>, michael@tenzo.com Cc: questions@freebsd.org Subject: Re: How to specify external network for firewall/NAT when IP is dynamically assigned Message-ID: <15058.28495.979447.568693@guru.mired.org> In-Reply-To: <27023896@toto.iv>
next in thread | previous in thread | raw e-mail | index | archive | help
Lowell Gilbert <lowell@world.std.com> types: > michael@tenzo.com (Michael O'Henly) writes: > > I'm attempting to set up a simple firewall for my home network. I have a > > FreeBSD box with two NICs, one connected to the internet via cable modem and > > the other to an internal network on which there are two Macs. My external IP > > is assigned by DHCP. I'm not running any services that I want accessible to > > external users, or any from which I'd want to block internal users. > > > > I've read a lot of docs over the last few days on how to do this and I think > > I have the basics straight -- but for this question: > > > > In /etc/rc.firewall (simple section), I'm asked to identify my networks. > > Since my IP is dynamically assigned, how do I specify my outside network > > interface? Here's the format (replacing 1.2.3.444/24 with actual values)... > Assuming that you only *have* one external IP address (and, thus, are > doing NAT), there isn't really much in there that needs to specify your > IP address anyway. Most of the references to the IP address are only > there to specify that incoming connections are okay to the firewall > machine, but not to other machines on the inside; this check is useless > if the internal addresses aren't visible on the outside anyway. Exactly. If you check rc.firewall, there are two references to "onet". The one that defines it, and one that disables packets claiming to be from the outside world coming in on your internal interface. > Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for > specifying addresses, and you can use this to refer to your address > without needing to rebuild those rules if that address changes. > However, as I said earlier, this is of somewhat limited usefulness if > you've only got one address anyway. "me" doesn't really help in this case. It matches the ip addresses for the system, not the network address range that's being used here. Another recent addition is "not". If all traffic coming from inside should be from ${inet}:${imask}, you can do the spoof block using not and your internal network address like so: ${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif} This is a bit broader block than the one in rc.firewall, and it may not be appropriate in all cases. If you're managing a network large enough for it not to be appropriate - well, you probbly wouldn't be asking the questions you're asking. <mike -- Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15058.28495.979447.568693>