Date: Tue, 30 Mar 2004 09:15:48 +0100
From: Wayne Pascoe <freebsd-feb@penguinpowered.org>
To: Odhiambo Washington <wash@wananchi.com>, FBSD-Q <freebsd-questions@freebsd.org>
Subject: Re: Using IPFW/NAT with multiport PCI cards
Message-ID: <20040330081548.GB26996@marvin.penguinpowered.org>
In-Reply-To: <20040330080616.GD62890@ns2.wananchi.com>
References: <20040330080616.GD62890@ns2.wananchi.com>
On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).
>
> Is this doable? (I hope someone has done this before). I would say I am
> a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
> Any minute gotchas/clues will be highly appreciated. URL links
> pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really...
Here's an example that would allow FTP to one network and HTTP to
another...

    ${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
    ${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

    ${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow.
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some?

--
Wayne Pascoe
BSD is for people who love UNIX; Linux is for people who hate Windows
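The approach in the reply above, grown to four protected networks, as an added example that is not part of the original message: a default-deny ruleset generator that exposes one service per network on the external interface, blocks every protected network from reaching the others, and lets each of them out statefully. Interface names (xl0 external, xl1 to xl4 internal) and address ranges are constructed assumptions; the natd divert rule is deliberately left out, since its placement relative to keep-state rules is a separate matter.

```shell
#!/bin/sh
# Added example (not from the original post): generate a default-deny ipfw
# ruleset for one external interface and several isolated internal networks.
# Interface names and address ranges are assumptions (constructed).
# NAT (natd divert) is deliberately left out: its placement relative to
# keep-state rules is a separate topic.
FWCMD="${FWCMD:-/sbin/ipfw}"
EXT_IF="xl0"
# one "interface network" pair per protected segment
INTERNAL="xl1 192.168.1.0/24
xl2 192.168.2.0/24
xl3 192.168.3.0/24
xl4 192.168.4.0/24"

# Print the rules (without the ipfw command) in evaluation order.
gen_rules() {
    echo "add check-state"                        # replies to stateful rules below
    echo "add allow all from any to any via lo0"
    echo "add deny all from any to 127.0.0.0/8"
    echo "add deny all from 127.0.0.0/8 to any"
    # anti-spoof: a protected address must never arrive on the external side
    echo "$INTERNAL" | while read -r ifc net; do
        echo "add deny log all from $net to any in via $EXT_IF"
    done
    # services exposed per network, as in the post (HTTP to one, FTP to another)
    echo "add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via $EXT_IF"
    echo "add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via $EXT_IF"
    # each protected network may reach the outside, but not the other segments
    echo "$INTERNAL" | while read -r ifc net; do
        echo "$INTERNAL" | while read -r oifc onet; do
            [ "$net" = "$onet" ] || echo "add deny log all from $net to $onet in via $ifc"
        done
        echo "add allow ip from $net to any keep-state in via $ifc"
    done
    echo "add deny log all from any to any"       # default deny
}

# Load the rules; set FWCMD="echo ipfw" for a dry run.
apply_rules() {
    $FWCMD -f flush
    gen_rules | while read -r rule; do
        $FWCMD $rule    # unquoted on purpose: each word is an ipfw argument
    done
}

if [ "${APPLY:-no}" = "yes" ]; then apply_rules; else gen_rules; fi
```

Run it without arguments to review the generated rules; `APPLY=yes FWCMD="echo ipfw" sh script.sh` shows the exact commands that would be loaded.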