From owner-freebsd-questions Mon Oct 8 19:00:13 2001
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <002001c15066$19bd7ee0$030aa8c0@bigdaddy>
From: "Drew Tomlinson"
Subject: Firewall Concepts
Date: Mon, 8 Oct 2001 18:59:58 -0700
Sender: owner-freebsd-questions@FreeBSD.ORG

I have an ADSL connection for my home LAN. I'm using a 3Com OfficeConnect 812 router that I purchased from the local telco. The router has 4 LAN ports and 1 WAN port. Originally it was configured as a router running NAT and has worked fine, but it provides little to no logging of packets sent to it. Thus, I decided to try and configure the 3Com 812 to send everything to a FBSD 4.4 box with 2 NICs and run the firewall on FBSD. The FBSD box is configured as a wide open firewall for testing, as you can see by the first two lines.
Here's the output from ipfw show:

    00050 1029  75770 divert 8668 ip from any to any via ed1
    00060 1637 159293 allow ip from any to any
    00100    0      0 allow ip from any to any via lo0
    00200    0      0 deny ip from any to 127.0.0.0/8
    00300    0      0 deny ip from 127.0.0.0/8 to any
    00400    0      0 allow ip from any to any via ed0
    00501    0      0 check-state
    00502    0      0 deny tcp from any to any in established
    00503    0      0 allow tcp from any to any keep-state out setup
    65500    0      0 deny ip from any to any
    65535    0      0 allow ip from any to any

Also, I'm running natd, and have gateway enabled in my rc.conf. Here are the relevant lines:

    # I'm not sure what this should be set to
    defaultrouter="192.168.10.1"
    ifconfig_ed0="inet 192.168.1.2 netmask 255.255.255.0"
    ifconfig_ed1="inet 192.168.10.2 netmask 255.255.255.0"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="ed1"
    natd_flags="-log"
    firewall_enable="YES"
    firewall_type="/etc/ipfw.rules"
    firewall_logging="YES"
    log_in_vain="YES"

This is my network layout:

    ISP
     |
     |  IP is DHCP
     |
    3Com 812
     |
     | 192.168.1.1
     |
    -----------------  IPs 192.168.1.x
     |    |    |    |
    Box 1    2    3    4

This is what I am trying to do:

    ISP
     |
     |  IP is DHCP
     |
    3Com 812
     | 192.168.10.1
     |
     | 192.168.10.2
    FBSD 4.4 Box
     |
     | 192.168.1.2
     |
    -----------------  IPs 192.168.1.x
     |    |    |    |   Gateway 192.168.1.2
    Box 1    2    3    4

So my first thought was to configure the 812 as a bridge because, as I understand it, a bridge just passes packets from one side to the other. But this doesn't seem to work at all, probably because the public interface on the FBSD router doesn't have a "real" address. I tried setting the public interface for DHCP, but it never received a lease. Next, I configured my 812 back to a router but could not get out to the Internet unless I enabled NAT on the 812. When I did that, I had Internet access from all of my boxes but was back to my 812 doing the routing and NAT, so I didn't gain anything. So I guess what I'm asking is which direction to pursue.
All I really want is my 812 router to take *everything* it gets and pass it to 192.168.10.2 so that the FBSD firewall can take care of it. Am I barking up the wrong tree? Any suggestions? Another approach that might work is to configure the 812 router for NAT and then set the default workstation address to the FBSD box. If this is a reasonable thing to try, would I remove natd and replace it with routed? Any suggestions or advice will be greatly appreciated. I'd really like to learn this stuff and *understand* what it is that I'm doing.

Thanks,

Drew
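Added example (not part of Drew's post, and not FreeBSD or 3Com code): a small Python script that parses the `ipfw show` listing quoted above and reports which rules are unreachable because an earlier rule already matches every packet. ipfw evaluates rules in number order and stops at the first terminal match (`allow`/`deny`), while `divert` and `check-state` let the packet continue, so rule 00060 (`allow ip from any to any`, no `via`/`in`/`out` qualifier) makes everything after it dead code, including the final `deny` at 65500. The zero packet counters on those rules confirm it. The listing embedded below is a constructed copy of the output in the post; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed copy of the "ipfw show" output quoted in the post.
IPFW_SHOW = """\
00050 1029 75770 divert 8668 ip from any to any via ed1
00060 1637 159293 allow ip from any to any
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from any to any via ed0
00501 0 0 check-state
00502 0 0 deny tcp from any to any in established
00503 0 0 allow tcp from any to any keep-state out setup
65500 0 0 deny ip from any to any
65535 0 0 allow ip from any to any
"""

# Actions that end rule evaluation for a matching packet. divert, check-state
# and friends are not in this set: the packet continues at the next rule.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}

# "ipfw show" prints: <number> <packets> <bytes> <action> [<rest of rule>]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str
    body: str  # everything after the action, e.g. "ip from any to any via ed1"


def parse_ipfw_show(text):
    """Parse "ipfw show" output into Rule objects, skipping unparseable lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], (m[5] or "").strip()))
    return rules


def is_catch_all(rule):
    """True when the rule terminates evaluation for every packet: a terminal
    action whose body is exactly "ip from any to any" with no further
    qualifier (no via/in/out/established/setup/keep-state)."""
    return rule.action in TERMINAL and rule.body == "ip from any to any"


def find_shadowed(rules):
    """Return (number of the first catch-all rule, [numbers of rules after it]).
    Every rule after the first catch-all can never be consulted."""
    for i, r in enumerate(rules):
        if is_catch_all(r):
            return r.number, [x.number for x in rules[i + 1:]]
    return None, []


def effective_policy(rules):
    """'allow' or 'deny' for a packet nothing else matched, i.e. the action of
    the first catch-all rule (65535 is the default rule if none is earlier)."""
    for r in rules:
        if is_catch_all(r):
            return "allow" if r.action in {"allow", "accept", "pass", "permit"} else "deny"
    return None


def counters_consistent(rules, shadowed):
    """A shadowed rule should never have matched: its packet counter must be 0."""
    dead = set(shadowed)
    return all(r.packets == 0 for r in rules if r.number in dead)


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    catch_all, shadowed = find_shadowed(rules)
    print(f"first catch-all rule: {catch_all}")
    print(f"effective policy for unmatched traffic: {effective_policy(rules)}")
    print(f"unreachable rules: {shadowed}")
    print(f"zero counters on unreachable rules: {counters_consistent(rules, shadowed)}")
```

Run on the posted listing it reports rule 00060 as the catch-all, an effective policy of `allow`, and rules 00100 through 65535 as unreachable, which is exactly the "wide open for testing" state the post describes; once the two test rules are taken out, the same script can be rerun on a fresh `ipfw show` to confirm the final `deny ip from any to any` at 65500 is the first catch-all again.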