Date: Tue, 10 Dec 2002 10:14:37 +0100
From: Roman Neuhauser
To: Danilo Castro
Cc: questions@freebsd.org
Subject: Re: Gateway + Firewall
Message-ID: <20021210091437.GD56031@freepuppy.bellavista.cz>
In-Reply-To: <5.1.1.6.0.20021209151810.00a65850@gordo>

# castro@ps5.com.br / 2002-12-09 15:22:20 -0200:
> Well I have this problem with FreeBSD
>
> I have this network.
>
> Range: 10.10.10.192-207
> Network: 10.10.10.192/28
> Netmask: 10.10.10.254
> Router: 10.10.10.193
>
> I want to set up a firewall connecting it directly to the router using 2
> ethernet interfaces, setting up 2 valid addresses on these interfaces.
> It isn't working setting different netmasks (obviously) and FreeBSD doesn't allow
> me to add the same netmask to 2 different ether interfaces.
>
> How should I proceed?
You have AFAIK two options: a bridge (an invisible firewall), or NAT.
I know nothing about bridging, but there's an article about it in
/usr/share/doc/, so that might help.

NAT (with ipfilter/ipnat):

    roman@lilith ~ 271:0 > grep gate /etc/rc.conf
    gateway_enable="YES"
    roman@lilith ~ 272:0 > grep route /etc/rc.conf
    defaultrouter="62.168.44.33"    <- put your router's IP here
    roman@lilith ~ 270:0 > grep ^ip /etc/rc.conf
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipnat_enable="YES"
    ipnat_rules="/etc/ipnat.rules"
    ipmon_enable="YES"

Now, I've always compiled IPFilter into the kernel, but looking at
/etc/rc.network it appears that it should work using (and loading for
you) kernel modules; IOW, without any compiling.

As for /etc/ipf.rules and /etc/ipnat.rules: the simplest versions are
(supposing you have rl0 and de0 interfaces, de0 being the outside one):

/etc/ipf.rules:

    pass in quick on lo0 all
    pass out quick on lo0 all
    pass in quick on rl0 all
    pass out quick on rl0 all
    pass in quick on de0 all
    pass out quick on de0 all

That of course doesn't buy you anything beyond the ipfilter overhead. :)

/etc/ipnat.rules:

    map de0 10.0.0.0/24 -> 10.10.10.193/32

-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message.    see http://www.eyrie.org./~eagle/faqs/questions.html
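An added example, not part of Roman's reply or of the FreeBSD rc scripts: a small POSIX sh script that checks whether two address/prefix pairs share one subnet (the configuration FreeBSD refused in the question, and the reason the inside of the gateway gets its own private network that ipnat rewrites), and that emits the two rule files parameterized by interface names. Its /etc/ipf.rules replaces the pass-all set above with a default-deny inbound policy on the outside interface, letting outbound connections create state. The firewall's outside address 10.10.10.194/28 and the inside network 10.0.0.0/24 on rl0 are assumed values, not from the thread; the router 10.10.10.193 and the interfaces de0/rl0 are the thread's.

```shell
#!/bin/sh
# Added example (not from the original thread): subnet-overlap check and
# ipfilter/ipnat rule generation for a two-interface NAT gateway.
# Assumed values: outside interface de0 with 10.10.10.194/28 (any free
# address in the router's /28 would do), inside interface rl0 with
# 10.0.0.1/24; router 10.10.10.193 as in the question.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (28 -> 255.255.255.240).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address (integer) of addr/prefix.
network() {
    echo $(( $(ip2int "$1") & $(prefix2mask "$2") ))
}

# Exit status 0 when addr1/p1 and addr2/p2 share address space: compare both
# at the shorter prefix. Two interfaces set up this way is what FreeBSD
# rejected in the original question.
subnets_overlap() {
    p=$2
    if [ "$4" -lt "$p" ]; then p=$4; fi
    [ "$(network "$1" "$p")" -eq "$(network "$3" "$p")" ]
}

# /etc/ipf.rules: trust loopback and the inside interface, let outbound
# traffic on the outside interface create state, and drop everything else
# arriving on the outside interface (default deny inbound).
gen_ipf_rules() {   # $1 = outside interface, $2 = inside interface
    cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $2 all
pass out quick on $2 all
pass out quick on $1 proto tcp from any to any keep state
pass out quick on $1 proto udp from any to any keep state
pass out quick on $1 proto icmp from any to any keep state
block in quick on $1 all
EOF
}

# /etc/ipnat.rules: rewrite inside source addresses to the outside address.
gen_ipnat_rules() { # $1 = outside interface, $2 = inside net/prefix, $3 = outside address
    echo "map $1 $2 -> $3/32"
}

# Demonstration with the thread's numbers plus the assumed firewall addresses.
if subnets_overlap 10.10.10.194 28 10.10.10.195 28; then
    echo "10.10.10.194/28 and 10.10.10.195/28 overlap: cannot sit on two interfaces"
fi
if ! subnets_overlap 10.10.10.194 28 10.0.0.1 24; then
    echo "10.10.10.194/28 outside, 10.0.0.1/24 inside: distinct subnets, NAT between them"
fi
echo "inside network: $(int2ip "$(network 10.0.0.1 24)")/24"
echo "--- /etc/ipf.rules ---"
gen_ipf_rules de0 rl0
echo "--- /etc/ipnat.rules ---"
gen_ipnat_rules de0 10.0.0.0/24 10.10.10.194
```

Redirect the two generator outputs into /etc/ipf.rules and /etc/ipnat.rules on the gateway; with `quick` the first matching rule wins, and replies to state-creating outbound connections are matched from the state table before the final `block in` rule is consulted.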