Date:      Tue, 10 Dec 2002 10:14:37 +0100
From:      Roman Neuhauser <neuhauser@bellavista.cz>
To:        Danilo Castro <castro@ps5.com.br>
Cc:        questions@freebsd.org
Subject:   Re: Gateway + Firewall
Message-ID:  <20021210091437.GD56031@freepuppy.bellavista.cz>
In-Reply-To: <5.1.1.6.0.20021209151810.00a65850@gordo>
References:  <5.1.1.6.0.20021209151810.00a65850@gordo>

# castro@ps5.com.br / 2002-12-09 15:22:20 -0200:
> Well, I have this problem with FreeBSD.
> 
> I have this network.
> 
> Range: 10.10.10.192-207
> Network: 10.10.10.192/28
> Netmask: 10.10.10.254
> Router: 10.10.10.193
> 
> I want to set up a firewall connecting it directly to the router using 2
> ethernet interfaces, setting up 2 valid addresses on these interfaces.
> It isn't working with different netmasks (obviously), and FreeBSD doesn't
> allow me to add the same netmask to 2 different ether interfaces.
> 
> How should I proceed?

    you have AFAIK two options: a bridge (an invisible firewall), or
    NAT.
    
    I know nothing about bridging, but there's an article about it in
    /usr/share/doc/, so that might help.

    NAT (with ipfilter/ipnat):

    roman@lilith ~ 271:0 > grep gate /etc/rc.conf 
    gateway_enable="YES"

    roman@lilith ~ 272:0 > grep route /etc/rc.conf
    defaultrouter="62.168.44.33" <- put your router's IP here

    roman@lilith ~ 270:0 > grep ^ip /etc/rc.conf 
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipnat_enable="YES"
    ipnat_rules="/etc/ipnat.rules"
    ipmon_enable="YES"

    now, I've always compiled IPFilter into the kernel, but looking at
    /etc/rc.network it appears that it should work using (and loading
    for you) kernel modules; IOW, without any compiling.

    as for /etc/ipf.rules and /etc/ipnat.rules: the simplest versions
    are (supposing you have rl0 and de0 interfaces, de0 being the
    outside one):

    /etc/ipf.rules:
    pass in  quick on lo0 all
    pass out quick on lo0 all
    pass in  quick on rl0 all
    pass out quick on rl0 all
    pass in  quick on de0 all
    pass out quick on de0 all

    that of course doesn't buy you anything beyond the ipfilter
    overhead. :)

    /etc/ipnat.rules:
    map de0 10.0.0.0/24 -> 10.10.10.193/32

-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message.    see http://www.eyrie.org./~eagle/faqs/questions.html
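A stateful variant of the two files above, plus a sanity check that the ipnat `map` source network actually covers the inside interface, as an added example in POSIX sh (not from Roman's mail). It keeps the mail's interface names rl0 (inside) and de0 (outside); the addresses 10.0.0.1/24 and 10.10.10.194 are constructed, and the map target is assumed to be the firewall's own outside address.

```shell
# Added example, not from the mail: stateful ipf.rules / ipnat.rules for the
# two-interface NAT gateway, plus a check that the "map" source network covers
# the inside interface. Interface names follow the mail; addresses are constructed.
INSIDE_IF=rl0;  INSIDE_ADDR=10.0.0.1;    INSIDE_NET=10.0.0.0/24
OUTSIDE_IF=de0; OUTSIDE_ADDR=10.10.10.194   # the firewall's own outside address

# ip_to_int A.B.C.D -> dotted quad as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> succeeds when ADDR lies inside NET/PREFIX
in_cidr() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - prefix)) - 1) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_config -> fails if the map rule would miss the LAN or NAT the outside
check_config() {
    in_cidr "$INSIDE_ADDR" "$INSIDE_NET" ||
        { echo "$INSIDE_ADDR is not inside $INSIDE_NET" >&2; return 1; }
    ! in_cidr "$OUTSIDE_ADDR" "$INSIDE_NET" ||
        { echo "$OUTSIDE_ADDR would be NATed to itself" >&2; return 1; }
}

ipf_rules() {
    cat <<EOF
# loopback and inside LAN: unrestricted, as in the mail
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on $INSIDE_IF all
pass out quick on $INSIDE_IF all
# outside: only traffic leaving through $OUTSIDE_IF creates state; replies
# match the state table, unsolicited inbound packets are dropped and logged
pass out quick on $OUTSIDE_IF proto tcp from any to any flags S keep state
pass out quick on $OUTSIDE_IF proto udp from any to any keep state
pass out quick on $OUTSIDE_IF proto icmp from any to any keep state
block in log quick on $OUTSIDE_IF all
EOF
}

ipnat_rules() {
    # tcp/udp get rewritten source ports; the bare map line covers icmp etc.
    echo "map $OUTSIDE_IF $INSIDE_NET -> $OUTSIDE_ADDR/32 portmap tcp/udp 10000:60000"
    echo "map $OUTSIDE_IF $INSIDE_NET -> $OUTSIDE_ADDR/32"
}

check_config && { echo "# /etc/ipf.rules"; ipf_rules; echo "# /etc/ipnat.rules"; ipnat_rules; }
```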
