Date: Tue, 10 Apr 2001 08:38:40 -0500
From: Mike Meyer <mwm@mired.org>
To: "Todd Punderson" <todd@doonga.net>
Cc: questions@freebsd.org
Subject: RE: How to specify external network for firewall/NAT when IP is dynamically assigned
Message-ID: <15059.3296.598302.666139@guru.mired.org>
In-Reply-To: <121975463@toto.iv>
Todd Punderson <todd@doonga.net> types:
> Ok, dumb question. If I have 2 NICs, does "me" know to use the dynamic
> address? I have my private range, and my DHCP'ed IP from the cable co.

It doesn't. That's why I said it wasn't appropriate in this case. Use
the "not" solution I gave you below.

	<mike

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
> Sent: Monday, April 09, 2001 10:26 PM
> To: Lowell Gilbert; michael@tenzo.com
> Cc: questions@FreeBSD.ORG
> Subject: Re: How to specify external network for firewall/NAT when IP is
> dynamically assigned
>
>
> Lowell Gilbert <lowell@world.std.com> types:
> > michael@tenzo.com (Michael O'Henly) writes:
> > > I'm attempting to set up a simple firewall for my home network. I have a
> > > FreeBSD box with two NICs, one connected to the internet via cable modem and
> > > the other to an internal network on which there are two Macs. My external IP
> > > is assigned by DHCP. I'm not running any services that I want accessible to
> > > external users, or any from which I'd want to block internal users.
> > >
> > > I've read a lot of docs over the last few days on how to do this and I think
> > > I have the basics straight -- but for this question:
> > >
> > > In /etc/rc.firewall (simple section), I'm asked to identify my networks.
> > > Since my IP is dynamically assigned, how do I specify my outside network
> > > interface? Here's the format (replacing 1.2.3.444/24 with actual values)...
> > Assuming that you only *have* one external IP address (and, thus, are
> > doing NAT), there isn't really much in there that needs to specify your
> > IP address anyway. Most of the references to the IP address are only
> > there to specify that incoming connections are okay to the firewall
> > machine, but not to other machines on the inside; this check is useless
> > if the internal addresses aren't visible on the outside anyway.
>
> Exactly. If you check rc.firewall, there are two references to
> "onet". The one that defines it, and one that disables packets
> claiming to be from the outside world coming in on your internal
> interface.
>
> > Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for
> > specifying addresses, and you can use this to refer to your address
> > without needing to rebuild those rules if that address changes.
> > However, as I said earlier, this is of somewhat limited usefulness if
> > you've only got one address anyway.
>
> "me" doesn't really help in this case. It matches the ip addresses for
> the system, not the network address range that's being used here.
>
> Another recent addition is "not". If all traffic coming from inside
> should be from ${inet}:${imask}, you can do the spoof block using not
> and your internal network address like so:
>
> ${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif}
>
> This is a bit broader block than the one in rc.firewall, and it may
> not be appropriate in all cases. If you're managing a network large
> enough for it not to be appropriate - well, you probably wouldn't be
> asking the questions you're asking.
>
> 	<mike
> --
> Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
> Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> information.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

--
Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
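The thread above makes two points that fit together: with a single NAT'ed external address, almost none of rc.firewall's "simple" rules actually need to know that address (Lowell), and the one rule that does, the "onet" anti-spoof check on the inside interface, can be rewritten with "not" against the internal network instead (Mike). The script below is an added worked example, not the original mail's text nor FreeBSD's own rc.firewall. The interface names (fxp0/fxp1), the internal network 192.168.1.0/24, the rule numbers and the dry-run default (rules are echoed rather than loaded) are assumptions for illustration; nothing in it depends on the DHCP-assigned address.

```shell
#!/bin/sh
# Added example (not from the original mail or FreeBSD's rc.firewall):
# a minimal rc.firewall "simple"-style rule set for a two-NIC NAT gateway
# whose external address is assigned by DHCP.  Interface names, the
# internal network and the rule numbers are assumptions for illustration.

oif="fxp0"                 # assumed: external NIC (cable modem), DHCP address
iif="fxp1"                 # assumed: internal NIC
inet="192.168.1.0"         # assumed: internal network
imask="255.255.255.0"

# Dry run by default, so the script can be read (and checked) on any host.
# On the gateway itself:  fwcmd=/sbin/ipfw sh thisfile.sh   (from the console;
# "ipfw -f flush" drops every rule, including the one your ssh session uses).
fwcmd="${fwcmd:-echo ipfw}"

gen_rules() {
    ${fwcmd} -f flush

    # Loopback traffic is never translated or filtered.
    ${fwcmd} add 10 pass all from any to any via lo0

    # Translate everything crossing the external interface.  natd tracks
    # the dynamic address itself (natd -dynamic -n ${oif}), so no rule
    # below needs to know what it currently is.
    ${fwcmd} add 50 divert natd all from any to any via ${oif}

    # Anti-spoofing.  Rule 100 is rc.firewall's check that needs no external
    # address.  Rule 110 replaces the "onet" check: anything entering the
    # inside interface must carry an inside source address, whatever the
    # outside address happens to be today.
    ${fwcmd} add 100 deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add 110 deny all from not ${inet}:${imask} to any in via ${iif}

    # RFC 1918 and loopback space has no business on the outside link.
    ${fwcmd} add 200 deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add 201 deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add 202 deny all from any to 192.168.0.0/16 via ${oif}
    ${fwcmd} add 203 deny all from any to 127.0.0.0/8 via ${oif}

    # Established TCP and fragments pass; neither needs an address.
    ${fwcmd} add 300 pass tcp from any to any established
    ${fwcmd} add 310 pass all from any to any frag

    # No services are offered to the outside: refuse (and log) every
    # inbound connection attempt on ${oif}, then allow any other setup
    # (which, after rule 400, can only be outbound or from the inside).
    ${fwcmd} add 400 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 410 pass tcp from any to any setup

    # DNS over UDP: queries out, answers back.  Deliberately coarse; it is
    # written without "via" so it matches on both interfaces.
    ${fwcmd} add 500 pass udp from any to any 53
    ${fwcmd} add 510 pass udp from any 53 to any

    # Explicit default, so the policy does not depend on how the kernel
    # was built (IPFIREWALL_DEFAULT_TO_ACCEPT).
    ${fwcmd} add 65000 deny log all from any to any
}

gen_rules
```

Because the divert rule sits first, a packet leaving via fxp0 is re-injected after NAT with the public source address and a packet arriving on fxp0 is re-injected with the private destination; that is why the rules after rule 50 are written against "any" or the internal network rather than "me", which Mike notes only matches the gateway's own addresses. Only rule 110 carries a broader block than stock rc.firewall, as the mail says, and only because it now denies every non-inside source on the inside interface rather than just the outside network.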
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15059.3296.598302.666139>