Date:      Tue, 10 Apr 2001 08:38:40 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Todd Punderson" <todd@doonga.net>
Cc:        questions@freebsd.org
Subject:   RE: How to specify external network for firewall/NAT when IP is dynamically assigned
Message-ID:  <15059.3296.598302.666139@guru.mired.org>
In-Reply-To: <121975463@toto.iv>

Todd Punderson <todd@doonga.net> types:
> Ok, dumb question. If I have 2 NICs, does "me" know to use the dynamic
> address? I have my private range, and my DHCP'ed IP from the cable co.

It doesn't. That's why I said it wasn't appropriate in this case.

Use the "not" solution I gave you below.

	<mike

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
> Sent: Monday, April 09, 2001 10:26 PM
> To: Lowell Gilbert; michael@tenzo.com
> Cc: questions@FreeBSD.ORG
> Subject: Re: How to specify external network for firewall/NAT when IP is
> dynamically assigned
> 
> 
> Lowell Gilbert <lowell@world.std.com> types:
> > michael@tenzo.com (Michael O'Henly) writes:
> > > I'm attempting to set up a simple firewall for my home network.  I have a
> > > FreeBSD box with two NICs, one connected to the internet via cable modem and
> > > the other to an internal network on which there are two Macs. My external IP
> > > is assigned by DHCP. I'm not running any services that I want accessible to
> > > external users, or any from which I'd want to block internal users.
> > >
> > > I've read a lot of docs over the last few days on how to do this and I think
> > > I have the basics straight -- but for this question:
> > >
> > > In /etc/rc.firewall (simple section), I'm asked to identify my networks.
> > > Since my IP is dynamically assigned, how do I specify my outside network
> > > interface? Here's the format (replacing 1.2.3.444/24 with actual values)...
> > Assuming that you only *have* one external IP address (and, thus, are
> > doing NAT), there isn't really much in there that needs to specify your
> > IP address anyway.  Most of the references to the IP address are only
> > there to specify that incoming connections are okay to the firewall
> > machine, but not to other machines on the inside; this check is useless
> > if the internal addresses aren't visible on the outside anyway.
> 
> Exactly. If you check rc.firewall, there are two references to
> "onet". The one that defines it, and one that disables packets
> claiming to be from the outside world coming in on your internal
> interface.
> 
> > Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for
> > specifying addresses, and you can use this to refer to your address
> > without needing to rebuild those rules if that address changes.
> > However, as I said earlier, this is of somewhat limited usefulness if
> > you've only got one address anyway.
> 
> "me" doesn't really help in this case. It matches the ip addresses for
> the system, not the network address range that's being used here.
> 
> Another recent addition is "not". If all traffic coming from inside
> should be from ${inet}:${imask}, you can do the spoof block using not
> and your internal network address like so:
> 
> ${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif}
> 
> This is a bit broader block than the one in rc.firewall, and it may
> not be appropriate in all cases. If you're managing a network large
> enough for it not to be appropriate - well, you probably wouldn't be
> asking the questions you're asking.
> 
> 	<mike
> --
> Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
> Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> information.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
> 
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15059.3296.598302.666139>
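The anti-spoofing rule discussed in this thread, worked into a small rc.firewall-style script as an added example (this is not code from the thread or from FreeBSD's own rc.firewall). It assumes interface names xl0/xl1, inside network 192.168.1.0/255.255.255.0 and the rule numbers shown; all of those are placeholders. By default it only echoes the ipfw commands (a dry run), so it can be inspected on any host; set fwcmd=/sbin/ipfw as root on a FreeBSD box to load the rules. It also includes a pure-shell check of what "not ${inet}:${imask} ... in via ${iif}" accepts and rejects, so the semantics of the rule can be exercised without ipfw, and it goes one step beyond the thread by adding the mirror-image rule (inside addresses arriving on the outside interface), which likewise never needs the DHCP-assigned address.

```sh
#!/bin/sh
# Added example, not from the original thread. Dynamic-IP NAT firewall rules
# that never reference the outside address, plus a shell model of the
# anti-spoof match. Interfaces, addresses and rule numbers are assumptions.

fwcmd="${fwcmd:-echo ipfw}"      # dry run by default; fwcmd=/sbin/ipfw to apply
oif="${oif:-xl0}"                # outside NIC, address comes from DHCP (assumed name)
iif="${iif:-xl1}"                # inside NIC (assumed name)
inet="${inet:-192.168.1.0}"      # inside network (assumed)
imask="${imask:-255.255.255.0}"  # inside netmask (assumed)

# Emit the ruleset. Nothing here names the outside address or network, so a
# new DHCP lease does not require rebuilding the rules.
gen_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow all from any to any via lo0
    # Anything entering on the inside NIC must carry an inside source address;
    # everything else is a spoof attempt or a misconfigured host, so drop it.
    ${fwcmd} add 200 deny log all from not ${inet}:${imask} to any in via ${iif}
    # Mirror image: an inside source address must never arrive on the outside NIC.
    ${fwcmd} add 210 deny log all from ${inet}:${imask} to any in via ${oif}
    # Hand everything crossing the outside NIC to natd for address translation.
    ${fwcmd} add 300 divert natd all from any to any via ${oif}
    # Replies to connections already established are fine in either direction.
    ${fwcmd} add 400 allow tcp from any to any established
    # Let the inside network start new connections; nothing from outside may.
    ${fwcmd} add 500 allow all from ${inet}:${imask} to any
    ${fwcmd} add 65000 deny log all from any to any
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer, for mask arithmetic.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: exit 0 when ADDR lies inside NET/MASK.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# antispoof_verdict ADDR: what rule 200 does to a packet from ADDR that
# arrives on ${iif}. "not ${inet}:${imask}" matches every address outside
# the inside network, so those are denied and inside sources pass through.
antispoof_verdict() {
    if in_subnet "$1" "$inet" "$imask"; then
        echo pass
    else
        echo deny
    fi
}

# Stand-alone run: print the rules, then try a few source addresses.
if [ "${1:-}" = run ]; then
    gen_rules
    for src in 192.168.1.42 192.168.2.1 10.0.0.5 203.0.113.7; do
        printf '%-16s on %s: %s\n' "$src" "$iif" "$(antispoof_verdict "$src")"
    done
fi
```

The point of the two deny rules (200 and 210) is that both are expressed purely in terms of the inside network, which is static; the rc.firewall "onet" rule is the only one that needs the outside network, and it is replaceable by rule 200. Note that rule 200 is deliberately broad: a second legitimate internal subnet routed via the inside NIC would be dropped by it, which is the caveat Mike raises in the thread.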