From owner-freebsd-questions Tue Apr 10 6:38:45 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186]) by hub.freebsd.org (Postfix) with SMTP id 3E78037B422 for ; Tue, 10 Apr 2001 06:38:41 -0700 (PDT) (envelope-from mwm@mired.org)
Received: (qmail 31558 invoked by uid 100); 10 Apr 2001 13:38:40 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15059.3296.598302.666139@guru.mired.org>
Date: Tue, 10 Apr 2001 08:38:40 -0500
To: "Todd Punderson"
Cc: questions@freebsd.org
Subject: RE: How to specify external network for firewall/NAT when IP is dynamically assigned
In-Reply-To: <121975463@toto.iv>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Todd Punderson types:
> Ok, dumb question. If I have 2 NICs, does "me" know to use the dynamic
> address? I have my private range, and my DHCP'ed IP from the cable co.

It doesn't. That's why I said it wasn't appropriate in this case. Use
the not solution I gave you below.

-----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
> Sent: Monday, April 09, 2001 10:26 PM
> To: Lowell Gilbert; michael@tenzo.com
> Cc: questions@FreeBSD.ORG
> Subject: Re: How to specify external network for firewall/NAT when IP is
> dynamically assigned
>
>
> Lowell Gilbert types:
> > michael@tenzo.com (Michael O'Henly) writes:
> > > I'm attempting to set up a simple firewall for my home network. I have a
> > > FreeBSD box with two NICs, one connected to the internet via cable modem and
> > > the other to an internal network on which there are two Macs. My external IP
> > > is assigned by DHCP. I'm not running any services that I want accessible to
> > > external users, or any from which I'd want to block internal users.
> > >
> > > I've read a lot of docs over the last few days on how to do this and I think
> > > I have the basics straight -- but for this question:
> > >
> > > In /etc/rc.firewall (simple section), I'm asked to identify my networks.
> > > Since my IP is dynamically assigned, how do I specify my outside network
> > > interface? Here's the format (replacing 1.2.3.444/24 with actual values)...
> > Assuming that you only *have* one external IP address (and, thus, are
> > doing NAT), there isn't really much in there that needs to specify your
> > IP address anyway. Most of the references to the IP address are only
> > there to specify that incoming connections are okay to the firewall
> > machine, but not to other machines on the inside; this check is useless
> > if the internal addresses aren't visible on the outside anyway.
>
> Exactly. If you check rc.firewall, there are two references to
> "onet". The one that defines it, and one that disables packets
> claiming to be from the outside world coming in on your internal
> interface.
>
> > Somewhat recently, FreeBSD has added a "me" option to ipfw's syntax for
> > specifying addresses, and you can use this to refer to your address
> > without needing to rebuild those rules if that address changes.
> > However, as I said earlier, this is of somewhat limited usefulness if
> > you've only got one address anyway.
>
> "me" doesn't really help in this case. It matches the ip addresses for
> the system, not the network address range that's being used here.
>
> Another recent addition is "not". If all traffic coming from inside
> should be from ${inet}:${imask}, you can do the spoof block using not
> and your internal network address like so:
>
> ${fwcmd} add deny all from not ${inet}:${imask} to any in via ${iif}
>
> This is a bit broader block than the one in rc.firewall, and it may
> not be appropriate in all cases. If you're managing a network large
> enough for it not to be appropriate - well, you probably wouldn't be
> asking the questions you're asking.
>
> --
> Mike Meyer                              http://www.mired.org/home/mwm/
> Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> information.

--
Mike Meyer                              http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
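The thread contrasts three ipfw address forms on a NAT box with a dynamic outside address: the rc.firewall rule keyed on `${onet}:${omask}`, the broader `not ${inet}:${imask}` rule Mike suggests, and the `me` keyword, which only matches the firewall's own addresses. The following is an added example, not code from the thread or from FreeBSD's rc.firewall: it models the two ingress rules and the `me` match in Python and evaluates them against constructed packets, so the difference in what each rule denies (including the second-inside-subnet case that makes the `not` rule "not appropriate in all cases") can be seen directly. The addresses, interface names (`fxp0`, `fxp1`) and the shape of the rc.firewall rule are assumptions chosen for illustration.

```python
"""Model of the ipfw anti-spoof rules discussed in the thread.

Every address and interface name below is a constructed stand-in for the
rc.firewall variables; none belongs to a host in the thread.
"""
import ipaddress

INET = ipaddress.ip_network("192.168.1.0/24")   # ${inet}:${imask}, the inside network
ONET = ipaddress.ip_network("203.0.113.0/24")   # ${onet}:${omask}, only known when the outside address is static
IIF = "fxp1"                                    # ${iif}, the inside interface
OIF = "fxp0"                                    # ${oif}, the outside interface
HOST_ADDRS = {                                  # what ipfw's "me" matches: the box's own addresses, not a range
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("198.51.100.42"),      # the DHCP-assigned outside address (constructed)
}


def denied_by_onet_rule(src, iface):
    """Modeled on the rc.firewall rule Mike describes: drop packets that
    claim an outside-network source but arrive on the inside interface."""
    return iface == IIF and ipaddress.ip_address(src) in ONET


def denied_by_not_rule(src, iface):
    """The rule from the thread:
    deny all from not ${inet}:${imask} to any in via ${iif}"""
    return iface == IIF and ipaddress.ip_address(src) not in INET


def matches_me(src):
    """'me' matches the firewall's own addresses only, so it cannot stand in
    for a network range in an anti-spoof rule."""
    return ipaddress.ip_address(src) in HOST_ADDRS


# Constructed packets: (source address, interface the packet arrived on)
SAMPLE_PACKETS = [
    ("192.168.1.10", "fxp1"),   # ordinary inside host
    ("203.0.113.7", "fxp1"),    # claims an outside-network source on the inside interface
    ("10.99.0.5", "fxp1"),      # spoofed, but not from ${onet}: only the 'not' rule catches it
    ("192.168.2.20", "fxp1"),   # a second inside subnet routed behind the LAN: the 'not' rule drops it
    ("203.0.113.7", "fxp0"),    # arrives on the outside interface, so neither ingress rule applies
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return each packet's verdict under both rules, keyed by (src, iface)."""
    return {
        (src, iface): {
            "onet_rule_denies": denied_by_onet_rule(src, iface),
            "not_rule_denies": denied_by_not_rule(src, iface),
        }
        for src, iface in packets
    }


if __name__ == "__main__":
    for key, verdict in evaluate().items():
        print(key, verdict)
```

The fourth packet is the caveat in Mike's last paragraph: any legitimate inside source outside `${inet}:${imask}` (a routed second subnet, a VPN pool) is dropped by the `not` rule, so on a larger network the rule has to enumerate the inside prefixes or be replaced with per-interface rules.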