Date: Tue, 16 Sep 2003 11:01:28 -0400
From: "Bob Hall" <rjhjr@cox.net>
To: freebsd-questions@freebsd.org
Subject: Re: firewall
Message-ID: <20030916150127.GA7488@kongemord.krig.net>
In-Reply-To: <20030916181713.4fb10264.y2kbug@ms25.hinet.net>
References: <20030914172715.20a91c69.y2kbug@ms25.hinet.net> <20030915035239.GB89689@kongemord.krig.net> <20030915212551.13a47734.y2kbug@ms25.hinet.net> <20030915225606.GB653@kongemord.krig.net> <20030916181713.4fb10264.y2kbug@ms25.hinet.net>
On Tue, Sep 16, 2003 at 06:17:13PM +0800, Robert Storey wrote:
> On Mon, 15 Sep 2003 18:56:07 -0400
> "Bob Hall" <rjhjr@cox.net> wrote:
>
> > Another poster pointed out, and I seconded, that you need to set up
> > NAT. There was no divert rule in your previous rule list, and you
> > haven't mentioned setting up NAT, so I assume you still haven't done
> > it. Without NAT, your gateway computer will be able to use PPP without
> > your previous firewall, but none of your other computers will be able
> > to connect.
>
> Dear Bob,
>
> Thanks. Acting on Scott's suggestion, I put this in /etc/rc.conf:
>
> natd_enable="YES"
> natd_interface="ppp0"
>
> However, I'm still left with the same problem - with the firewall
> enabled, ppp is blocked. Maybe I should clarify - it's the gateway
> machine that cannot access ppp. I'm not worried about the other machines
> on the network gaining access to ppp. Anyway, the internal network is OK
> even with the firewall enabled, but the firewall is definitely blocking
> my ppp connection.
>
> If I were smarter, I could probably tweak the network settings in
> /etc/rc.firewall. But all I'm trying to do is use the "simple"
> configuration (which so far is not proving to be simple).
>
> I'm pretty much out of ideas on this.

OK. I think I've figured out what you don't know.

Your firewall is configured to work with 192.168.0.xxx addresses. These
are special addresses that should only be used inside your LAN. Anyone
outside your LAN, including your ISP, should never see them. NAT (Network
Address Translation) is used to convert your internal IP address to the
address assigned by your ISP when you dial up. That is the IP address
associated with your ppp0 device, which you see when you type
"ifconfig -a".

Without NAT, your firewall is allowing your 192.168.0.xxx addresses to
access the internet, but they don't have an external connection. Your
ppp0 device, which does have an external connection, is being blocked
because it doesn't have a 192.168.0.xxx address.

Everyone who responded to you has been assuming that your box with the
dial-up connection was a gateway; i.e. the gateway used by the other
computers to access the Internet. If this is the case, then you need to
set up NAT by one of two methods:

1) Recompile the kernel with the following two options:

       options IPFIREWALL    # firewall
       options IPDIVERT      # divert sockets

   Then you need to add a "divert" rule to your firewall that translates
   internal addresses to your external address.

2) If you are using user PPP, you do the same thing by using PPP's
   built-in NAT function.

If your box with the dial-up connection is not a gateway (i.e. it is the
only computer that will access the Internet), then use the CLIENT rule
set, but use the external IP address, not the 192.168.0.xxx address.

Bob Hall
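An added sanity check, not from this thread or from FreeBSD itself: a POSIX shell function that reads "ipfw list" output and confirms that a divert rule exists for the NAT interface (assumed to be ppp0, as in Robert's rc.conf) and that it is numbered lower than any allow rule mentioning that interface, which is the condition natd needs to translate the gateway's traffic. The two rulesets below are constructed samples that mirror the missing-divert situation Bob describes and its fixed form.

```shell
#!/bin/sh
# check_nat_divert IFACE: read "ipfw list" output on stdin and return
#   0 if a divert rule via IFACE precedes every allow rule naming IFACE,
#   1 if no divert rule via IFACE exists at all,
#   2 if an allow rule naming IFACE comes before the divert rule.
# Note: "ipfw list" prints the divert port number (8668 for natd),
# not the word "natd", so we key on the action and the interface only.
check_nat_divert() {
    iface="$1"
    divert_num=""
    first_allow=""
    while read -r num action rest; do
        case "$action" in
            divert)
                case "$rest" in
                    *"via $iface"*|*"xmit $iface"*|*"recv $iface"*)
                        [ -z "$divert_num" ] && divert_num="$num" ;;
                esac ;;
            allow|accept|pass|permit)
                case "$rest" in
                    *"$iface"*)
                        [ -z "$first_allow" ] && first_allow="$num" ;;
                esac ;;
        esac
    done
    if [ -z "$divert_num" ]; then
        echo "no divert rule via $iface: packets will not be NATed" >&2
        return 1
    fi
    if [ -n "$first_allow" ] && [ "$first_allow" -lt "$divert_num" ]; then
        echo "allow rule $first_allow precedes divert rule $divert_num" >&2
        return 2
    fi
    return 0
}

# Constructed sample of "ipfw list" output: the situation in the thread,
# a ruleset that passes 192.168.0.x traffic but has no divert rule.
BROKEN_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00400 allow ip from 192.168.0.0/24 to any via ppp0
65535 deny ip from any to any'

# Same ruleset with the divert rule natd needs, placed before the allows.
FIXED_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 divert 8668 ip from any to any via ppp0
00300 allow tcp from any to any established
00400 allow ip from 192.168.0.0/24 to any via ppp0
65535 deny ip from any to any'

# check_sample RULES: run the check over an embedded sample ruleset.
check_sample() {
    printf '%s\n' "$1" | check_nat_divert ppp0
}
```

On a live gateway, run it as "ipfw list | check_nat_divert ppp0" after sourcing the function.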