Date:      Thu, 4 Apr 2002 09:37:43 +0200 (SAST)
From:      Willie Viljoen <will@laserfence.net>
To:        kjhd kjsdfhk <juostaus@yahoo.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: linksys 8 port router and ipfw
Message-ID:  <20020404093230.C2932-100000@phoenix.vh.laserfence.net>
In-Reply-To: <20020403233235.53970.qmail@web20510.mail.yahoo.com>

To be quite honest, I would remove the router and connect the FreeBSD box
directly to the LAN. Then I would simply make the FreeBSD box act as a
router between the LAN and the cable interface... as for firewall rules,
here is something you might consider: (this assumes 10.0.0.0/24 is your
LAN)

add divert natd all from 10.0.0.0/255.255.255.0 to ! 10.0.0.0/255.255.255.0  via xl1
add check-state
add allow tcp from any to any <ports-open-to-outside> setup keep-state in
add allow udp from any to any <ports-open-to-outside> keep-state in
add allow all from 10.0.0.0/255.255.255.0 to any

The syntax there might be slightly off... I've been playing around with
linux iptables recently, which has weird syntax and somehow sticks in my
memory... but you get the idea :)

Will

On Wed, 3 Apr 2002, kjhd kjsdfhk wrote:

> Thanks in advance. I have 8 Windows clients behind a Linksys router (BEFSR81 with
> updated firmware) on a hub that links to a FreeBSD box (4.5-RELEASE) running natd and
> connected to the net via cable; no DHCP anywhere. I can make it work, BUT I am unsure of
> how well I have done it and how well it is protected. I have omitted the more mundane lo0
> and spoofing entries for brevity. xl0 is the internal interface.
>
> ipfw rules:
>
>     add divert natd all from any to any via xl1
>     add check-state
>     add allow tcp from "the-router" to any 22 in setup keep-state
>     add deny tcp from any to any 22
>     add allow all from "the-router" to any keep-state
>     add allow all from any to any out
>     default to deny
>
> #1 How can I change this so it doesn't suck and so that I can browse and FTP from the
> BSD box?
>
> #2 See below; not as important as #1, but I didn't want to cross-post to questions.
>
> ***side note*** The strange thing about the router: ssh works until I use the router.
> I googled and found other people who said to change the MTU on the NIC and router;
> didn't work. The router only breaks ssh (it is in /etc/hosts); you can still browse
> and FTP. Remove the router and all works, without any other changes. I cheated and
> changed my sshd_config to listen on all interfaces and it will work through the
> router; not working on xl0, only xl1. I don't think this is, however, the best answer.
>
> Again, I thank you all for any time and help.

-- 
Willie Viljoen
Private IT Consultant

214 Paul Kruger Avenue
Universitas
Bloemfontein
9321

South Africa

+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27

will@laserfence.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
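The layout the reply sketches (FreeBSD box as the only router, natd on the cable interface, stateful rules) written out as a complete ipfw ruleset for ipfw on FreeBSD 4.x. This is an added example, not code from either message in the thread. It assumes names the mails do not fix: xl0 is the LAN interface, xl1 the cable interface, the LAN is 10.0.0.0/24, and only SSH to the gateway itself is reachable from outside; to expose a LAN host instead, natd's -redirect_port would be needed on top of this.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw + natd ruleset for a FreeBSD 4.x
# box that is the LAN's only router, as the reply suggests.
# Assumed names (not in the original mails): xl0 = LAN side, xl1 = cable side,
# LAN = 10.0.0.0/24, and only SSH to the gateway itself is open from outside.
# Needs a kernel with IPFIREWALL, IPDIVERT and IPFIREWALL_VERBOSE (for "log"),
# and in /etc/rc.conf: gateway_enable="YES", natd_enable="YES",
# natd_interface="xl1", firewall_enable="YES", firewall_script="/etc/ipfw.sh"
# (this file, invoked as "/etc/ipfw.sh apply").

LAN_IF=${LAN_IF:-xl0}
EXT_IF=${EXT_IF:-xl1}
LAN_NET=${LAN_NET:-10.0.0.0/24}
TCP_IN=${TCP_IN:-22}          # TCP ports on the gateway reachable from outside
IPFW=${IPFW:-/sbin/ipfw}      # set IPFW=echo to preview without applying

# Print the ruleset.  Ordering matters when natd and keep-state are combined:
#  - inbound packets are un-NATed (rule 300) BEFORE check-state, so a reply
#    already carries the LAN address the dynamic rule was keyed on;
#  - outbound rules use "skipto 800 ... keep-state": the dynamic rule is
#    created pre-NAT, and because check-state executes the parent rule's
#    action, later packets of the same flow are also sent to 800 and NATed.
build_rules() {
    cat <<EOF
# loopback, and nothing else may use 127/8
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# LAN side: only LAN sources in, only LAN destinations out
add 200 allow ip from $LAN_NET to any in via $LAN_IF
add 210 allow ip from any to $LAN_NET out via $LAN_IF
add 220 deny log ip from any to any via $LAN_IF
# anti-spoofing: our own LAN prefix must never arrive on the cable side
add 230 deny log ip from $LAN_NET to any in via $EXT_IF
# un-NAT inbound first, then match established flows
add 300 divert natd ip from any to any in via $EXT_IF
add 310 check-state
# new outbound flows from the LAN or from this box: remember them, then NAT
add 400 skipto 800 tcp from any to any out via $EXT_IF setup keep-state
add 410 skipto 800 udp from any to any out via $EXT_IF keep-state
add 420 skipto 800 icmp from any to any out via $EXT_IF keep-state
# services on the gateway itself that the outside may reach
add 500 allow tcp from any to me $TCP_IN in via $EXT_IF setup keep-state
# everything else arriving from the cable side is dropped and logged
add 510 deny log ip from any to any in via $EXT_IF
# skipto target: NAT outbound packets, then let them (and un-NATed replies) go
add 800 divert natd ip from any to any out via $EXT_IF
add 810 allow ip from any to any
add 65000 deny log ip from any to any
EOF
}

# Flush the current set and load the rules one by one; comment lines are dropped.
apply_rules() {
    $IPFW -q -f flush
    build_rules | grep -v '^#' | while read -r rule; do
        $IPFW -q $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules ;;
esac
```

Run it as `sh ipfw.sh show` to inspect the generated rules, or `IPFW=echo sh ipfw.sh apply` to see exactly which ipfw commands would be issued before loading them for real. Rule 310 before the outbound rules is what lets the gateway itself browse and FTP (the original question #1): its own connections create state at 400/410 just like the LAN's, and the replies are matched at 310 after passing natd at 300.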
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020404093230.C2932-100000>