Date: Tue, 6 Feb 2001 20:52:55 -0500 From: Eric Thornton <ewthorn2@eos.ncsu.edu> To: Benjamin Ossei <ben@cahostnet.net>, questions@FreeBSD.ORG Subject: Re: HELLLLLLLLLLLP(firewall) Message-ID: <01020620525500.00910@reefbreak.surfbbx> In-Reply-To: <20010206232345.D7B6F36F9@sitemail.everyone.net> References: <20010206232345.D7B6F36F9@sitemail.everyone.net>
I know little about firewall rules, but this is my setup.
It was done by a friend of mine who knows a lot more about TCP/IP than I do.
This works with Road Runner (dynamic IP address).
---KERNEL-----
options IPFIREWALL          # ipfw packet filter
options IPFIREWALL_VERBOSE  # makes the "log" keyword on rules work
options IPDIVERT            # divert sockets, required by natd
---rc.conf-----
gateway_enable="YES"           # forward packets between interfaces (net.inet.ip.forwarding=1)
firewall_enable="YES"          # load /etc/rc.firewall at boot
# I don't know what the next 3 do...
tcp_keepalive="YES"            # send keepalives on idle TCP connections (net.inet.tcp.always_keepalive)
tcp_extensions="YES"           # RFC 1323 window scaling and timestamps
icmp_drop_redirect="YES"       # ignore ICMP redirects (net.inet.icmp.drop_redirect)
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="ed1"           # the outside interface; natd takes its (dynamic) address from it
natd_flags="-f /etc/natd.conf"
# this excludes the normal hostname, ifconfig and network setup
---rc.firewall----
HIPORT=1024-65535
LOPORT=1-1023
FTPPORT=49152-65535
ipfw="/sbin/ipfw -q"
$ipfw -f flush
sysctl -w net.inet.ip.fw.one_pass=0
# deny rfc1918 from outside interface
$ipfw add 10 deny log all from 10.0.0.0/8 to any in via ed1
$ipfw add 20 deny log logamount 10 all from 192.168.0.0/16 to any in via ed1
$ipfw add 30 deny log all from 172.16.0.0/12 to any in via ed1
# allow things out before nat rule
$ipfw add 50 pass all from any to any via lo0
# anything here is stuff you want to work even if natd is down
# (rules 80-84 accept new inbound TCP connections arriving on ed1: ssh from
# privileged source ports 1-1023, telnet from unprivileged source ports, and ident)
$ipfw add 80 pass tcp from any $LOPORT to any ssh in recv ed1 setup keep-state
$ipfw add 81 pass tcp from any $HIPORT to any telnet in recv ed1 setup keep-state
$ipfw add 84 pass tcp from any to any auth in recv ed1 setup keep-state
# nat rule--THIS IS IMPORTANT!!!
# (every packet crossing ed1 is handed to natd; natd re-injects it and
# processing continues at the next rule)
$ipfw add 100 divert natd all from any to any via ed1
# everything allowed
# (this passes all remaining traffic in both directions, so only rules 10-30
# actually block anything; rules 80-84 only matter if this rule is made stricter)
$ipfw add 200 pass all from any to any
---natd.conf----
dynamic yes             # follow the interface address when it changes (dynamic IP)
use_sockets yes         # allocate sockets for FTP data / IRC DCC translations
same_ports yes          # keep the original source port whenever possible
unregistered_only yes   # translate only packets with RFC 1918 (unregistered) source addresses
Hope this helps.
Eric
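The ruleset above ends with `pass all from any to any`, so apart from the RFC 1918 filter it forwards everything in both directions. The script below is an added example, not Eric's configuration or anything from the FreeBSD handbook verbatim: a default-deny ipfw + natd ruleset that orders the rules "divert in, check-state, skipto to divert out", so the state table is always consulted with the untranslated LAN addresses. It assumes the outside interface is ed1 as in the post, that the LAN interface is called ed0 (an assumption; the post never names it), and that the firewall itself should only be reachable from outside on ssh. By default it prints the rules; with APPLY=1 it flushes and loads them.

```shell
#!/bin/sh
# Added example (not the ruleset from the post): default-deny ipfw + natd.
# Assumptions not stated in the original message:
#   OIF=ed1  outside interface (the post's natd_interface)
#   IIF=ed0  inside (LAN) interface, name assumed
#   the firewall accepts ssh from the outside and nothing else
# Usage:  sh ipfw-nat.sh          # print the rules (dry run, default)
#         APPLY=1 sh ipfw-nat.sh  # flush and load them with /sbin/ipfw (root)

OIF="${OIF:-ed1}"   # outside interface, from the post
IIF="${IIF:-ed0}"   # inside interface: assumed name

# ruleset prints one "ipfw add ..." argument list per line so the rules can be
# reviewed before they are loaded.
ruleset() {
    # Trusted: the LAN side and loopback.
    echo "add 100 allow ip from any to any via $IIF"
    echo "add 110 allow ip from any to any via lo0"
    # RFC 1918 source addresses never legitimately arrive from outside.
    echo "add 200 deny log ip from 10.0.0.0/8 to any in via $OIF"
    echo "add 210 deny log ip from 172.16.0.0/12 to any in via $OIF"
    echo "add 220 deny log ip from 192.168.0.0/16 to any in via $OIF"
    # Inbound: un-NAT first, so check-state sees the real LAN addresses.
    echo "add 300 divert natd ip from any to any in via $OIF"
    echo "add 310 check-state"
    # Outbound from the LAN or the firewall: record the flow, then jump to NAT.
    # Replies later match these dynamic rules at 310 and inherit the skipto,
    # which is why rule 810 must let them through unconditionally.
    echo "add 400 skipto 800 tcp from any to any out via $OIF setup keep-state"
    echo "add 410 skipto 800 udp from any to any out via $OIF keep-state"
    echo "add 420 skipto 800 icmp from any to any out via $OIF icmptypes 8"
    # Services the outside may open on the firewall itself: ssh only.
    echo "add 500 allow tcp from any to me ssh in via $OIF setup keep-state"
    # ICMP needed for diagnostics and path MTU discovery:
    # echo reply, destination unreachable, time exceeded.
    echo "add 510 allow icmp from any to any in via $OIF icmptypes 0,3,11"
    # Anything else arriving from outside is dropped and logged.
    echo "add 600 deny log ip from any to any in via $OIF"
    # Outbound traffic that created no state above is dropped as well.
    echo "add 700 deny log ip from any to any out via $OIF"
    # Reached only through skipto: translate, then pass the packet (or the
    # state-matched reply that jumped here from rule 310).
    echo "add 800 divert natd ip from any to any out via $OIF"
    echo "add 810 allow ip from any to any"
}

# rule_count returns how many rules ruleset emits (sanity check before loading).
rule_count() {
    ruleset | wc -l | tr -d ' '
}

# apply flushes the running ruleset and loads the rules one by one.
apply() {
    /sbin/ipfw -q -f flush
    ruleset | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting into ipfw arguments is intended
        /sbin/ipfw -q $rule
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    ruleset
fi
```

When a packet does not get through, `ipfw -a list` shows the per-rule packet counters, which tells you at which rule the packet is being stopped; `ipfw -d list` adds the dynamic (keep-state) entries. Forwarding must be on (`sysctl net.inet.ip.forwarding` should print 1, which gateway_enable="YES" takes care of) and natd must be listening on its divert port before the divert rules can do anything.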
On Tuesday 06 February 2001 06:23 pm, Benjamin Ossei wrote:
> I've asked this question several times and no one has helped yet. If no
> one wants to help I can understand it. But I'm trying one last chance.
> I've read several books including all of the man pages etc. Still my NAT
> isn't working. I've used every configuration that I can find and tried
> several things. I still can not get to my machines behind the firewall. I
> don't know what else to do other than going back to something else. Anyway
> if anyone wants to give me a hand I can use it. natd diverts load up but
> I can't get past the FW.
>
> Thanks..
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message