From owner-freebsd-questions Wed Jul 18 5:22:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dv-db.com (dv-db.com [207.159.141.95]) by hub.freebsd.org (Postfix) with ESMTP id BCCC037B401 for ; Wed, 18 Jul 2001 05:22:44 -0700 (PDT) (envelope-from mark@dvdnews.co.uk)
Received: from mark2 (host217-35-43-110.btopenworld.com [217.35.43.110]) by dv-db.com (8.9.3/8.9.3) with SMTP id NAA19506; Wed, 18 Jul 2001 13:22:27 +0100 (GMT/BST)
Message-ID: <002d01c10f84$4aa4d260$0200a8c0@mark2>
From: "Mark Hughes"
To: "Ceri", "Christoph Sold"
Cc:
References: <014d01c10ebc$fe3ee5e0$0200a8c0@mark2> <3B554F28.89960778@i-clue.de> <20010718122504.C22510@cartman.techsupport.co.uk>
Subject: Re: ppp -nat or natd?
Date: Wed, 18 Jul 2001 13:21:47 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Wed, Jul 18, 2001 at 10:56:08AM +0200, Christoph Sold said:
> > Mark Hughes wrote:
> > >
> > > I have a DSL connection, which uses PPPoA through a USB Alcatel Speedtouch
> > > "modem". I've got the modem working fine, I was just wondering if there are
> > > any benefits to switching to use natd rather than ppp -nat to gate the
> > > connection to my network of four Windows clients?
> >
> > The only reason I can think of would be if you want to use ipfw, too.
> > Anyhow, having an external dynamic IP combined with ipfw would be a
> > major hassle.
>
> Why?
> Can't you just use the -u and -dynamic flags to natd and use the interface
> name in your ipfw ruleset?
>
> I'm not having a go, but I'm going to be in this situation soon and that was
> my plan. Will it not work?
Hmmmmm... now, I am already using IPFW - is this bad? It seems to be working fine for me right now (aside from some MSN Messenger issues, which I've got to sort out). I've attached my IPFW ruleset and ppp.conf bits, if anyone is interested in pointing out anything I may have done wrong.

Thanks,
Mark

-----

ppp.conf
========

default:
 allow users *
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK \\dATDT\\T TIMEOUT 40 CONNECT"

adsl:
 accept chap
 set device localhost:17071/udp
 set authname xxxxxxxxx
 set authkey yyyyyyyy
 set timeout 0
 set reconnect 3 1000
 set dial ""
 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
 add default HISADDR
 enable dns
 nat enable yes
 nat port tcp 192.168.0.2:3351 3351
 nat port udp 192.168.0.2:7777 7777
 nat port udp 192.168.0.2:7778 7778
 nat port udp 192.168.0.2:7779 7779
 nat port udp 192.168.0.2:29800 29800

ipfw.rules
==========

#allow all traffic on the internal network interface as it's nice and trusted
add 00400 allow all from any to any via rl0

#allow all rule for testing only
#add 00401 allow all from any to any via tun0

#stateful tcp port opening for internet traffic
add 00500 check-state
add 00501 allow tcp from any to any out setup keep-state via tun0

#HTTP
add 00502 pass tcp from any to any 80 in setup keep-state via tun0
#SSH
add 00503 pass tcp from any to any 22 in setup keep-state via tun0
#FTP
add 00504 pass tcp from any to any 21 in setup keep-state via tun0
add 00505 pass tcp from any 20 to any 1024-65535 setup

#port for laptop for whatever
add 00506 pass tcp from any to any 3351 via tun0 setup

#unreal tourney
add 00507 pass udp from any to any 7777 in via tun0
add 00508 pass udp from any to any 7777 out via tun0
add 00509 pass udp from any to any 7778 in via tun0
add 00510 pass udp from any to any 7778 out via tun0
add 00511 pass udp from any to any 7779 in via tun0
add 00512 pass udp from any to any 7779 out via tun0
add 00513 pass udp from any to any 29800 in via tun0
add 00514 pass udp from any to any 29800 out via tun0

#default deny incoming connections
add 00550 deny tcp from any to any in established via tun0

#allow certain udp things in/out
#DNS
add 00700 pass udp from any to 213.120.62.99 53
add 00701 pass udp from 213.120.62.99 53 to any
add 00702 pass udp from any to 213.120.62.100 53
add 00703 pass udp from 213.120.62.100 53 to any

#allow outgoing pings
#add 00800 pass icmp from any to any icmptypes 8 out via tun0
#add 00801 pass icmp from any to any icmptypes 0 in via tun0
add 00802 pass icmp from any to any icmptypes 0,3,4,8,11,12 via tun0
#..but deny all other packets
add 00803 deny icmp from any to any

#deny outside broadcasts
add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via tun0

#deny outside SMB monkeys
add 64000 deny log udp from any to any 137-139 via tun0

#reject'n'log other connections from outside interface
add 65000 deny log ip from any to any via tun0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
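An added worked example (not Mark's configuration and not from anyone in the thread) of the natd route Ceri asks about: the same port forwards as the ppp.conf above, expressed with natd's -dynamic and -u flags and an interface-based ipfw divert. It assumes a FreeBSD 4.x kernel built with options IPFIREWALL and IPDIVERT, the rc.conf knobs of that release, the natd.conf long-option spellings, and that outbound UDP is generalised to keep-state rather than Mark's per-resolver rules.

```conf
# /etc/rc.conf (FreeBSD 4.x knobs, assumed): natd replaces ppp's built-in NAT,
# so "nat enable yes" and the "nat port" lines come out of ppp.conf.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="tun0"            # -n tun0: address taken from the interface, not fixed
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
dynamic yes                      # re-read tun0's address when PPP renumbers it
unregistered_only yes            # -u: translate only RFC 1918 source addresses
redirect_port tcp 192.168.0.2:3351 3351
redirect_port udp 192.168.0.2:7777 7777
redirect_port udp 192.168.0.2:7778 7778
redirect_port udp 192.168.0.2:7779 7779
redirect_port udp 192.168.0.2:29800 29800

# /etc/ipfw.rules (loaded by rc.firewall as "ipfw /etc/ipfw.rules")
# Inbound packets are un-NATed first, so every later rule and check-state
# sees the LAN host's 192.168.0.x address rather than the public one.
add 00050 divert natd ip from any to any in via tun0
add 00400 allow ip from any to any via rl0
add 00500 check-state
# Outbound: record state on the still-private source, then jump to the
# outbound divert. A plain "allow" here ends rule processing before
# translation and the packet would leave with a 192.168.0.x source.
add 00501 skipto 65100 tcp from any to any out setup keep-state via tun0
add 00502 skipto 65100 udp from any to any out keep-state via tun0
add 00503 skipto 65100 icmp from any to any out icmptypes 8 via tun0
# Forwarded services: already un-NATed, so match the LAN host directly.
# These keep-state rules must also skipto, because the reply packets
# reuse this rule's action and still have to pass the outbound divert.
add 00506 skipto 65100 tcp from any to 192.168.0.2 3351 in setup keep-state via tun0
add 00507 skipto 65100 udp from any to 192.168.0.2 7777-7779 in keep-state via tun0
add 00508 skipto 65100 udp from any to 192.168.0.2 29800 in keep-state via tun0
add 00802 allow icmp from any to any in icmptypes 0,3,4,11,12 via tun0
add 64000 deny log udp from any to any 137-139 via tun0
add 65000 deny log ip from any to any via tun0
# Numbered after the final deny so they are reached only through skipto:
# translate the outbound packet, then let it (or an un-NATed reply) through.
add 65100 divert natd ip from any to any out via tun0
add 65110 allow ip from any to any
```

Placing the outbound divert before the stateful rules instead would key the dynamic rules on the public address, so un-NATed replies would miss check-state and fall through to the final deny.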