From owner-freebsd-questions@FreeBSD.ORG Fri Dec 22 02:15:02 2000
From: "arash nezhad"
To: freebsd-questions@freebsd.org
Subject: ipfw, nat, gateway problems
Date: Fri, 22 Dec 2000 20:45:02 +1030
X-Originating-IP: [202.12.71.6]

Hi,

OK, here it is. I thought it would be best to give you my entire setup and the contents of all my files, as it would make it easier that way.

Now, I've compiled my kernel with the following options:

    options IPFIREWALL
    options IPDIVERT
    options TCP_DROP_SYNFIN
    options TCP_RESTRICT_RST
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100

I originally had also added:

    options IPFIREWALL_DEFAULT_TO_ACCEPT

But being the very paranoid person I am, I wanted to make a default-deny firewall and only allow the services I wanted in and out.

For setting up the basic network, I consulted the "Pedantic PPP Primer" at http://www.freebsd.org/tutorials/ppp/index.html

This worked originally with default-to-accept in the kernel, and packets were routed from my gateway to my workstation, so I was able to utilise 'ppp -nat myisp' in doing this. But I did not have a firewall at the time, as I wanted to make sure the NAT packet diverting would work, and it did eventually.
Now, the contents of my /etc/rc.conf file are as follows:

    hostname="curly.my.domain"   # same as the example in the tutorial
    # Enable network daemons for user convenience.
    # -- sysinstall generated deltas -- #
    sendmail_enable="YES"
    sshd_enable="YES"
    portmap_enable="NO"
    nfs_server_enable="NO"
    inetd_enable="NO"
    usbd_enable="NO"
    gateway_enable="YES"
    network_interfaces="ed1 lo0"
    ifconfig_lo0="inet 127.0.0.1"
    ifconfig_ed1="inet 192.168.1.1 255.255.255.0"
    firewall_enable="YES"
    firewall_quiet="YES"
    firewall_type="/etc/firewall/fwrules"
    kern_securelevel="1"
    kern_securelevel_enable="YES"

Here is my ruleset as in /etc/firewall/fwrules:

    add 00200 allow ip from any to any via lo0
    add 00201 allow ip from any to any via ed1
    add 00203 allow ip from any to any out via tun0
    add 00204 pass all from any to any out via tun0
    add 00205 pass all from any to any via ed1
    add 00206 pass tcp from any to any established
    add 00210 pass tcp from any to any out via tun0
    add 00310 allow tcp from 203.173.250.4 to any in recv tun0
    add 00311 allow tcp from 203.173.250.2 to any in recv tun0
    add 00320 allow tcp from any to any 21 in recv tun0 setup
    add 00321 allow tcp from any to any 23 in recv tun0 setup
    add 00333 allow tcp from any to any 113 in recv tun0 setup
    add 00400 allow udp from 203.173.250.4 to any in recv tun0
    add 00401 allow udp from 203.173.250.2 to any in recv tun0
    add 00600 allow icmp from 203.173.250.4 to any in recv tun0
    add 00601 allow icmp from 203.173.250.2 to any in recv tun0
    add 00610 allow log icmp from any to any in recv tun0 icmptype 3
    add 00611 allow icmp from any to any out recv tun0 icmptype 3
    add 00612 allow log icmp from any to any in recv tun0 icmptype 8
    add 00613 allow icmp from any to any out recv tun0 icmptype 8
    add 00614 allow log icmp from any to any in recv tun0 icmptype 0
    add 00615 allow icmp from any to any out recv tun0 icmptype 0
    add 00700 deny log all from any to any

Also, 203.173.250.4 and 203.173.250.2 are my ISP's DNS server IPs.

I guess once the ruleset is fixed up I would also need a rule to get ICQ/IRC and IRC DCC to work, so if you could fill me in on those that would be great, thanks.

When I type 'ipfw list' I see pretty much the same thing, except for "log logamount" in the place of "log". I also have "add 00200 deny ip from any to 127.0.0.0/8", which I did not add myself. I guess that's normal.

Contents of /etc/hosts:

    127.0.0.1    localhost localhost.my.domain
    192.168.1.1  curly curly.my.domain   # gateway/router box
    192.168.1.2  larry larry.my.domain   # FreeBSD box

Here are the contents of my /etc/ppp/ppp.conf:

    default:
     ident user-ppp VERSION (built COMPILATIONDATE)
     set device /dev/cuaa0
     set log Phase Chat LCP IPCP CCP tun command
     set speed 115200
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"
     disable pred1
     deny pred1
     disable lqr
     deny lqr
     set timeout 0
     set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
     add 0 0 127.2.2.2
     add default HISADDR
     enable dns

    myisp:
     set phone 11111111
     set authname username
     set authkey password
     set timeout 0
     set openmode active
     accept chap
     set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
     add 0 0 127.2.2.2

Also, for the sake of completeness, my /etc/resolv.conf file has:

    nameserver 203.173.250.4
    nameserver 203.173.250.2

When I want to connect I would normally do:

    curly# ppp -nat myisp
    curly# dial myisp

That will get me connected, but that's about all it does. I try 'ping ihug.com.au' (my ISP) and I get nothing. It used to work with the default-accept option in the kernel; obvious, I guess. I can ping inside boxes like curly and larry, and localhost.

Because this is a bare-bones router box with just the kernel and bin files, there's not a lot else I can do, I believe.

Thanks again, merry Christmas.

Regards,
Arash
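An added example, not code from the post or from FreeBSD itself: a small Python simulator of ipfw's first-match evaluation for the subset of syntax the ruleset above uses (actions, protocol, from/to addresses, a destination port, in/out, via/recv/xmit, established, setup, icmptype). It embeds a constructed subset of that ruleset, including the 127.0.0.0/8 line rc.firewall adds on its own and which showed up in 'ipfw list', and walks a few packets through it. The interface semantics it applies are the ones ipfw(8) documents: 'via' tests either interface, 'recv' only the receive interface, 'xmit' only the transmit interface, and a packet the gateway generates itself has no receive interface. The tun0 address 192.0.2.10 and the remote host 198.51.100.7 are placeholders, since the post does not give the ISP-assigned address.

```python
"""First-match simulator for the subset of ipfw(8) syntax used in the post's ruleset."""
import ipaddress
from dataclasses import dataclass

# Constructed subset of the post's ruleset, in load order. The 127.0.0.0/8 line is
# the one rc.firewall adds by itself (it appeared in 'ipfw list'); the post's
# 'tcmptype' is spelled icmptype here.
RULESET = """
add 00200 deny ip from any to 127.0.0.0/8
add 00200 allow ip from any to any via lo0
add 00201 allow ip from any to any via ed1
add 00203 allow ip from any to any out via tun0
add 00206 pass tcp from any to any established
add 00320 allow tcp from any to any 21 in recv tun0 setup
add 00400 allow udp from 203.173.250.4 to any in recv tun0
add 00613 allow icmp from any to any out recv tun0 icmptype 8
add 00614 allow log icmp from any to any in recv tun0 icmptype 0
add 00700 deny log all from any to any
"""

@dataclass
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    direction: str        # 'in' or 'out'
    recv: str = None      # receive interface; None when the gateway generated the packet
    xmit: str = None      # transmit interface; None when the packet is addressed to the gateway
    dport: int = None
    icmptype: int = None
    syn: bool = False
    ack: bool = False

def parse_rule(line):
    """Parse 'add N action [log [logamount M]] proto from S to D [port] opts...' into a dict."""
    tok = line.split()
    if tok[0] != 'add':
        raise ValueError(f'unsupported line: {line!r}')
    rule, i = {'number': int(tok[1]), 'action': tok[2], 'dport': None}, 3
    if tok[i] == 'log':
        i += 3 if tok[i + 1] == 'logamount' else 1    # 'ipfw list' prints 'log logamount N'
    rule['proto'], i = tok[i], i + 1
    if tok[i] != 'from' or tok[i + 2] != 'to':         # source ports are not used in these rules
        raise ValueError(f'unsupported address form in rule {rule["number"]}')
    rule['src'], rule['dst'], i = tok[i + 1], tok[i + 3], i + 4
    if i < len(tok) and tok[i].isdigit():
        rule['dport'], i = int(tok[i]), i + 1
    opts = rule['opts'] = {}
    while i < len(tok):
        t = tok[i]
        if t in ('via', 'recv', 'xmit', 'icmptype'):
            opts[t], i = tok[i + 1], i + 2
        elif t in ('in', 'out', 'established', 'setup'):
            opts[t], i = True, i + 1
        else:
            raise ValueError(f'unsupported keyword {t!r} in rule {rule["number"]}')
    return rule

def addr_match(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """True if pkt satisfies every condition of rule, following ipfw(8) semantics."""
    o = rule['opts']
    if rule['proto'] not in ('ip', 'all', pkt.proto):
        return False
    if not (addr_match(rule['src'], pkt.src) and addr_match(rule['dst'], pkt.dst)):
        return False
    if rule['dport'] is not None and pkt.dport != rule['dport']:
        return False
    if ('in' in o and pkt.direction != 'in') or ('out' in o and pkt.direction != 'out'):
        return False
    # 'via' tests either interface, 'recv' only the receive side, 'xmit' only the transmit
    # side. A packet the gateway generates has no receive interface, so 'out recv tun0' never matches it.
    if 'via' in o and o['via'] not in (pkt.recv, pkt.xmit):
        return False
    if ('recv' in o and o['recv'] != pkt.recv) or ('xmit' in o and o['xmit'] != pkt.xmit):
        return False
    # 'established' is modelled as ACK set; 'setup' is SYN without ACK
    if ('established' in o and not pkt.ack) or ('setup' in o and not (pkt.syn and not pkt.ack)):
        return False
    if 'icmptype' in o and str(pkt.icmptype) != o['icmptype']:
        return False
    return True

def first_match(rules, pkt):
    """ipfw walks rules by ascending number and the first hit wins; sorted() keeps load order for ties."""
    for rule in sorted(rules, key=lambda r: r['number']):
        if matches(rule, pkt):
            return rule
    return None

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
TUN_ADDR = '192.0.2.10'   # constructed stand-in for the address the ISP assigns to tun0

if __name__ == '__main__':
    req = Packet('icmp', TUN_ADDR, '203.173.250.4', 'out', xmit='tun0', icmptype=8)  # the gateway's own ping
    rule_613 = next(r for r in RULES if r['number'] == 613)
    print('echo request out ->', first_match(RULES, req)['number'], '; rule 613 alone:', matches(rule_613, req))
    print('echo reply in    ->', first_match(RULES, Packet('icmp', '203.173.250.4', TUN_ADDR, 'in', recv='tun0', icmptype=0))['number'])
    print('SYN to port 25   ->', first_match(RULES, Packet('tcp', '198.51.100.7', TUN_ADDR, 'in', recv='tun0', dport=25, syn=True))['action'])
    print('larry to a web server, entering on ed1 ->',
          first_match(RULES, Packet('tcp', '192.168.1.2', '198.51.100.7', 'in', recv='ed1', xmit='tun0', dport=80, syn=True))['number'])
```

Running it shows the gateway's own echo request being accepted by the catch-all rule 203 (out via tun0) rather than by 613, whose 'recv tun0' qualifier can never be satisfied by a locally generated packet; an unsolicited SYN from outside falls through to the final deny, and a packet from larry entering on ed1 is accepted by 201 before any tun0 rule is consulted.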