From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 23:14:22 2007
Message-ID: <46118E35.6060003@vwsoft.com>
Date: Tue, 03 Apr 2007 01:13:57 +0200
From: Volker
To: Moisa Teodor
Cc: freebsd-pf@freebsd.org
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
In-Reply-To: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
Subject: Re: home multipurpose gateway/router/server setup help
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
On 12/23/-58 20:59, Moisa Teodor wrote:
> I wanted to set up a multipurpose server/gateway/router with an old PC, but
> ran into some trouble.
> I have an internet connection from a local ISP (it's not cable or ADSL, it's
> ethernet) and a couple of home computers. The ISP has a
> little program that needs to run continuously in the background (it connects
> to one of my ISP's servers on port 2400).
> If that program does not run, I cannot go through the ISP's gateway.
> In the past I had another box with Smoothwall Linux, but the motherboard
> crashed. Anyway, on that box I was able to do the trick.
> I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
> run the ISP's software and I have internet access. Good. But I want to share
> this internet connection with my home LAN. I read somewhere that I need to
> recompile the kernel and enable packet filtering and firewall (the tutorial
> I used is located here: http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
> However, when I reboot with the new kernel I cannot connect to any network,
> neither the ISP's nor my home LAN.
> I want to use this box as a gateway/router/firewall for my home LAN, and
> also run some services like a web server for my projects, etc.
>
> Thanks a lot for your help, and keep up the good work
> Doru Moisa

Doru,

unfortunately you've taken a rather old how-to for your setup. Of course you may go with IPFILTER (IPFW) firewalling, but I would recommend using pf.

If you want to go with IPFW, you have to keep in mind it defaults to deny traffic. If you don't activate a (correct) ruleset, all traffic is blocked. The last time I used IPFW was about 2 or 3 years ago, so my memory about that is currently somewhat limited. I think the default-to-deny is your problem. You may check that out by temporarily disabling IPFW (using `ipfw disable firewall').
If you want to go with pf as your firewalling solution (a modern, high quality firewall), all you need to do is use a GENERIC kernel and kldload pf.ko, write your ruleset, load it (by `pfctl -f ...'), and you're done. As you want to use your box as a router for your home LAN, you may also want to set gateway_enable="YES" in /etc/rc.conf, which will set sysctl net.inet.ip.forwarding=1 so your box will act as a router.

HTH,
Volker
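A minimal /etc/pf.conf for the gateway setup Volker describes (NAT for the home LAN, default deny, the ISP's port 2400 login client allowed out), added here as an example and not part of the thread. It assumes sis0 faces the ISP and pcn0 faces a home LAN on 192.168.1.0/24; both are guesses to adjust to the real layout.

```pf
# Added example, not from the original thread. Interface roles and the
# LAN subnet below are assumptions; change them to match your box.
ext_if  = "sis0"            # assumed: the ISP-facing card
int_if  = "pcn0"            # assumed: the home-LAN card
lan_net = "192.168.1.0/24"  # assumed: home LAN addresses
isp_port = "2400"           # port the ISP's background client talks to

set skip on lo0
scrub in all

# Hide the LAN behind whatever address the external interface currently has.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny: only traffic explicitly passed below gets through.
block all

# Let the gateway itself talk out, which covers the ISP's keep-alive client
# on port $isp_port as well as DNS, updates and so on.
pass out on $ext_if proto tcp from ($ext_if) to any port $isp_port keep state
pass out on $ext_if from ($ext_if) to any keep state

# Let LAN hosts reach the gateway and, through NAT, the internet.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Expose the web server mentioned in the original mail, if you run one.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state
```

Enable it with pf_enable="YES", pf_rules="/etc/pf.conf" and gateway_enable="YES" in /etc/rc.conf; `pfctl -nf /etc/pf.conf' checks the syntax without loading and `pfctl -sr' shows what is actually loaded.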