From owner-freebsd-questions  Mon Jun  4  6:46:37 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83])
	by hub.freebsd.org (Postfix) with ESMTP id 53C8E37B401
	for <freebsd-questions@FreeBSD.ORG>; Mon,  4 Jun 2001 06:46:34 -0700 (PDT)
	(envelope-from nick@rogness.net)
Received: from localhost (nick@localhost)
	by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f54F4nr86443;
	Mon, 4 Jun 2001 10:04:49 -0500 (CDT)
	(envelope-from nick@rogness.net)
Date: Mon, 4 Jun 2001 10:04:49 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
X-Sender: nick@cody.jharris.com
To: tinnakorn kunasit <tinnakorn2000@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfirewall
In-Reply-To: <F99eKljq65Rn8P5o7P60000d21f@hotmail.com>
Message-ID: <Pine.BSF.4.21.0106040955140.86339-100000@cody.jharris.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Mon, 4 Jun 2001, tinnakorn kunasit wrote:

>  
> dear sir
>       I am install FreeBSD 4.2 but can not set firewall.
>  
>       In my system have 2 network card
>  
>                         rl0 203.151.42.62
>                         rl1 10.0.0.1

>             
>       I want to make ip masquerade forward ip from inside (rl1) to
> outside (rl0)
>       How I can make it?

>     
>  I tried to set
>     
> 1.   add options for ipfirewall and recompile kernel
>   
>             options IPFIREWALL
>             options IPDIVERT
>             options IPFIREWALL_VERBOSE
>             options IPFIREWALL_VERBOSE_LIMIT=100
>             options IPFIREWALL_DEFAULT_TO_ACCEPT
>  
>  2.   in /etc/service
>              natd     6668/divert
>  
> 3.   enable firewall line in /etc/rc.conf
>             firewall_enable="YES"
>             firewall_script="/etc/rc.firewall"
>               
> 4.  edit file /etc/rc.firewall
>              /sbin/ipfw -f flush
>              /sbin/ipfw -q add 100 pass all from any to any via lo0
>             /sbin/ipfw  -q add 200 pass all from any to 127.0.0.0/8
>             /sbin/ipfw  -q add 300 pass all from any to any

		This line (#300) should be after the divert line.

>  
>             /sbin/sysctl -n -w net.inet.ip.forwarding=1
>            /sbin/natd -l -d  auth -m -u  -n rl1 -dynamic

	Should be the rl0 interface, not rl1.  So "-n rl0"

>            /sbin/ipfw add divert natd all from any to any out
>            /sbin/ipfw add divert natd all from any to any in
>  
	This rule should be:

		add divert natd all from any to any via rl0


Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message