From: Philip Kizer <pckizer@nostrum.com>
To: Donald Burr of Borg
cc: freebsd-net@freebsd.org
cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Tue, 02 Sep 2003 16:45:36 -0500
Subject: Re: Need help with strange routing situation
Message-Id: <200309022145.h82LjaPb047363@magus.nostrum.com>
In-reply-to: Your message of "Tue, 02 Sep 2003 12:36:29 PDT." <20030902123500.E23798@borg-cube.com>

Donald Burr of Borg wrote: [Description of:]
>Our gateway machine and server gets its own IP, IP A.
>My desktop machine is hooked up via ethernet. It should get IP B.
>Same thing as above for my roomie's desktop, except it gets IP C.
>[all else] Ideally I'd like them to be NAT'ted behind IP A

Not really that strange a routing situation, and definitely pretty easy;
here's one possible way:

# KERNCONF, make sure you have:
options IPFILTER                #ipfilter support

# rc.conf settings:
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipnat_enable="YES"              # Set to YES to enable ipnat functionality

# ipnat.rules example [change $variables to match your numbers]:
bimap $ext_eth $IP_B_INT/32 -> $IP_B/32         # your desktop
bimap $ext_eth $IP_C_INT/32 -> $IP_C/32         # roomie's desktop
map $ext_eth $INT_NET/16 -> 0/32 proxy port ftp ftp/tcp
map $ext_eth $INT_NET/16 -> 0/32 portmap tcp/udp auto
map $ext_eth $INT_NET/16 -> 0/32

# ipf.rules incomplete example [many $variables to change]:
### Put whatever default 'quick' blocks you want, RFC1918, anti-spoofing, etc.
### Hopefully your ISP has sane edge rules and would block them, but
### definitely put RFC1918 blocks in here too, to keep your private-address
### space from ever leaking out to your provider or the Internet.
block out log quick on $ext_eth from 192.168.0.0/16 to any
### etc...

### Then default to blocking:
block in log on $ext_eth
block return-rst in on $ext_eth proto tcp from any to any
block return-icmp-as-dest(port-unr) in on $ext_eth proto udp from any to any
block return-icmp-as-dest in on $ext_eth proto icmp from any to any

### Allow out everything and keep state on it:
pass out quick on $ext_eth proto tcp from $EXT_NET/28 to any flags S keep state
pass out quick on $ext_eth proto udp from $EXT_NET/28 to any keep state
pass out quick on $ext_eth proto icmp from $EXT_NET/28 to any keep state

# Allow state-capable ICMP in, add/etc as needed:
pass in quick on $ext_eth proto icmp from any to any icmp-type echo keep state

### Allow services for desktop B
pass in quick on $ext_eth proto tcp from any to $IP_B port = 22 flags S keep state
pass in quick on $ext_eth proto tcp from any to $IP_B port = $YOUR_PROTOCOLS flags S keep state
### Ditto for C
...
### Put some rules to allow local-net to talk to the gateway and vice versa
...

There are a lot more examples to be found in:

  /usr/share/examples/ipfilter
  http://coombs.anu.edu.au/~avalon/
  http://www.phildev.net/ipf/
  http://www.obfuscation.org/ipf/

Once you get into it and begin working on your own rules to meet your needs,
tcpdump is your best friend; don't forget "-i" to be sure what is being sent
and received on each interface so you can compare it with the firewall and
NAT rules. Just use typical problem-solving methods: slowly building it up
from one working system to the whole set is the way to go, and change as few
variables at a time as you can.

-p
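An added consistency check, not code from Philip's message: with the $variables of ipnat.rules and ipf.rules filled in (the interface name fxp0, the 192.168.0.0/16 inside net and the 198.51.100.16/28 outside block below are constructed sample values), it flags a bimap with no matching pass-in rule, which the default block would silently drop, and a pass-in rule for an outside address that is not bimapped, which nothing forwards to a desktop. Those are the two mismatches that otherwise only show up when comparing tcpdump on each interface.

```python
import ipaddress
import re

# Constructed sample files: the message's $variables filled in with made-up
# values (interface fxp0, RFC1918 inside, documentation range outside).
IPNAT_RULES = """\
bimap fxp0 192.168.1.10/32 -> 198.51.100.18/32
bimap fxp0 192.168.1.11/32 -> 198.51.100.19/32
map fxp0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.0.0/16 -> 0/32
"""
IPF_RULES = """\
block in log on fxp0
pass in quick on fxp0 proto tcp from any to 198.51.100.17 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to 198.51.100.18 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to 198.51.100.20 port = 22 flags S keep state
"""
BIMAP_RE = re.compile(r"^bimap\s+\S+\s+(\S+)\s+->\s+(\S+)")
PASS_IN_RE = re.compile(r"^pass\s+in\b.*\bto\s+(\d+\.\d+\.\d+\.\d+)\b")


def bimaps(ipnat_text):
    """Return {external_ip: internal_ip} for each bimap rule."""
    table = {}
    for line in ipnat_text.splitlines():
        m = BIMAP_RE.match(line.strip())
        if m:
            internal = ipaddress.ip_interface(m.group(1)).ip
            external = ipaddress.ip_interface(m.group(2)).ip
            table[external] = internal
    return table


def check(ipnat_text, ipf_text, ext_net, int_net, gateway_ip):
    """List mismatches between the NAT table and the inbound filter rules."""
    ext_net, int_net = ipaddress.ip_network(ext_net), ipaddress.ip_network(int_net)
    gateway_ip = ipaddress.ip_address(gateway_ip)  # IP A: reachable without a bimap
    nat, passed, problems = bimaps(ipnat_text), set(), []
    for ext, internal in nat.items():
        if ext not in ext_net or internal not in int_net:
            problems.append(f"bimap {internal} -> {ext} is outside the expected nets")
    for line in ipf_text.splitlines():
        m = PASS_IN_RE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_address(m.group(1))
        passed.add(dst)
        if dst != gateway_ip and dst not in nat:
            problems.append(f"pass in to {dst}: no bimap, so nothing forwards it inside")
    for ext in nat:
        if ext not in passed:
            problems.append(f"bimap to {ext}: no pass-in rule, default block drops it")
    return problems
```

Run it as `check(IPNAT_RULES, IPF_RULES, "198.51.100.16/28", "192.168.0.0/16", "198.51.100.17")`; on the sample it reports the stray pass-in for .20 and the unreachable bimap for .19.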