Date: Mon, 17 May 1999 13:49:31 -0700 (PDT)
From: Doug White <dwhite@resnet.uoregon.edu>
To: daniel B <danielb@pacex.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: natd and ipfw woes!
Message-ID: <Pine.BSF.4.03.9905171347080.15052-100000@resnet.uoregon.edu>
In-Reply-To: <Pine.BSF.3.96.990515103645.7756A-100000@almazs.pacex.net>
On Sat, 15 May 1999, daniel B wrote:

> Hi list; Please read this, you may have the key to end my grief!
>
> I have a network that looks like this:
>
> Internet-----[ router ]---[ep1 firewall/gateway ep0]---[ LAN ]
>
> router=204.1.215.219---ep1=204.1.215.131----ep0=10.0.0.1---LAN= real IPs
>
> ep1 is external interface with real IP
> ep0 is internal interface with dummy IP; can't have two nics in the same
> subnet so I gave it a fake IP which the outside won't notice.

Wrong.

> all machines in the LAN have real IPs
> Everything is in the same subnet /27
> I am trying to use ipfw with natd on a fbsd 3.1-R firewall/gateway

Er, the LAN doesn't need real IPs if you're using NAT. Based on your
config they should have 10.0.0.X IPs.

> Kernel configured for:
> options IPFIREWALL_VERBOSE
> options BRIDGE
> options IPDIVERT

You need options IPFIREWALL too.

> sysctl setup:
> net.inet.ip.forwarding=1
> net.link.ether.bridge=0       # not sure what the relevance is here
> net.link.ether.bridge_ipfw=0  # same here, is this relevant to my setup?

Don't touch, you're not bridging.

> /etc/rc.conf
> gateway_enable=YES
> firewall_enable=YES
> natd_enable=YES
> firewall_type=open
>
> FIREWALL RULES:
> $fwcmd add 201 divert natd all from any to any via ep1
> $fwcmd add 202 pass all from any to any
>
> /etc/services ----> natd 8668/divert
>
> I want my inside LAN machines to keep their real IPs and want to firewall
> them from the outside world.

Then don't run NAT and assign your internal LAN interface an address out
of their pool. This is a non-trivial setup. Your box is now acting as a
router, and your ISP must route those networks down to you. You should
contact your ISP for information before proceeding.

If you're using NAT to run the LAN with fake addresses, then you should
let your ISP know they don't need to route those addresses anymore.
Doug White                    | Internet: dwhite@resnet.uoregon.edu
FreeBSD: The Power to Serve   | http://gladstone.uoregon.edu/~dwhite | www.freebsd.org
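[Editor's note: the script below is an added example and is not part of
the original message or of FreeBSD's own rc scripts. It shows the NAT
variant Doug describes in his last paragraph: the LAN renumbered to
private addresses, natd diverting on ep1, and a deny-by-default ruleset
in place of "firewall_type=open". The interface names ep1/ep0 and the
10.0.0.1 gateway address come from the post; the /24 prefix, the rule
numbers, the rule set itself and the rc.conf knobs named in the comments
are assumptions.]

```shell
#!/bin/sh
# Added example (not from the thread): a stateless ipfw + natd ruleset
# for a FreeBSD 3.x NAT gateway.  Assumed companion settings:
#
#   kernel:   options IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT (drop BRIDGE)
#   rc.conf:  gateway_enable="YES"  firewall_enable="YES"
#             firewall_type="/etc/ipfw.rules"   (assumed: file of rules)
#             natd_enable="YES"     natd_interface="ep1"  (assumed knob)
#
# where /etc/ipfw.rules holds the output of natd_ruleset below.

EXT_IF=${EXT_IF:-ep1}            # outside interface, public address (from post)
INT_IF=${INT_IF:-ep0}            # inside interface, 10.0.0.1 (from post)
LAN_NET=${LAN_NET:-10.0.0.0/24}  # private LAN; /24 is an assumption
FWCMD=${FWCMD:-/sbin/ipfw}       # FWCMD=echo to dry-run on a non-FreeBSD box

# Print the ruleset, lowest number first, in the "add ..." form that
# both "ipfw <rule>" and "ipfw <file>" accept.  Ordering matters: a
# packet diverted to natd is reinjected right after the divert rule with
# its address already rewritten, so rules after 400 see 10.0.0.x on the
# way in and the public address on the way out.
natd_ruleset() {
    ext=$1
    int=$2
    lan=$3
    cat <<EOF
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny all from $lan to any in via $ext
add 400 divert natd all from any to any via $ext
add 500 pass all from any to any via $int
add 600 pass all from any to any out via $ext
add 700 pass tcp from any to any in via $ext established
add 800 pass udp from any 53 to any in via $ext
add 900 pass icmp from any to any in via $ext icmptypes 0,3,11
add 65000 deny log all from any to any
EOF
}
# 300: outside packets claiming a LAN source are spoofed.
# 500/600: LAN side and everything already NAT'd outbound are allowed.
# 700: replies to connections the LAN opened (stateless: no keep-state in 3.x).
# 800: DNS answers; the stateless compromise for UDP.
# 900: echo reply, unreachable, time exceeded, so traceroute/PMTU still work.
# 65000: everything else, inbound SYNs included, is dropped and logged.

# Load the ruleset into the kernel: flush, then add rule by rule.
# $rule is deliberately unquoted so ipfw receives the words separately.
apply_ruleset() {
    $FWCMD -f flush
    natd_ruleset "$EXT_IF" "$INT_IF" "$LAN_NET" | while read -r rule; do
        $FWCMD $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run as "./natd-rules.sh apply" on the gateway, or "FWCMD=echo
./natd-rules.sh apply" anywhere to see what would be loaded. Note what
goes wrong if the divert rule sits after the pass rules, as in the
posted 201/202 pair with "firewall_type=open": the open ruleset passes
everything, so the divert never filters anything and unsolicited
inbound connections to the public address reach the box. Note also why
rule 600 says "from any" rather than "from 10.0.0.0/24": by the time an
outbound packet reaches it, natd has already rewritten the source to
204.1.215.131.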
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.03.9905171347080.15052-100000>