Date:      Wed, 01 Mar 2000 10:41:04 -0500
From:      yves@radicaux-libres.qc.ca (Yves Berthiaume)
To:        cjclark@home.com, Bhishan Hemrajani <bhishan@cytosine.dhs.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Problem with IP aliasing
Message-ID:  <v02130501b4e2e4d20327@[192.168.0.3]>

At 12:26 AM 3/1/00, Crist J. Clark wrote:

>> Also, you should be starting natd like this:
>> natd -n xl1
>
>If he is using the stock rc.firewall, he is fine if he has,
>
>  natd_enable="YES"
>  natd_interface="xl1"
>
>Set in his rc.conf.

Here's my rc.conf file

# -- sysinstall generated deltas -- #
ifconfig_xl0="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_xl1="inet 207.236.242.12 netmask 255.255.255.240"
ifconfig_xl1_alias0="inet 207.236.242.5 netmask 0xffffffff0"
moused_port="/dev/psm0"
moused_enable="NO"
defaultrouter="207.236.242.1"
network_interfaces="xl1 xl0 lo0"
hostname="priscilla.ironhorsemultimedia.com"
gateway_enable="YES"
inetd_enable="YES"              # Enable INETD Super-Daemon
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="xl1"            # Public interface to use with natd.
natd_flags="-s -m"                   # Additional flags for natd.
named_enable="NO"               # Run named, the DNS server (or NO).
named_program="named"           # path to named, if you want a different one.
named_flags=""                  # Flags for named
nfs_client_enable="NO"          # This host is an NFS client (or NO).
nfs_client_flags="-n 4"         # Flags to nfsiod (if enabled).
nfs_access_cache="2"            # Client cache timeout in seconds
nfs_server_enable="NO"          # This host is an NFS server (or NO).
nfs_server_flags="-u -t -n 4"   # Flags to nfsd (if enabled).
mountd_flags="-r"               # Flags to mountd (if NFS server enabled).
nfs_reserved_port_only="NO"     # Provide NFS only on secure port (or NO).
rpc_lockd_enable="NO"           # Run NFS rpc.lockd (*broken!*) if nfs_server.
rpc_statd_enable="YES"          # Run NFS rpc.statd if nfs_server (or NO).
portmap_enable="YES"            # Run the portmapper service (or NO).
portmap_flags=""                # Flags to portmap (if enabled).
lpd_enable="NO"         # Run the line printer daemon.
sendmail_enable="YES"   # Run the sendmail daemon (or NO).
sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
clear_tmp_enable="YES"  # Clear /tmp at startup.
update_motd="YES"       # update version info in /etc/motd (or NO)




>
>However, his configuration of xl1 is definitely wrong,
>
>  ifconfig_xl1="inet 207.236.242.12 netmask 255.255.255.240"
>  ifconfig_xl1_alias0="inet 207.236.242.5 netmask 0xffffffff0"
>                                                  ^^^^^^^^^^^
>You've got an eight-and-a-half byte number there? :) It should read,
>0xffffffff (or 255.255.255.255).
>
>Please post _complete_ rc.conf and rc.firewall.
>--
>Crist J. Clark                           cjclark@home.com

Here's my rc.firewall file. Take note that I'm taking over somebody else's
job, and he made some very strange settings, especially in the UDP section... And
most of it is undocumented.

Also I'm not using named or ntp on this server... So far it hasn't been a
problem.

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the insi$
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="xl1"
    onet="207.236.242.0"
    omask="255.255.255.240"
    oip="207.236.242.12"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.1"

    # Deactivate firewall and let all traffic through for internal interface
    $fwcmd add pass all from any to any in via ${iif}

    # Allow all internal traffic

    $fwcmd add pass all from ${inet}:${imask} to any
    $fwcmd add pass all from any to ${inet}:${imask}
    $fwcmd add pass all from ${oip} to any

    # UDP Section

    # Deny external netbios connections
    $fwcmd -q add deny udp from any 137 to any in via ${oif}
    $fwcmd -q add deny udp from any to any 137 in via ${oif}

    # allow all udp inside or outside
    $fwcmd -q add pass udp from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of ftp
    $fwcmd add pass tcp from any to ${oip} 20 setup
    $fwcmd add pass tcp from any to ${oip} 21 setup

    # Allow setup of ssh
    $fwcmd add pass tcp from any to ${oip} 22 setup

    #Allow incoming POP3 connections
    $fwcmd add pass tcp from any to any 110 setup

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Allow access to HTTPS
    $fwcmd add pass tcp from any to ${oip} 443 setup

    # Allow access to webmin
    $fwcmd add pass tcp from any to ${oip} 10000 setup

    # allow misc remote ftp daemons to setup receiving ports
    $fwcmd -q add pass tcp from any to any 1024-4099 setup
    $fwcmd -q add pass tcp from any to any 40000-44999 setup

    # Everything else is denied as default.

_______________________________________________
Radicaux Libres                                   Solutions technologiques
Yves Berthiaume                                            4644 Parthenais
T:514.529.0989                                           Montreal, Quebec
F:514.529.4633                                                     H2H 2G7
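The alias netmask Crist flags above, 0xffffffff0, has nine hex digits and so is not a 32-bit mask at all. What follows is an added check, example code that is not from the thread or from FreeBSD, which lints the ifconfig_* lines of an rc.conf for that class of error: hex masks must fit in 32 bits, dotted masks must parse, either form must be a contiguous run of ones, and, per the rc.conf(5) convention, an alias that sits on the same subnet as the interface's primary address takes the host mask 0xffffffff (255.255.255.255). Both rc.conf fragments are constructed: the first is the posted one, the second a variant whose alias mask parses but is still wrong.

```python
import ipaddress
import re

# Constructed sample: the ifconfig_* lines from the posted rc.conf, including
# the mis-typed alias mask (nine hex digits instead of eight).
POSTED = '''
ifconfig_xl0="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_xl1="inet 207.236.242.12 netmask 255.255.255.240"
ifconfig_xl1_alias0="inet 207.236.242.5 netmask 0xffffffff0"
'''

# Constructed variant (assumption, not from the thread): the mask now parses,
# but the alias repeats the subnet mask instead of the host mask that
# rc.conf(5) expects for an alias on the same subnet as the primary address.
SAME_SUBNET_ALIAS = '''
ifconfig_xl1="inet 207.236.242.12 netmask 255.255.255.240"
ifconfig_xl1_alias0="inet 207.236.242.5 netmask 255.255.255.240"
'''

LINE_RE = re.compile(
    r'^ifconfig_(?P<iface>[a-z]+\d+)(?P<alias>_alias\d+)?='
    r'"inet\s+(?P<addr>\S+)\s+netmask\s+(?P<mask>\S+)"$'
)


def parse_mask(token):
    """Return the mask as a 32-bit int, or None if the token cannot be one."""
    if token.lower().startswith("0x"):
        digits = token[2:]
        if not re.fullmatch(r"[0-9a-fA-F]{1,8}", digits):
            return None          # 0xffffffff0: nine hex digits, 36 bits wide
        return int(digits, 16)
    try:
        return int(ipaddress.IPv4Address(token))
    except ipaddress.AddressValueError:
        return None


def is_contiguous(mask):
    """A netmask must be a run of ones followed by a run of zeros."""
    inv = ~mask & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def lint(text):
    """Return a list of problem strings for the ifconfig_* lines in text."""
    problems = []
    primary = {}                 # iface -> IPv4Network of its primary address
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        iface, alias, addr, tok = m["iface"], m["alias"], m["addr"], m["mask"]
        name = iface + (alias or "")
        mask = parse_mask(tok)
        if mask is None:
            problems.append("%s: netmask %s is not a 32-bit mask" % (name, tok))
            continue
        if not is_contiguous(mask):
            problems.append("%s: netmask %s is not contiguous" % (name, tok))
            continue
        prefix = bin(mask).count("1")
        if alias is None:
            primary[iface] = ipaddress.IPv4Network((addr, prefix), strict=False)
            continue
        net = primary.get(iface)
        if net and ipaddress.IPv4Address(addr) in net and mask != 0xFFFFFFFF:
            problems.append(
                "%s: alias %s is on %s; use netmask 0xffffffff (255.255.255.255)"
                % (name, addr, net))
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("same-subnet alias", SAME_SUBNET_ALIAS)):
        print(label, lint(text) or "ok")
```

Run as a script it reports the posted alias line as not being a 32-bit mask and the variant as needing the host mask; the primary interface lines pass. Aliases on a different subnet from the primary address are legitimately given that subnet's own mask, which is why the host-mask rule is only applied when the alias address falls inside the primary's network.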




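ipfw evaluates a ruleset first match wins, so in the posted rc.firewall the order of the rules matters more than their presence. The script below is an added example, not code from the thread or from FreeBSD: it models that evaluation over an abridged copy of the posted rules and over a constructed reordering. It shows that the "Stop spoofing" deny can never fire, because "pass all from ${inet}:${imask} to any" has already matched every packet carrying an inside source address, whichever interface it arrived on; that the blanket "pass udp from any to any" admits outside UDP to any listener, portmap on 111 being one the posted rc.conf enables; and that "pass tcp from any to any 1024-4099 setup" admits unsolicited connections to anything in that range. The hardened list, the probe addresses (198.51.100.7 is a documentation address) and the narrow DNS-reply rule are assumptions for illustration; the model also assumes natd has already rewritten outbound inside sources to ${oip}, as the divert rule in the stock rc.firewall does ahead of these rules.

```python
import ipaddress


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


def rule(action, proto, src, dst, sport=None, dport=None, direction=None,
         iface=None, state=None):
    """One ipfw-style rule. dport is None, an int or an inclusive (lo, hi)
    range; state is None, "setup" (TCP SYN only) or "established" (non-SYN)."""
    return dict(action=action, proto=proto, src=net(src), dst=net(dst),
                sport=sport, dport=dport, direction=direction, iface=iface,
                state=state)


def packet(proto, src, dst, sport, dport, direction, iface, syn=False):
    return dict(proto=proto, src=ipaddress.IPv4Address(src),
                dst=ipaddress.IPv4Address(dst), sport=sport, dport=dport,
                direction=direction, iface=iface, syn=syn)


def port_ok(spec, port):
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def matches(r, p):
    if r["proto"] != "all" and r["proto"] != p["proto"]:
        return False
    if p["src"] not in r["src"] or p["dst"] not in r["dst"]:
        return False
    if not port_ok(r["sport"], p["sport"]) or not port_ok(r["dport"], p["dport"]):
        return False
    if r["direction"] and r["direction"] != p["direction"]:
        return False
    if r["iface"] and r["iface"] != p["iface"]:
        return False
    if r["state"] == "setup" and not p["syn"]:
        return False
    if r["state"] == "established" and p["syn"]:
        return False
    return True


def evaluate(rules, p):
    """ipfw semantics: first matching rule wins; no match is the default deny."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r["action"], i
    return "deny", None


ANY, OIF, IIF = "0.0.0.0/0", "xl1", "xl0"
INET, OIP = "192.168.1.0/24", "207.236.242.12"

# Abridged copy of the posted rc.firewall, in the posted order.
POSTED = [
    rule("pass", "all", ANY, ANY, direction="in", iface=IIF),              # 0
    rule("pass", "all", INET, ANY),                                        # 1 matches any inside source
    rule("pass", "all", ANY, INET),                                        # 2
    rule("pass", "all", OIP, ANY),                                         # 3
    rule("deny", "udp", ANY, ANY, dport=137, direction="in", iface=OIF),   # 4
    rule("pass", "udp", ANY, ANY),                                         # 5 blanket UDP pass
    rule("deny", "all", INET, ANY, direction="in", iface=OIF),             # 6 "Stop spoofing": never reached, rule 1 wins
    rule("deny", "all", "192.168.0.0/16", ANY, iface=OIF),                 # 7
    rule("deny", "all", "10.0.0.0/8", ANY, iface=OIF),                     # 8
    rule("pass", "tcp", ANY, ANY, state="established"),                    # 9
    rule("pass", "tcp", ANY, OIP, dport=22, state="setup"),                # 10
    rule("pass", "tcp", ANY, OIP, dport=25, state="setup"),                # 11
    rule("pass", "tcp", ANY, ANY, dport=110, state="setup"),               # 12
    rule("pass", "tcp", ANY, ANY, dport=(1024, 4099), state="setup"),      # 13 open range, any destination
]

# Constructed reordering (an assumption, not from the thread): denies that must
# win come first, and the blanket UDP pass gives way to DNS replies only.
HARDENED = [
    rule("deny", "all", INET, ANY, direction="in", iface=OIF),             # 0 anti-spoof now reachable
    rule("deny", "all", "10.0.0.0/8", ANY, iface=OIF),                     # 1
    rule("deny", "all", "172.16.0.0/12", ANY, iface=OIF),                  # 2
    rule("deny", "all", "192.168.0.0/16", ANY, iface=OIF),                 # 3
    rule("pass", "all", ANY, ANY, direction="in", iface=IIF),              # 4 trust the inside interface
    rule("pass", "all", OIP, ANY),                                         # 5 gateway's own outbound traffic
    rule("pass", "udp", ANY, OIP, sport=53, direction="in", iface=OIF),    # 6 DNS replies (assumed resolver use)
    rule("deny", "udp", ANY, ANY, direction="in", iface=OIF),              # 7 all other inbound UDP
    rule("pass", "tcp", ANY, ANY, state="established"),                    # 8
    rule("pass", "tcp", ANY, OIP, dport=22, state="setup"),                # 9
    rule("pass", "tcp", ANY, OIP, dport=25, state="setup"),                # 10
    rule("pass", "tcp", ANY, OIP, dport=80, state="setup"),                # 11
]

# Constructed probes arriving on the outside interface.
SPOOFED = packet("udp", "192.168.1.50", OIP, 4000, 111, "in", OIF)   # inside source, outside interface
PORTMAP = packet("udp", "198.51.100.7", OIP, 4000, 111, "in", OIF)   # outside host probing portmap
SSH_SYN = packet("tcp", "198.51.100.7", OIP, 40001, 22, "in", OIF, syn=True)
NFS_SYN = packet("tcp", "198.51.100.7", OIP, 40002, 2049, "in", OIF, syn=True)

if __name__ == "__main__":
    for label, p in (("spoofed inside src", SPOOFED), ("portmap probe", PORTMAP),
                     ("ssh SYN", SSH_SYN), ("tcp/2049 SYN", NFS_SYN)):
        print("%-20s posted=%s hardened=%s"
              % (label, evaluate(POSTED, p), evaluate(HARDENED, p)))
```

With the posted order the spoofed packet is passed by rule 1 and the portmap probe by rule 5, and the TCP SYN to port 2049 rides in on the 1024-4099 range; the SSH SYN is passed in both lists, so the reordering costs nothing the ruleset was meant to allow. The model ignores the natd divert and ICMP, and only checks the ordering point: a deny placed after a broader pass is dead, and the place to prove it is by walking packets through the list rather than reading the comments.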



