Date:      Wed, 17 Sep 2003 14:29:22 -0400
From:      "Bob Hall" <rjhjr@cox.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: firewall
Message-ID:  <20030917182921.GA12360@kongemord.krig.net>
In-Reply-To: <20030917172325.5e2f64a9.y2kbug@ms25.hinet.net>
References:  <20030917172325.5e2f64a9.y2kbug@ms25.hinet.net>

At this point, I'm a little confused. You said previously that 
this would be the only machine that accessed the Internet via 
PPP. Now you're setting it up as the gateway, which means that 
other machines will be accessing the Internet via PPP on your 
gateway.

To reiterate from an earlier post, you have three options:
1) This is not a gateway. You need PPP and a firewall.

2) This is a gateway. You need PPP, a firewall, and NAT 
implemented via user PPP.

3) This is a gateway. You need PPP, a firewall, and NAT 
implemented via the firewall. 

Decide on an option, and tell us which you're going to 
implement.

On Wed, Sep 17, 2003 at 05:23:25PM +0800, Robert Storey wrote:
> In the continuing saga of my firewall configuration...
> 
> One kind member of this list suggested I must compile this into my
> kernel:
> 
>     options IPDIVERT

You need that only for option 3.

You also need 
	options         IPFIREWALL
for any of the three options.

> So I did that, and it made a difference though it didn't solve the
> problem. Previously, whenever I started ppp, if I attempted to ping I
> would get this error message:
> 
> bob@sonic:~> ping slashdot.org
>  ping: cannot resolve slashdot.org: Host name lookup failure
> 
> Now when I ping, I get no response - no error messages, but no other
> feedback. I think this is an improvement, but something is still
> preventing me from getting a response from ppp.
> 
> To reiterate, this is everything I've done so far:
> 
> FROM /etc/rc.conf:
> 
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="simple"
> natd_enable="YES"
> natd_interface="ppp0"
> 
> FROM /etc/rc.firewall:
> 
> # set these to your outside interface network and netmask and ip
> oif="ppp0"
> onet="168.95.0.0"
> omask="255.255.255.255"
> oip="168.95.0.0"

oip = Outer IP address. 168.95.0.0 is not your oip. Once again, 
the oip is found in the ppp0 section of the output from "ifconfig -a".
It changes every time you dial up.
 
> # set these to your inside interface network and netmask and ip
> iif="vr0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.2"
> 
> Kernel recompile:
>     options IPDIVERT

See above.
 
> CONTENT OF /etc/hosts:
> #
> ::1			localhost localhost.utopia.com
> 127.0.0.1		localhost localhost.utopia.com
> #
> 192.168.0.3	ibm.utopia.com	ibm
> 192.168.0.2	sonic.utopia.com	sonic
> 192.168.0.1	pro.utopia.com	pro

I use local DNS, so I've never manually written anything in my 
hosts file, but I think you need to add an address for DNS lookup. 
It's possible that this is entered automatically when you dial up. 
As I said, I don't do DNS this way, so I'm not sure how your setup 
should work.
 
> I also used sysinstall to designate this machine as a gateway. Was that
> the right thing to do?

Tell us whether or not you've decided to use this machine as a gateway.
You can't proceed, and we can't help you, until you make that decision.

If you decide to use this machine as a gateway, then you have to decide 
how you're going to implement NAT. Again, you can't proceed, and we can't 
help you, until you decide. You have to pick one of the three options 
listed at the top.

Bob Hall
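As an added example (not code from either poster), here is a POSIX sh script that does what Bob describes by hand: it pulls the address and netmask of the ppp0 section out of `ifconfig -a` output and turns them into the four outside-interface assignments the "simple" /etc/rc.firewall expects, so they can be regenerated after each dial-up instead of being hardcoded. It runs against constructed ifconfig output, assumes the FreeBSD ifconfig layout (hex netmask, `inet A --> B` on point-to-point links), and takes onet to be oip masked by omask.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig -a` output (not captured from a real host);
# ppp0 carries a TEST-NET-1 address standing in for whatever the ISP assigned.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 192.0.2.45 --> 192.0.2.1 netmask 0xffffffff'

# iface_field IFACE FIELD : read ifconfig output on stdin and print the value that
# follows FIELD ("inet" or "netmask") in IFACE's section; prints nothing if absent.
iface_field() {
    awk -v want="$1" -v field="$2" '
        /^[A-Za-z]/ { cur = $1; sub(/:$/, "", cur) }      # "ppp0:" starts a section
        cur == want && $1 == "inet" {
            for (i = 1; i < NF; i++) if ($i == field) { print $(i + 1); exit }
        }'
}

# hexmask_dotted 0xffffff00 : ifconfig prints the mask in hex; rc.firewall wants dotted quad.
hexmask_dotted() {
    h=${1#0x}
    set -- $(printf '%s\n' "$h" | sed 's/../& /g')      # split into four hex octets
    printf '%d.%d.%d.%d\n' "0x$1" "0x$2" "0x$3" "0x$4"
}

# network_of IP MASK : bitwise AND of two dotted quads (on a /32 ppp link this is IP itself).
network_of() {
    ip=$1 mask=$2 oldifs=$IFS
    IFS=.
    set -- $ip;   i1=$1 i2=$2 i3=$3 i4=$4
    set -- $mask; IFS=$oldifs
    printf '%d.%d.%d.%d\n' $((i1 & $1)) $((i2 & $2)) $((i3 & $3)) $((i4 & $4))
}

# rc_firewall_outer IFACE : emit the oif/onet/omask/oip lines from ifconfig output on stdin.
# Fails (exit 1) when IFACE has no inet address, i.e. the link is not up yet.
rc_firewall_outer() {
    text=$(cat)
    ip=$(printf '%s\n' "$text" | iface_field "$1" inet)
    [ -n "$ip" ] || { echo "no inet address on $1 (link not up?)" >&2; return 1; }
    mask=$(hexmask_dotted "$(printf '%s\n' "$text" | iface_field "$1" netmask)")
    printf 'oif="%s"\nonet="%s"\nomask="%s"\noip="%s"\n' \
        "$1" "$(network_of "$ip" "$mask")" "$mask" "$ip"
}

# Stand-alone demo on the constructed sample; on a live host pipe `ifconfig -a` in instead.
printf '%s\n' "$SAMPLE_IFCONFIG" | rc_firewall_outer ppp0
```

The emitted assignments can be sourced by a wrapper around /etc/rc.firewall once ppp is up; while the link is down the function fails instead of emitting a stale address.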



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030917182921.GA12360>