From: Christian Chen
To: Brossin Pierrick
Cc: freebsd-stable@FreeBSD.ORG
Date: Sun, 7 Jul 2002 22:34:08 -0700
Subject: Re: FreeBSD Server and Gateway
Message-ID: <20020708053408.GA28499@earthlink.net>
In-Reply-To: <000301c225f0$e43dcf70$3200000a@nitrox>
References: <000801c225c9$bba4d030$3200000a@nitrox> <20020707173947.GA250@theshell.com> <000301c225f0$e43dcf70$3200000a@nitrox>

Trying to do firewall/NAT/gateway via PPPoE under FreeBSD is a bit tricky. Most HOWTOs that I've found only deal with this via a less lame internet connection.
But basically, you need to get PPPoE up and running first. There are several HOWTOs for setting that up. Assuming that you have that running, you will then have an internet connection via tun0.

What will happen once you have everything set up is that any packets from other machines on your internal network are going to come in via your ethernet connection (let's say xl0), get routed to tun0 by NAT, and then go out through tun0 to the internet. The process will be reversed when the packets come back in.

So, theoretically what you need to do is:

1. Set up NAT to route between your ethernet card and tun0
2. Set up a set of firewall rules using ipf that will block certain traffic trying to come in from tun0 and go to NAT.

Problem is, I could never actually get step 2 to work properly. I'm certainly not a networking guru, so I'm sure it's my own incompetence that prevented me from getting it to work.

But what I've found works equally well (at least, I *think* it's working equally well!) is to use the firewall features of PPP to block incoming packets on tun0. "man ppp.conf" will tell you how to set this up, and there are also examples in /usr/share/examples/ppp.

So, what I'm actually doing is:

1. Set up NAT to route between my ethernet card and tun0
2. Set up the firewall rules via PPP

I'm not running ipf at all. This appears to work properly from all the testing I've been able to do. Whether it works as efficiently as ipf would, or is flexible enough for your needs, I don't know.

Christian Chen

On Sun, Jul 07, 2002 at 10:00:07PM +0200, Brossin Pierrick wrote:
> As you may see, I'm really confused with IPFilter NAT IP Masquerading ....
> Can someone take the time to explain or give the url of a page please.. I
> can't find any ?
>
> Regards,
>
> Pierrick
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
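The two-step setup described in the message above (NAT between the ethernet card and tun0, with the filtering done by ppp(8) itself rather than by ipf), written out as an added example ppp.conf that is not part of the original mail. It assumes the PPPoE session rides on a second NIC named xl1, an ISP login of myuser/mysecret and a LAN on 10.0.0.0/24 behind xl0; all three are placeholders. The `nat enable` and `set filter` directives follow the syntax documented in ppp(8) and the samples under /usr/share/examples/ppp.

```conf
# /etc/ppp/ppp.conf -- added example, not from the original mail.
# Assumed: PPPoE on xl1, LAN on xl0 (as in the mail), tun0 toward the ISP.

default:
 set log Phase Chat LCP IPCP CCP tun command

pppoe:
 set device PPPoE:xl1              # assumed NIC carrying the PPPoE session
 set authname myuser               # placeholder ISP login
 set authkey mysecret              # placeholder ISP password
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
 add default HISADDR               # default route via the ISP end of tun0
 enable dns                        # accept the ISP's DNS servers via IPCP

 # Step 1: NAT the LAN behind tun0 using ppp's built-in translator.
 nat enable yes

 # Step 2: filter on tun0 with ppp's own rules instead of ipf.
 # "in" rules see packets arriving from the ISP side of tun0.
 # Once a filter has at least one rule, a packet that matches none of
 # them is dropped; the final deny is written out only to make that visible.
 set filter in 0 permit tcp estab                   # replies to TCP we opened
 set filter in 1 permit udp src eq 53 dst gt 1023   # DNS answers only
 set filter in 2 permit icmp                        # ping / path-MTU feedback
 set filter in 9 deny 0/0 0/0                       # everything else from the net

 # "out" rules see packets leaving toward the ISP; nothing leaves that is
 # not plain TCP, UDP or ICMP.
 set filter out 0 permit tcp
 set filter out 1 permit udp
 set filter out 2 permit icmp
 set filter out 9 deny 0/0 0/0
```

Bring the link up with `gateway_enable="YES"`, `ppp_enable="YES"`, `ppp_mode="ddial"` and `ppp_profile="pppoe"` in /etc/rc.conf (`ppp_nat="YES"` does the same as the `nat enable yes` line and can be used instead). Two caveats worth keeping in mind: these rules exist only while ppp holds tun0 open, so there is no filtering at all if ppp is not running, and nothing here touches traffic between hosts on xl0. To confirm what is loaded, attach to the running daemon and run `show filter in` and `show filter out`; the rule numbers above should come back in order, and an inbound connection attempt to a LAN host from outside should simply time out.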