Date: Fri, 8 Oct 1999 15:51:48 -0400 (EDT)
From: Mikhail Teterin <mi@aldan.algebra.com>
To: Joe Huddleston <huddles@tcac.net>
Cc: questions@freebsd.org
Subject: Re: natd, ftp, two ethernet cards
Message-ID: <199910081951.PAA57289@misha.cisco.com>
In-Reply-To: <99100722400700.00924@s097-cdm44.amar.tcac.net> from Joe Huddleston at "Oct 7, 1999 10:37:13 pm"
Joe Huddleston once wrote:

> I am trying to set up a firewall for my home network, and am having
> problems with natd and ipfw. Would it be possible for you to email me
> a quick overview of what you did to get your gateway working?

1. Your in-house LAN must use one of the designated private network
numbers (see RFC 1918):

	10.0.0.0    - 10.255.255.255
	172.16.0.0  - 172.31.255.255
	192.168.0.0 - 192.168.255.255

This simplifies things tremendously, because natd knows about this and
needs no special tweaking in this case.

2. All of your private machines need to have the gateway machine as
their default router (this is almost always the case).

3. Now here is my example. My gateway machine has two interfaces:

	ep0 - 10.10.0.2  - on the private LAN
	ep1 - 24.218.x.x - to the cable modem

The relevant firewall rule is:

	ipfw -q add divert natd tcp from any to any via ep1

This means that anything that tries to get out to the outside world
should be diverted to the natd service, where the NAT daemon is
listening. The natd's command line is "natd -n ep1 -u -s". That's it.

4. To do this nicely, through the /etc/rc.conf, I would:

	natd_enable="YES"
	natd_interface="ep1"
	natd_flags="-u -s"
	firewall_enable="YES"

5. I strongly urge you to set up other firewall rules to protect your
LAN. The amount of probes my firewall reports sometimes shocks me. It
will also help keep your curious Internet provider from figuring out
what OS you are running -- there are reports of @Home, for example,
checking this and denying support to anything other than Windoz or MAC.
Consult /etc/rc.firewall for more...

Hope this helps.

Yours,

	-mi

P.S. I'm CC-ing this to questions, so that it is archived for future
generations :)
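The setup described above, as an added example that is not part of the original message: a POSIX sh script that checks the gateway's inside address against the RFC 1918 ranges from step 1 and emits an ipfw ruleset containing the natd divert together with the extra filtering rules step 5 recommends. The rule numbers, the use of "ip" rather than "tcp" in the divert rule, and the inside network 10.10.0.0/16 are assumptions; the script only prints the commands and never runs ipfw.

```shell
#!/bin/sh
# Added example, not from the original message: check the gateway's inside
# address against the RFC 1918 ranges (step 1) and print an ipfw ruleset
# with the natd divert plus the extra filtering rules step 5 asks for.
# Only prints the commands; it never runs ipfw. Assumptions: rule numbers,
# "ip" instead of "tcp" in the divert rule, inside network 10.10.0.0/16.

# is_rfc1918 A.B.C.D  -> prints "yes" if the address is private, else "no"
is_rfc1918() {
    # split into octets inside a subshell so the IFS change stays local
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || { echo no; exit 0; }
      if [ "$1" -eq 10 ]; then echo yes                                        # 10/8
      elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo yes  # 172.16/12
      elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo yes                 # 192.168/16
      else echo no; fi )
}

# nat_rules OUTSIDE_IF INSIDE_IF INSIDE_NET  -> prints the ipfw commands
nat_rules() {
    oif=$1; iif=$2; inet=$3
    cat <<EOF
ipfw -q -f flush
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 110 deny ip from any to 127.0.0.0/8
# anti-spoofing: private source addresses never legitimately arrive from outside
ipfw -q add 200 deny ip from 10.0.0.0/8 to any in via $oif
ipfw -q add 210 deny ip from 172.16.0.0/12 to any in via $oif
ipfw -q add 220 deny ip from 192.168.0.0/16 to any in via $oif
# everything crossing the outside interface goes through natd first
ipfw -q add 300 divert natd ip from any to any via $oif
# LAN side: only our own inside network may talk through the gateway
ipfw -q add 400 allow ip from $inet to any in via $iif
ipfw -q add 410 allow ip from any to $inet out via $iif
# outside, after translation: anything may leave, only replies come back
ipfw -q add 500 allow ip from any to any out via $oif
ipfw -q add 510 allow tcp from any to any in via $oif established
ipfw -q add 520 allow udp from any 53 to any in via $oif
ipfw -q add 530 allow icmp from any to any in via $oif icmptypes 0,3,11
# log whatever falls through so the probes step 5 mentions become visible
ipfw -q add 65000 deny log ip from any to any
EOF
}

inside_ip=10.10.0.2      # ep0 address from the message
[ "$(is_rfc1918 "$inside_ip")" = yes ] ||
    echo "warning: $inside_ip is not RFC 1918 space; natd needs extra setup" >&2
nat_rules ep1 ep0 10.10.0.0/16
```

Redirect the output into a file and review it before loading it; once the gateway is enrolled in /etc/rc.conf as in step 4, the same rules can live in a custom section of /etc/rc.firewall.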