From: "Vitali Malicky" (life@zone3000.net)
To: "Frans-Jan v. Steenbeek"
Delivered-To: freebsd-questions@freebsd.org
Date: Fri, 18 Jul 2003 11:00:27 +0300
Subject: Re: building a routing machine
Message-ID: <003801c34d02$a679f670$2401010a@zone3000.net>
References: <1058500610.260.8.camel@FST777>

> Hi folks,

hi, man.

>
> I've enabled routed on both systems, (-s on the webserver, -q on the

it is not necessary at all!

set your default router in rc.conf (ask your University admin about its IP)

you just look at "sysctl -a net.inet.ip.forwarding"
if it equals "0" then "sysctl -w net.inet.ip.forwarding=1"
(in rc.conf this variable is set by gateway_enable="YES")

then you need a natd
just "touch /etc/natd.conf" and edit it so that it contains something like

log yes
#log_denied yes
port 8668
use_sockets yes
same_ports yes
unregistered_only yes
#your PUBLIC IP
alias_address ???.???.???.???
###
#EOF
###

run natd "/sbin/natd -f /etc/natd.conf &"

edit /etc/rc.firewall to contain approximately the following

#!/bin/sh
/bin/echo -n "Firewall... "
#################### Flush All Chains And Pipes ########################
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f pipe flush
#################### lo0 ###########################################
/sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
#################### public #########################################
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0 #change fxp0 to your NIC name
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0 #change fxp0 to your NIC name
#################### Firewall (icmp) ###################################
# /sbin/ipfw -q add 65527 deny icmp from any to ${LocalNET}
# /sbin/ipfw -q add 65528 deny icmp from ${LocalNET} to any
/sbin/ipfw -q add 65529 allow icmp from any to any
#################### Firewall Logging ###########################
/sbin/ipfw -q add 65530 deny log all from any to any ipopt rr
/sbin/ipfw -q add 65531 deny log all from any to any ipopt ts
/sbin/ipfw -q add 65532 deny log all from any to any ipopt ssrr
/sbin/ipfw -q add 65533 deny log all from any to any ipopt lsrr
/sbin/ipfw -q add 65534 deny log all from any to any
############
echo " configured."
###

(this is a fragment of my ip.firewall which is too long to quote here...)

and execute the file (chmod 500 rc.firewall, you know, first... ;))
it should work. if not, ufff...
then you will have to rebuild the FBSD kernel with IPDIVERT, IPFIREWALL and things, and things, and things... and repeat the said above...

I envy you if you're gonna do the kernel rebuild for the first time :)
it's a fascinating, absorbing and captivating procedure like playing chess with a very strong chessplayer :)
see here http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html

and good luck!!!

--
Error Code=-1 Continue? Yes | No
--

> desktop) but that doesn't seem to be enough. I've read something about
> routing and gateways in the handbook, but I didn't quite get it. So can
> anyone help me out?
>
> Please CC me, I'm not (anymore) a user on this list. Thanks!
>
> --
> tcGB <>< Fi-Ji ><>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
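Added example, not part of the mail above: a POSIX sh function that audits an rc.firewall-style ipfw script like the fragment quoted, before it is run, for the three properties the natd + ipfw setup depends on (divert rules in both directions on the external NIC, an explicit final deny, no rule that allows everything). The sample rule file it writes is constructed from the rules in the mail; the NIC name fxp0 and the use of a temporary file are assumptions.

```sh
#!/bin/sh
# audit_ipfw SCRIPT EXT_IF -- check an rc.firewall-style ipfw script before running it.
# Prints each finding; returns 0 only if all pass:
#   1. natd divert rules exist for BOTH directions ("in recv" / "out xmit") on the
#      external NIC; one missing direction silently breaks NAT one way
#   2. the highest-numbered rule is a deny, so unmatched packets are dropped even on
#      a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT
#   3. no rule allows everything from any to any
audit_ipfw() {
    script=$1 ext_if=$2
    div_in=0 div_out=0 wide_open=0 last_num=0 last_action=''
    while IFS= read -r line; do
        case $line in
            *ipfw*" add "[0-9]*) ;;          # only numbered "ipfw ... add N ..." lines
            *) continue ;;
        esac
        set -- ${line#*" add "}             # $1 = rule number, $2 = action
        case $line in
            *"divert natd "*" in recv $ext_if"*)  div_in=1 ;;
            *"divert natd "*" out xmit $ext_if"*) div_out=1 ;;
        esac
        case $line in
            *"allow ip from any to any"*|*"allow all from any to any"*) wide_open=1 ;;
        esac
        # ipfw evaluates rules in numeric order, so the highest number is the last one hit
        if [ "$1" -ge "$last_num" ]; then last_num=$1; last_action=$2; fi
    done < "$script"
    rc=0
    [ "$div_in" -eq 1 ]  || { echo "missing: divert natd ... in recv $ext_if";  rc=1; }
    [ "$div_out" -eq 1 ] || { echo "missing: divert natd ... out xmit $ext_if"; rc=1; }
    [ "$last_action" = deny ] || { echo "last rule $last_num is '$last_action', not deny"; rc=1; }
    [ "$wide_open" -eq 0 ] || { echo "a rule allows all traffic from any to any"; rc=1; }
    return $rc
}

# write_sample_rules FILE -- constructed sample: the rules from the mail, with the
# icmp/ipopt rules left out for brevity (fxp0 is the assumed external NIC)
write_sample_rules() {
    cat > "$1" <<'EOF'
/sbin/ipfw -q -f flush
/sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0 #change fxp0 to your NIC name
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0 #change fxp0 to your NIC name
/sbin/ipfw -q add 65534 deny log all from any to any
EOF
}

sample=$(mktemp) && write_sample_rules "$sample"
audit_ipfw "$sample" fxp0 && echo "ruleset OK"
rm -f "$sample"
```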