Date:      Thu, 17 Jan 2002 16:52:20 -0500
From:      "Doug Reynolds" <mav@wastegate.net>
To:        "freebsd-questions" <freebsd-questions@freebsd.org>, "Steve Brown" <freebsd@prayforwind.com>
Subject:   Re: Converting dialup firewall to DHCP
Message-ID:  <20020117215029.2A1FB48449@wastegate.net>
In-Reply-To: <3C462B19.10005@prayforwind.com>

On Wed, 16 Jan 2002 20:38:33 -0500, Steve Brown wrote:

>Hello there,
>
>I succeeded in putting together a firewall thanks to this article:
>
>http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/index.html
>
>works great over dialup or PPPoE.
>
>But now I'm on a BB router (DHCP) and it no longer works. (on boot I get 
>lots of "warning: tun0 does not exist" errors) How do I convert it for 
>use with DHCP?

You'll have to change all the tun0 entries to the network interface you
have your DHCP connected to.

>Here's what I've got:
>in kernel config:
>    options               IPFIREWALL
>    options               IPFIREWALL_VERBOSE
>    options               IPFIREWALL_VERBOSE_LIMIT=100 # number logs kept, pick num
>    options               IPDIVERT
>in /etc/rc.conf:
>    firewall_enable="YES"
>    firewall_script="/etc/firewall/fwrules"
>    natd_enable="YES"
>    natd_interface="tun0"

here

>    natd_flags="-dynamic"
>here's /etc/firewall/fwrules:
>    # Firewall rules
>    # Written by Marc Silver (marcs@draenor.org)
>    # http://draenor.org/ipfw
>    # Freely distributable
>
>
>    # Define the firewall command (as in /etc/rc.firewall) for easy
>    # reference.  Helps to make it easier to read.
>    fwcmd="/sbin/ipfw"
>   
>    # Force a flushing of the current rules before we reload.
>    $fwcmd -f flush
>
>    # Divert all packets through the tunnel interface.
>    $fwcmd add divert natd all from any to any via tun0
>
>    # Allow all data from my network card and localhost.  Make sure you
>    # change your network card (mine was vr0) before you reboot.  :)
>    $fwcmd add allow ip from any to any via lo0
>    $fwcmd add allow ip from any to any via vr0
>
>    # Allow all connections that I initiate.
>    $fwcmd add allow tcp from any to any out xmit tun0 setup

here

>    # Once connections are made, allow them to stay open.
>    $fwcmd add allow tcp from any to any via tun0 established

here

>    # Everyone on the internet is allowed to connect to the following
>    # services on the machine.  This example specifically allows connections
>    # to ssh and apache.
>    $fwcmd add allow tcp from any to any 80 setup
>    $fwcmd add allow tcp from any to any 22 setup
>
>    # This sends a RESET to all ident packets.
>    $fwcmd add reset log tcp from any to any 113 in recv tun0

here

>    # Allow outgoing DNS queries ONLY to the specified servers.
>    $fwcmd add allow udp from any to xxx.xxx.xxx.xxx 53 out xmit tun0
>    $fwcmd add allow udp from any to yyy.yyy.yyy.yyy 53 out xmit tun0

here

>    # Allow them back in with the answers...  :)
>    $fwcmd add allow udp from xxx.xxx.xxx.xxx 53 to any in recv tun0

here

>    # Allow NTP
>    $fwcmd add allow udp from any to aaa.aaa.aaa.aaa 123 out xmit tun0
>    $fwcmd add allow udp from any to bbb.bbb.bbb.bbb 123 out xmit tun0
>    $fwcmd add allow udp from aaa.aaa.aaa.aaa to any in recv tun0
>    $fwcmd add allow udp from bbb.bbb.bbb.bbb to any in recv tun0

here

>    # Allow ICMP (for ping and traceroute to work).  You may wish to
>    # disallow this, but I feel it suits my needs to keep them in.
>    $fwcmd add 65435 allow icmp from any to any
>
>    # Deny all the rest.
>    $fwcmd add 65435 deny log ip from any to any

---
doug reynolds | the maverick | mav@wastegate.net

PGP Public Key Fingerprint: 6E7B 9993 B503 6D45  E33A 2019 26E5 C1DB



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
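The conversion the reply points at, worked through as an added example (this is not the poster's script nor the FreeBSD article's; the interface name xl0, the 192.0.2.x test addresses and the x/y/a/b placeholders are assumptions). Every "tun0" becomes a variable holding the DHCP-configured Ethernet interface, which also has to go into natd_interface in /etc/rc.conf alongside ifconfig_xl0="DHCP"; the -dynamic flag already set there tells natd to follow the address when the lease changes it. Two things a stateless deny-all ruleset on a DHCP uplink also needs: the DHCP client's own UDP 67/68 traffic has to be passed on the outside interface (the client ruleset in /etc/rc.firewall does the same), and rules for services the host offers should use ipfw's "me" keyword instead of a fixed address, since the address is no longer known in advance. The script runs ipfw when it is present and otherwise prints the generated rules, so the ruleset can be checked before it is installed.

```shell
#!/bin/sh
# /etc/firewall/fwrules for a DHCP-configured Ethernet uplink.
# Added example: the posted tun0 ruleset with the outside interface made a
# variable, plus the rules a DHCP client needs.  Not the article's script.

oif="xl0"        # ASSUMPTION: outside (DHCP) interface; use yours (xl0, fxp0, rl0, ...)
iif="vr0"        # inside interface, as in the posted script
fwcmd="/sbin/ipfw"

# rule ARGS...: run ipfw, or print the rule instead when DRYRUN=1 so the
# generated ruleset can be inspected without touching the live firewall.
rule() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$fwcmd" "$@"
    fi
}

# fwrules OUTSIDE_IF "DNS SERVERS" "NTP SERVERS"
fwrules() {
    oif="$1"
    dns="$2"
    ntp="$3"

    rule -f flush

    # NAT everything that crosses the outside interface.
    rule add divert natd all from any to any via "$oif"

    rule add allow ip from any to any via lo0
    rule add allow ip from any to any via "$iif"

    # DHCP client: requests out to the server, offers/acks back in.  The
    # lease address is not known in advance, so match on the ports, not "me".
    rule add allow udp from any 68 to any 67 out xmit "$oif"
    rule add allow udp from any 67 to any 68 in recv "$oif"

    # Connections this host initiates, and their return traffic.  Note that
    # "established" only checks the ACK/RST flags; it is not state tracking.
    rule add allow tcp from any to any out xmit "$oif" setup
    rule add allow tcp from any to any via "$oif" established

    # Services offered to the world.  "me" matches whatever address the
    # lease hands out, so no fixed IP is needed.
    rule add allow tcp from any to me 80 setup
    rule add allow tcp from any to me 22 setup

    rule add reset log tcp from any to any 113 in recv "$oif"

    # DNS and NTP only to the listed servers, and their replies back.
    for s in $dns; do
        rule add allow udp from any to "$s" 53 out xmit "$oif"
        rule add allow udp from "$s" 53 to any in recv "$oif"
    done
    for s in $ntp; do
        rule add allow udp from any to "$s" 123 out xmit "$oif"
        rule add allow udp from "$s" 123 to any in recv "$oif"
    done

    rule add 65435 allow icmp from any to any
    rule add 65435 deny log ip from any to any
}

# With DHCP the resolvers come from the lease (dhclient writes them to
# /etc/resolv.conf), so list the ones your ISP or router hands out here.
dns_servers="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"   # placeholders: replace
ntp_servers="aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb"   # placeholders: replace

# Apply the ruleset; where ipfw is absent (or DRYRUN=1 is set) just print it.
[ -x "$fwcmd" ] || DRYRUN=1
fwrules "$oif" "$dns_servers" "$ntp_servers"
```

Run it as DRYRUN=1 sh /etc/firewall/fwrules first and read the output: there must be no tun0 left, the divert rule must name the DHCP interface, and the two UDP 67/68 rules must sit above the final deny. Only then point firewall_script at it and reboot.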
