Date:      Thu, 9 Feb 1995 12:08:57 -0600
From:      Matt Richards <richards@vinny.cecer.army.mil>
To:        ugen@netvision.net
Cc:        questions@FreeBSD.org
Subject:   RE: Firewall help
Message-ID:  <199502091808.MAA05985@vinny.cecer.army.mil>

----- Begin Included Message -----

From ugen@netvision.net.il Wed Feb  8 12:00:03 1995
Date: Wed,  8 Feb 95 10:32:46 IST
From: "Ugen J.S.Antsilevich" <ugen@netvision.net.il>
Subject: RE: Firewall help 
To: Matt Richards <richards@vinny.cecer.army.mil>
X-Mailer: Chameleon 4.00-Arm-25, TCP/IP for Windows, NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 2069


>The gateway option is compiled in the kernel.  Routed is running (I tried the
>-q (default) and then the -s option).  I couldn't find any documentation on
>setting up FreeBSD as a firewall or router.  Any information on how to set
>up a machine as a firewall would be greatly appreciated.
>Hmm..very strange behavior...I will check things and see what happens. For now
>could you say if:
> Are you able to traceroute something via both network interfaces???

How do I choose which interface to use when I traceroute through to something?
Traceroute doesn't have a -I for interface that I can find.

> Are you able to ping from outside and telnet to both interfaces?

I can ping each interface and telnet to each interface when they are both on the
same net, but when I separate ed0 and ed1 and make ed0 on the net and ed1 a
test network with a single machine attached to it, I can't telnet to ed1 or any
other machine past the FreeBSD machine, but I can telnet from any machine on
the net to ed0 but not to ed1.

>Did you try to disable routed and add static routes manually to start with?

How do I add static routes manually?

>And describe more precisely your configuration so I'll be able to help. I am
>working on a FAQ about IP gateways, firewalling and stuff but it goes slow along
>with other jobs... Besides, my English is bad.

Do I need a gateways file in /etc? I tried to make one and it did nothing that
I could tell.  I tried several configurations, finally ending with the following,
which did nothing visible:

host 129.229.40.152 gateway 129.229.40.151 metric 0 active
host 129.229.40.151 gateway 129.229.40.152 metric 0 active

I feel like I'm shooting in the dark because I can't quite figure out what is
required to get the two cards working together.

I have two Eagle NE2000+ (the real thing, not a clone NIC) cards installed:

ed0 at 0x280-0x29f irq 5 on isa
ed1 at 0x300-0x31f irq 10 on isa

Attached is the IPFIREWALL config file I used to compile the kernel.

I placed a hostname.ed0 and hostname.ed1 in /etc to assign different IP numbers
to each interface at bootup.

hostname.ed0 reads:
129.229.40.151 netmask 0xffffff00
hostname.ed1 reads:
129.229.40.152 netmask 0xffffff00

Both ed0 and ed1 ifconfig at bootup.

These IP numbers are unique and are not used by any other machine.

I added the IP numbers and hostnames to /etc/hosts

I changed the following in /etc/netstart:

routedflages=-q    to    routedflages=-s
and
#gated=YES    to     gated=YES

Do I need to change /etc/networks at all to reflect what I've done?

Thanks for the help,

Matt
----------
Attachment: IPFIREWALL

#
# IPFIREWALL -- Sample Generic kernel suitable for building an IP firewall.
#
#	IPFIREWALL,v 1.2 1994/11/13 10:17:07 gibbs Exp
#

machine		"i386"
cpu		"I486_CPU"
ident		IPFIREWALL
maxusers	10

options		INET			#InterNETworking
options		FFS			#Berkeley Fast File System
options		NFS			#Network File system
options		PROCFS			#Process filesystem
options		"COMPAT_43"		#Compatible with BSD 4.3
options		UCONSOLE		#X Console support
options		"SCSI_DELAY=15"		#Be pessimistic about Joe SCSI device
options		"NCONS=4"		#4 virtual consoles
options		BOUNCE_BUFFERS		#include support for DMA bounce buffers
options		USERCONFIG		#Allow user configuration with -c
options		GATEWAY			#Pass packets
options		IPFIREWALL		#firewall code
options		IPFIREWALL_VERBOSE	#print information about dropped packets
options		IPBROADCASTECHO=1       #send reply to broadcast pings
options		IPMASKAGENT=1           #send reply to icmp mask requests

config		kernel	root on wd0 swap on wd0 and wd1 and sd0 and sd1 dumps on wd0

controller	isa0

controller	fdc0	at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
disk		fd0	at fdc0 drive 0
disk		fd1	at fdc0 drive 1

controller	wdc0	at isa? port "IO_WD1" bio irq 14 vector wdintr
disk		wd0	at wdc0 drive 0
disk		wd1	at wdc0 drive 1

controller	pci0
controller	ncr0

controller	aha0	at isa? port "IO_AHA0" bio irq ? drq 5 vector ahaintr
controller	scbus0

device		sd0
device		sd1
device		sd2
device		sd3

device		st0
device		st1

device		cd0	#Only need one of these, the code dynamically grows

device		wt0	at isa? port 0x300 bio irq 5 drq 1 vector wtintr
device		mcd0	at isa? port 0x300 bio irq 10 vector mcdintr

device		sc0	at isa? port "IO_KBD" tty irq 1 vector scintr
device		npx0	at isa? port "IO_NPX" irq 13 vector npxintr

device		sio0	at isa? port "IO_COM1" tty irq 4 vector siointr
device		sio1	at isa? port "IO_COM2" tty irq 3 vector siointr

device		lpt0	at isa? port? tty irq 7 vector lptintr

device ed0 at isa? port 0x280 net irq  5 iomem 0xd8000 vector edintr
device ed1 at isa? port 0x300 net irq 10 iomem 0xcc000 vector edintr

pseudo-device	loop
pseudo-device	ether
pseudo-device	log
pseudo-device	ppp	2
pseudo-device	sl	2
pseudo-device	pty	16
pseudo-device	speaker
pseudo-device	gzip		# Exec gzipped a.out's
pseudo-device   bpfilter  1
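An added check, written for this archive page and not part of the message above or of FreeBSD, that parses the two /etc/hostname.edN lines quoted in the mail and reports whether ed0 and ed1 land on the same IP network. A host that forwards packets between two interfaces needs each interface on its own network; when both interfaces carry the same network prefix the kernel has no way to pick the right outgoing interface for a destination, so forwarding cannot work. The 10.0.0.1 address used for the "fixed" variant is a constructed value chosen for illustration, not taken from the mail.

```sh
#!/bin/sh
# Added example, not part of the original message or of FreeBSD: check the
# /etc/hostname.edN contents quoted in the mail for an overlapping network.

# Convert a dotted-quad address (e.g. 129.229.40.151) to an integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert an integer back to dotted-quad form.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR MASK -> network address. MASK may be hex (0xffffff00, as in
# the mail) or dotted (255.255.255.0); ifconfig accepts both forms.
network_of() {
    case $2 in
        0x*) mask=$(( $2 )) ;;
        *)   mask=$(ip_to_int "$2") ;;
    esac
    int_to_ip $(( $(ip_to_int "$1") & mask ))
}

# hostname_line_network "ADDR netmask MASK" -> network address, parsing the
# one-line format of /etc/hostname.edN shown in the mail.
hostname_line_network() {
    set -- $1
    [ "$2" = "netmask" ] || { echo "unexpected line: $*" >&2; return 2; }
    network_of "$1" "$3"
}

# same_network "LINE1" "LINE2" -> exit 0 when both interfaces share a network
# (the problem case), 1 when they are on distinct networks, 2 on a parse error.
same_network() {
    n1=$(hostname_line_network "$1") || return 2
    n2=$(hostname_line_network "$2") || return 2
    [ "$n1" = "$n2" ]
}

# Constructed sample input: the two files quoted in the mail, plus a variant
# with ed1 moved onto a separate test network (10.0.0.1 is an assumed value).
ED0='129.229.40.151 netmask 0xffffff00'
ED1='129.229.40.152 netmask 0xffffff00'
ED1_FIXED='10.0.0.1 netmask 0xffffff00'

if same_network "$ED0" "$ED1"; then
    echo "ed0 and ed1 are both on $(hostname_line_network "$ED0"): forwarding between them cannot work"
fi
if ! same_network "$ED0" "$ED1_FIXED"; then
    echo "ed0 on $(hostname_line_network "$ED0"), ed1 on $(hostname_line_network "$ED1_FIXED"): distinct networks"
fi
```

Run with any POSIX sh; the script prints which of the two configurations is usable for forwarding. The same functions can be pointed at any pair of interface lines to check a new test-network assignment before rebooting with it.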
