Date: Tue, 13 Jun 2000 00:08:00 +0200 (CEST)
From: abgoeree@uwnet.nl
To: freebsd-questions@freebsd.org
Subject: Question about ipfw and user ppp+nat
Message-ID: <200006122206.AAA18483@mars.uwnet.nl>
Hi,

I am setting up a FreeBSD (3.4-RELEASE) box as a dialup internet gateway/firewall for my home network. The general idea looks like this:

      home network                                   internet
    <--------->|        firewall box        |<--------->
    192.168.1.0/24    dev=ed1              dev=tun0
                      ip=192.168.1.254     ip=dynamic

Packet filtering is done by ipfw. I connect to the internet from the firewall box via user ppp with ip aliasing enabled. After I am connected I browse the internet from some other FreeBSD box on the home network. This works well until I apply the following rules to drop packets to and from private ip addresses (RFC1918) at the outgoing device (tun0). Here is part of my /etc/rc.firewall which shows the rules:

    outdev="tun0"
    fwcmd="ipfw"
    rfc1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

    # one deny rule per direction for each private range, logged
    for private_addr in $rfc1918
    do
        $fwcmd add deny log ip from $private_addr to any via $outdev
        $fwcmd add deny log ip from any to $private_addr via $outdev
    done
    ---- File continues --------

Here is the situation:

- In the logging, dropped packets appear to be sent/received by the host on the home network and not by the ppp host (firewall box). My idea of ip aliasing is that the "local address" gets translated to that of the dialup device (dynamic, provided by ISP).
- To let the ip aliasing somehow do its work I have to allow traffic from 192.168.1.0/24 in and out of the outgoing device. This does not seem to me to be a good way to do this, does anyone know a better way?

Other questions and thoughts:

- Does the ip aliasing really work? I have taken all steps about ip aliasing mentioned in the PPP-pedantic-primer. Although I turned on logging for aliasing nothing showed up in the logs (not even with a working connection). RFC1918 addresses are not routable on the internet, so if you can browse the internet from the home network, it should work. Still I am not confident about it. I have not found a good way to test it except for setting up a dialup connection to my ISP, which works.
- How does the ip aliasing mechanism of user ppp work? I have searched the net, read the man pages, handbook, faq, ppp-primer but not found a satisfactory answer. What I am interested in is at what point the address translation happens. This is to get a better understanding about what ipfw rules to apply in this particular situation.
- Can someone point me to some GOOD documentation on the net about how to setup a dialup firewall/gateway using ipfw (and user ppp)? I have searched the net, what I found so far was more confusing than useful.

Thanks in advance for any information,

----------------------------------
Andre Goeree
E-Mail: abgoeree@uwnet.nl
----------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
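An added example (editor's, not from the original mail) of the rule set the situation above calls for; it assumes that user ppp performs the address translation in userland after a packet has left the kernel through tun0 (and before an inbound packet re-enters it), so ipfw on tun0 always sees the untranslated LAN addresses, and it blocks private ranges only in the direction where they cannot be legitimate. The variable name FWCMD is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: user ppp
# aliases addresses outside the kernel, so at the tun0 ipfw hook:
#   outbound: src is the LAN host (expected), dst must not be private
#   inbound:  dst is the LAN host (expected), src must not be private
# Blocking private src outbound or private dst inbound (as the
# direction-less "via" rules do) therefore kills all NAT'd traffic.
outdev="tun0"
rfc1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rules by default so this runs anywhere; on the firewall
# box set FWCMD=ipfw (assumed variable name) to load them for real.
fwcmd="${FWCMD:-echo ipfw}"

rfc1918_rules() {
    for private_addr in $rfc1918
    do
        # spoofed private source arriving from the ISP side
        $fwcmd add deny log ip from $private_addr to any in via $outdev
        # private destination leaking out towards the ISP
        $fwcmd add deny log ip from any to $private_addr out via $outdev
    done
}

# Sanity check: count rules that would match the NAT'd LAN traffic
# itself (private src going out, or private dst coming in). Expect 0.
bad_rule_count() {
    rfc1918_rules | grep -c -E \
        'from (10|172|192)[^ ]* to any out via|to (10|172|192)[^ ]* in via' \
        || true
}

rfc1918_rules
echo "rules that would break NAT: $(bad_rule_count)"
```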
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006122206.AAA18483>