Date: Tue, 20 Oct 1998 08:14:16 -0400
From: "Stephen A. Derdau" <sderdau@ne.mediaone.net>
To: Bryce Newall <data@dreamhaven.net>
Cc: FreeBSD Questions List <freebsd-questions@FreeBSD.ORG>
Subject: Re: More IPFW/natd trouble, but I'm close!
Message-ID: <362C7E98.29C056DD@ne.mediaone.net>
References: <Pine.NEB.3.96.981019221827.834A-100000@ds9.dreamhaven.org>
I'm new to this; here is what I came up with. Take any advice from me with a grain of salt :-)

Your setup seems similar to mine. I can ping from my 10.0.0.0 network going via natd over to my FreeBSD cable dhcpclient connection. I also start natd via /rc.d. However, in my rc.conf file I've commented out the configuration of my cable access card and left, say, ed1, the local network card, to be configured in rc.conf.... something similar to ed_1="inet 10.0.0.3 subnetmask 255.255.255.0", say .... my ed1 interface is not being reconfigured when it boots.

I've looked at your firewall and mine is similar; here are the exceptions.

ipfw -f flush
ipfw add divert natd all from any to any via ed0
ipfw add pass all from any to any

Yours:

ipfw -f flush
> ipfw add 1000 pass all from any to any via lo0
> ipfw add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
> ipfw add 65000 pass all from any to any
> ipfw add divert natd all from any to any via vx0
> ipfw add pass all from any to any

Good LUCK !!!! Hope I helped.

Bryce Newall wrote:
>
> Greetings!
>
> Thanks to everyone who helped me out so far with attempting to get some
> sort of gateway setup going on my FreeBSD machine. I'm still running into
> some difficulty, but I believe I'm getting close. Here's what I have so
> far:
>
> * Two 3C590 ethernet cards in the box, vx0 and vx1. vx0 is the interface
> to my cable modem (gets its IP via DHCP), and vx1 is the interface to the
> local network (configured as IP 10.0.0.1).
>
> * vx1 is configured at boot-up; vx0 is configured by the DHCP client.
> Side note: The @#%()^ ISC DHCP client resets vx1's IP to 0.0.0.0 when it
> runs, even though I specifically tell it vx0, so I end up having to add an
> additional ifconfig command to /etc/dhclient-script to put vx1's IP back
> at 10.0.0.1. However, that's easy enough.
>
> * At boot-up, my "firewall" is configured by /etc/rc.firewall, set up for
> an open firewall, so the following commands get executed:
>
> ipfw -f flush
> ipfw add 1000 pass all from any to any via lo0
> ipfw add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
> ipfw add 65000 pass all from any to any
> ipfw add divert natd all from any to any via vx0
> ipfw add pass all from any to any
>
> The 2nd and 3rd lines were in /etc/rc.firewall already, and it said that I
> shouldn't change 'em, so I didn't. The last two were added per
> instructions from the natd man page. I'm assuming vx0 is the correct
> interface, although I did also try it with vx1. My "firewall" here isn't
> much of a firewall; I just wanted to get it *working* at all before I
> started mucking with more strict firewall rules.
>
> * Finally, also at boot-up, /etc/rc.local runs natd with the following
> command line:
>
> /usr/sbin/natd -dynamic -interface vx0
>
> The problem I'm looking at right now is that another machine on my
> local network, configured as 10.0.0.2, can talk to my FreeBSD machine
> using the IP 10.0.0.1, but can't ping any outside hosts, which tells me
> I haven't properly configured the FreeBSD machine to pass packets to and
> from the outside world. I have compiled IPFIREWALL and IPDIVERT into my
> kernel, and have set firewall_enable to YES, firewall_type to OPEN, and
> gateway_enable to YES in /etc/rc.conf. I'm still new at this, and haven't
> been able to figure out what I'm doing wrong. Does anyone have any
> suggestions?
>
> Also, on a related note (after this problem gets fixed, of course)... I
> run a TetriNet server on my NT machine, which I want to keep behind the
> "firewall". Right now, the NT machine is still set up to use DHCP to get
> an IP address directly from my cable modem provider, and I have a CNAME
> set up in my DNS to point tetrinet.dreamhaven.org to the machine's "real"
> name, defiant.dreamhaven.org. Would there possibly be a way to set the
> CNAME to ds9.dreamhaven.org (the FreeBSD machine), and have natd direct
> any packets destined for that hostname over to defiant on the local
> network as 10.0.0.2 (i.e. not having defiant have a cable-ISP-provided
> IP)?
>
> Thanks once again in advance to the many gurus here! :)
>
> **********************************************************************
> * Bryce Newall * Email: data@dreamhaven.net *
> * WWW: http://home.dreamhaven.net/~data *
> * "Insanity takes its toll. Please have exact change." *
> **********************************************************************
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
When you find out the answer it's always something you thought you knew :-)
Answers here http://www.freeBSD.org/search
Happily Running!
FreeBSD 2.2.7-STABLE #0: Fri Oct 9 19:54:29 EDT 1998 sderdau@SDERDAU.ne.mediaone.net
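An added example, not from either poster's message: a small POSIX shell script that emits an ipfw ruleset in which the natd divert rule carries an explicit number below the catch-all "65000 pass all" rule. ipfw evaluates rules in number order and appends an unnumbered rule after the last existing one, so in the ruleset quoted above the divert rule lands behind 65000 and traffic is passed before it can reach natd. The external interface name (vx0) is taken from the quoted setup; the rule number 2000, the redirect host and the port are assumptions chosen here, and the -redirect_port line illustrates natd's own option for forwarding an inbound port to an internal host. With DRY_RUN set the script prints the commands instead of running ipfw, and check_order verifies the ordering.

```shell
#!/bin/sh
# Added example (not the thread's own configuration): build an ipfw/natd
# ruleset with the divert rule numbered below the catch-all pass rule.
EXT_IF="${EXT_IF:-vx0}"   # external interface, as in the quoted post

# Emit the rules in evaluation order. Every rule gets an explicit number so
# the divert (2000) is reached before the catch-all pass (65000). The number
# 2000 is an assumption; any value between 1010 and 65000 works.
natd_ruleset() {
    cat <<EOF
ipfw -f flush
ipfw add 1000 pass all from any to any via lo0
ipfw add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
ipfw add 2000 divert natd all from any to any via $1
ipfw add 65000 pass all from any to any
EOF
}

# Apply the ruleset by piping it to sh, or only print it when DRY_RUN is set.
apply_ruleset() {
    if [ -n "$DRY_RUN" ]; then
        natd_ruleset "$1"
    else
        natd_ruleset "$1" | sh
    fi
}

# Sanity check: the divert rule must come before the first catch-all pass
# rule in the emitted list. Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    natd_ruleset "$1" | awk '
        /divert natd/ { d = NR }
        /pass all from any to any$/ { if (!p) p = NR }
        END { exit !(d && p && d < p) }'
}

# Build the natd command line from the quoted post. When an inside host and a
# TCP port are given, add natd's -redirect_port option so inbound connections
# to that port on the external address go to the inside host; the host and
# port are placeholders supplied by the caller, not values from the thread.
natd_cmdline() {
    ext_if="$1"; inside_host="$2"; port="$3"
    cmd="/usr/sbin/natd -dynamic -interface $ext_if"
    if [ -n "$inside_host" ] && [ -n "$port" ]; then
        cmd="$cmd -redirect_port tcp $inside_host:$port $port"
    fi
    printf '%s\n' "$cmd"
}

# Usage: sh natd-rules.sh apply   (set DRY_RUN=1 to print instead of run)
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$EXT_IF"
    natd_cmdline "$EXT_IF"
fi
```

Run with DRY_RUN=1 first and compare the printed order against `ipfw list` on the gateway; the divert line should appear before 65000 in both.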