Date:      Mon, 8 Oct 2001 18:59:58 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <questions@freebsd.org>
Subject:   Firewall Concepts
Message-ID:  <002001c15066$19bd7ee0$030aa8c0@bigdaddy>

I have an ADSL connection for my home LAN.  I'm using a 3Com
OfficeConnect 812 router that I purchased from the local telco.  The
router has 4 LAN ports and 1 WAN port.  Originally it was configured
as a router running NAT and has worked fine, but it provides little to no
logging of packets sent to it.  Thus, I decided to try to configure
the 3Com 812 to send everything to a FBSD 4.4 box with 2 NICs and run
the firewall on FBSD.

The FBSD box is configured as a wide open firewall for testing, as you
can see from the first two lines.  Here's the output from ipfw show:

00050 1029  75770 divert 8668 ip from any to any via ed1
00060 1637 159293 allow ip from any to any
00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    0      0 allow ip from any to any via ed0
00501    0      0 check-state
00502    0      0 deny tcp from any to any in established
00503    0      0 allow tcp from any to any keep-state out setup
65500    0      0 deny ip from any to any
65535    0      0 allow ip from any to any

Also, I'm running natd, and have gateway enabled in my rc.conf.  Here
are the relevant lines:

# I'm not sure what this should be set to
defaultrouter="192.168.10.1"

ifconfig_ed0="inet 192.168.1.2  netmask 255.255.255.0"   # LAN side (192.168.1.x boxes)
ifconfig_ed1="inet 192.168.10.2  netmask 255.255.255.0"  # side facing the 3Com 812
gateway_enable="YES"             # forward packets between ed0 and ed1
natd_enable="YES"
natd_interface="ed1"             # natd translates on the 812-facing interface
natd_flags="-log"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"  # rc.firewall loads the rules from this file
firewall_logging="YES"
log_in_vain="YES"

This is my network layout:

        ISP
         |
         | IP is DHCP
         |
     3Com 812
         |
         |192.168.1.1
         |
   -----------------  IPs 192.168.1.x
   |     |    |    |
Box 1    2    3    4


This is what I am trying to do:

        ISP
         |
         | IP is DHCP
         |
     3Com 812
         |192.168.10.1
         |
         |192.168.10.2
    FBSD 4.4 Box
         |
         |192.168.1.2
         |
   -----------------  IPs 192.168.1.x
   |     |    |    |  Gateway 192.168.1.2
Box 1    2    3    4

So my first thought was to configure the 812 as a bridge because as I
understand it, a bridge just passes packets from one side to the
other.  But this doesn't seem to work at all, probably because the
public interface on the FBSD router doesn't have a "real" address.  I
tried setting the public interface for DHCP but it never received a
lease.

Next I configured my 812 back to a router but could not get out to the
Internet unless I enabled NAT on the 812.  When I did that, I had
Internet access from all of my boxes but was back to my 812 doing the
routing and NAT so I didn't gain anything.

So I guess what I'm asking is which direction to pursue.  All I really
want is my 812 router to take *everything* it gets and pass it to
192.168.10.2 so that the FBSD firewall can take care of it.  Am I
barking up the wrong tree?  Any suggestions?

Another approach that might work is to configure the 812 router for
NAT and then set the default workstation address to the FBSD box.  If
this is a reasonable thing to try, would I remove natd and replace it
with routed?

Any suggestions or advice will be greatly appreciated.  I'd really
like to learn this stuff and *understand* what it is that I'm doing.

Thanks,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
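The listing above is deliberately wide open for testing, and the counters show the consequence: rule 00060 matches every packet, so rules 00100 through 65535 have never seen one. The following is an added example, not code from Drew's message or from FreeBSD's ipfw: a small Python lint that parses `ipfw show` output and reports every rule sitting below an unqualified terminating catch-all (`allow`/`deny ip from any to any` with no interface, direction or state qualifier). The rule-line format it accepts, the set of actions it treats as terminating, and the sample listing (copied from the post) are assumptions of this example; `ipfw` is not run. It also shows what remains shadowed once the test rule 60 is removed, which is what a practitioner would check before trusting the rest of the set.

```python
"""Find ipfw rules that can never be reached.

Added example, not part of the original post.  ipfw walks rules in
ascending number order and stops at the first terminating rule (allow,
deny, ...) that matches, so everything below `allow ip from any to any`
is dead code.  The zero packet counters on the later rules in the
listing above are the visible symptom.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the `ipfw show` listing from the post.
SAMPLE_LISTING = """\
00050 1029  75770 divert 8668 ip from any to any via ed1
00060 1637 159293 allow ip from any to any
00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    0      0 allow ip from any to any via ed0
00501    0      0 check-state
00502    0      0 deny tcp from any to any in established
00503    0      0 allow tcp from any to any keep-state out setup
65500    0      0 deny ip from any to any
65535    0      0 allow ip from any to any
"""

# Assumption of this example: actions that end processing for a matching
# packet.  divert, tee, count and check-state are left out on purpose: the
# packet (or its natd reinjection) keeps walking the list after them.
TERMINATING = {"allow", "accept", "pass", "permit",
               "deny", "drop", "reject", "reset", "unreach"}
# Actions followed by an argument (e.g. the natd port after "divert").
ACTIONS_WITH_ARG = {"divert", "tee", "skipto", "pipe", "queue", "unreach"}

# number, packet count, byte count, action, optional packet pattern
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(?:\s+(.*))?$")


class Rule(NamedTuple):
    number: int
    packets: int
    octets: int
    action: str
    body: str  # pattern after the action, e.g. "ip from any to any via ed1"


def parse_listing(text: str) -> List[Rule]:
    """Parse `ipfw show` output; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        number, packets, octets, action, rest = m.groups()
        rest = rest or ""
        if action in ACTIONS_WITH_ARG:
            # strip the argument so only the packet pattern remains
            rest = rest.split(None, 1)[1] if " " in rest else ""
        rules.append(Rule(int(number), int(packets), int(octets),
                          action, rest.strip()))
    return sorted(rules, key=lambda r: r.number)


def is_catch_all(rule: Rule) -> bool:
    """A terminating rule whose pattern matches every packet everywhere."""
    return rule.action in TERMINATING and rule.body == "ip from any to any"


def shadowed_rules(rules: List[Rule]) -> Dict[int, int]:
    """Map each unreachable rule number to the catch-all that shadows it."""
    shadowed: Dict[int, int] = {}
    blocker: Optional[int] = None
    for rule in rules:
        if blocker is not None:
            shadowed[rule.number] = blocker
        elif is_catch_all(rule):
            blocker = rule.number
    return shadowed


def counters_agree(rules: List[Rule], shadowed: Dict[int, int]) -> bool:
    """Cross-check: every rule reported as shadowed has a zero packet count."""
    by_number = {r.number: r for r in rules}
    return all(by_number[n].packets == 0 for n in shadowed)


def without(rules: List[Rule], number: int) -> List[Rule]:
    """The ruleset as `ipfw delete <number>` would leave it."""
    return [r for r in rules if r.number != number]


def report(rules: List[Rule]) -> None:
    for n, b in sorted(shadowed_rules(rules).items()):
        print(f"rule {n:05d} unreachable: rule {b:05d} matches everything first")


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    report(rules)                 # 00100 .. 65535 shadowed by 00060
    print("-- after deleting the test rule 60 --")
    report(without(rules, 60))    # only 65535, shadowed by the deny at 65500
```

With the test rule removed, the only remaining shadow is rule 65535 behind the explicit default deny at 65500, which is the intended shape of a default-deny set. Any other zero-counter rule that survives that second run is worth a closer look, because a quiet rule in a live ruleset is either unreachable or protecting a path no packet has taken yet.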