Date:      Mon, 14 Feb 2005 14:50:01 +0100
From:      Hiram Abiff <domain.admin@online.ie>
To:        freebsd-questions@freebsd.org
Subject:   ppp_mode and ipfw
Message-ID:  <1108389001.4210ac89766a6@mail.online.ie>

Hi!

I've been trying to set up ipfw on my FreeBSD box
which I use as a gateway to the Internet on my LAN.

I compiled the kernel with options IPFIREWALL and IPDIVERT,
edited rc.conf and some other files.

Now I have 2 problems:

1.) Each time FreeBSD boots, ppp automatically establishes
a connection via ISDN. I do not want it to do that; I want
the connection to be established when one of the other
2 boxes I have on my LAN runs software that demands an
Internet connection.

For example, if I run Firefox on my Linux box, I want
the FreeBSD box to receive the Linux box's request
for a connection and dial my ISP via ISDN.

In rc.conf I set ppp_mode="auto" because in ppp's man
page it says that this is the correct mode for
on-demand connection.

2.) Although I set up my firewall rules, I cannot access
anything on the outside net anymore, and my other
2 boxes can't access the Internet after setting up the
firewall. Also I cannot access the Squid proxy I set up
on my FreeBSD box anymore. All of this was working
before I set up the firewall. What am I doing wrong?
Why can't I access the net outside my home LAN and
why doesn't Squid work anymore?

Here's my firewall rule file:

fwcmd="/sbin/ipfw"


#Outside interface
oif="tun0"


#Inside interface
iif="rl0"


# Force a flushing of the current rules before reload
$fwcmd -f flush


#Check the state of all packets
$fwcmd add check-state


#Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via oif


# Allow all data from my network card and localhost
$fwcmd add allow all from any to any via lo0
$fwcmd add allow ip from any to any via $ii0


# Allow all connections that I initiate
$fwcmd add allow tcp from any to any out xmit oif setup


# Once connections are made, allow them to stay open
$fwcmd add allow tcp from any to any via oif established


# Everyone on the internet is allowed to connect
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 8080 setup
$fwcmd add allow tcp from any to any 53 setup
$fwcmd add allow tcp from any to any 4662 setup
$fwcmd add allow udp from any to any 4672 setup


# This sends a RESET to all ident packets
$fwcmd add reset log tcp from any to any 113 in recv oif


# Allow outgoing DNS queries ONLY to the specified servers


$fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
$fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0


# Allow them back in with the answers


$fwcmd add allow udp from 161.53.114.135 53 to any in recv oif
$fwcmd add allow udp from 161.53.114.145 53 to any in recv oif


# Allow ICMP
$fwcmd add 65435 allow icmp from any to any


# Deny all the rest.
#$fwcmd add 65435 deny log ip from any to any



--
"It was as though a veil had been rent. I saw on that ivory face
the expression of sombre pride, of ruthless power,
of craven terror -- of an intense and hopeless despair.
Did he live his life again in every detail of desire,
temptation, and surrender during that supreme moment
of complete knowledge?"
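
The same ruleset with the defects that keep it from working corrected, as an added example written for this thread (not the poster's file and not FreeBSD project code): the literal `via oif` and the undefined `$ii0` become the real interface names, `setup` is dropped from the UDP rule, the NAT divert moves ahead of the filter rules, Squid's port is no longer opened towards the Internet, and the final deny is re-enabled. The interface names and the two DNS servers come from the post; the natd port and the kernel's default-deny rule are assumptions about the poster's setup.

```sh
#!/bin/sh
# Corrected version of the ruleset quoted in the post (added example, not the
# poster's file). Same interfaces and DNS servers as the post. Assumes natd runs
# on the default divert port and the kernel's default rule is deny (IPFIREWALL
# without IPFIREWALL_DEFAULT_TO_ACCEPT).
# Default is a dry run that prints the rules; set IPFW=/sbin/ipfw to load them.
IPFW="${IPFW:-echo /sbin/ipfw}"

oif="tun0"                     # outside (PPP) interface
iif="rl0"                      # inside (LAN) interface
dns1="161.53.114.135"          # ISP resolvers from the post
dns2="161.53.114.145"

apply_rules() {
    $IPFW -f flush
    # NAT first, so every later rule sees inside addresses. The original wrote
    # "via oif", a literal interface name that never matches, so nothing was NATed.
    $IPFW add divert natd ip from any to any via "$oif"
    # Trust loopback and the LAN side. The original referenced $ii0, an undefined
    # variable that expands to nothing and makes the rule fail to load.
    $IPFW add allow ip from any to any via lo0
    $IPFW add allow ip from any to any via "$iif"
    # TCP sessions started from inside, and their return traffic
    $IPFW add allow tcp from any to any out xmit "$oif" setup
    $IPFW add allow tcp from any to any via "$oif" established
    # Services offered to the Internet. Squid (8080) is deliberately not in this
    # list: the LAN reaches it through the $iif rule, and opening it on $oif
    # would make the box an open proxy.
    for port in 22 21 53 4662; do
        $IPFW add allow tcp from any to any "$port" in recv "$oif" setup
    done
    # "setup" is a TCP-only flag; a UDP rule carrying it is rejected by ipfw.
    $IPFW add allow udp from any to any 4672 in recv "$oif"
    # Reset ident probes so remote servers do not wait on a timeout
    $IPFW add reset log tcp from any to any 113 in recv "$oif"
    # DNS only to the ISP's resolvers, and their answers back
    for s in "$dns1" "$dns2"; do
        $IPFW add allow udp from any to "$s" 53 out xmit "$oif"
        $IPFW add allow udp from "$s" 53 to any in recv "$oif"
    done
    $IPFW add allow icmp from any to any
    # Explicit logged deny: the kernel default rule 65535 drops silently, so
    # leaving this commented out (as in the post) hides what is being blocked.
    # Logging needs options IPFIREWALL_VERBOSE or net.inet.ip.fw.verbose=1.
    $IPFW add 65435 deny log ip from any to any
}
apply_rules
```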