firewall
Bob Hall
rjhjr at cox.net
Wed Sep 17 11:29:24 PDT 2003
At this point, I'm a little confused. You said previously that
this would be the only machine that accessed the Internet via
PPP. Now you're setting it up as the gateway, which means that
other machines will be accessing the Internet via PPP on your
gateway.
To reiterate from an earlier post, you have three options:
1) This is not a gateway. You need PPP and a firewall.
2) This is a gateway. You need PPP, a firewall, and NAT
implemented via user PPP.
3) This is a gateway. You need PPP, a firewall, and NAT
implemented via the firewall.
Decide on an option, and tell us which you're going to
implement.
On Wed, Sep 17, 2003 at 05:23:25PM +0800, Robert Storey wrote:
> In the continuing saga of my firewall configuration...
>
> One kind member of this list suggested I must compile this into my
> kernel:
>
> options IPDIVERT
You need that only for option 3.
You also need
options IPFIREWALL
for any of the three options.
> So I did that, and it made a difference though it didn't solve the
> problem. Previously, whenever I started ppp, if I attempted to ping I
> would get this error message:
>
> bob at sonic:~> ping slashdot.org
> ping: cannot resolve slashdot.org: Host name lookup failure
>
> Now when I ping, I get no response - no error messages, but no other
> feedback. I think this is an improvement, but something is still
> preventing me from getting a response from ppp.
>
> To reiterate, this is everything I've done so far:
>
> FROM /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="simple"
> natd_enable="YES"
> natd_interface="ppp0"
>
> FROM /etc/rc.firewall:
>
> # set these to your outside interface network and netmask and ip
> oif="ppp0"
> onet="168.95.0.0"
> omask="255.255.255.255"
> oip="168.95.0.0"
oip = Outer IP address. 168.95.0.0 is not your oip. Once again,
the oip is found in the ppp0 section of the output from "ifconfig -a".
It changes every time you dial up.
> # set these to your inside interface network and netmask and ip
> iif="vr0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.2"
>
> Kernel recompile:
> options IPDIVERT
See above.
> CONTENT OF /etc/hosts:
> #
> ::1 localhost localhost.utopia.com
> 127.0.0.1 localhost localhost.utopia.com
> #
> 192.168.0.3 ibm.utopia.com ibm
> 192.168.0.2 sonic.utopia.com sonic
> 192.168.0.1 pro.utopia.com pro
I use local DNS, so I've never manually written anything in my
hosts file, but I think you need to add an address for DNS lookup.
It's possible that this is entered automatically when you dial up.
As I said, I don't do DNS this way, so I'm not sure how your setup
should work.
> I also used sysinstall to designate this machine as a gateway. Was that
> the right thing to do?
Tell us whether or not you've decided to use this machine as a gateway.
You can't proceed, and we can't help you, until you make that decision.
If you decide to use this machine as a gateway, then you have to decide
how you're going to implement NAT. Again, you can't proceed, and we can't
help you, until you decide. You have to pick one of the three options
listed at the top.
Bob Hall
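A consistency check for the oip point made above, added here as an example and not code from the thread or from FreeBSD's own rc scripts: it pulls the ppp0 address out of "ifconfig -a" text and verifies that the rc.firewall oip/onet/omask values agree with it. The ifconfig output and the 168.95.x.x addresses are constructed; on a live box you would pipe in the real "ifconfig -a" after the link comes up, since the address changes on every dial-up.

```shell
#!/bin/sh
# Constructed sample of "ifconfig -a" output on a dialed-up FreeBSD box.
# The ppp0 addresses are made up; on a real box, replace this variable with
# the output of: ifconfig -a
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 168.95.123.45 --> 168.95.0.1 netmask 0xffffffff'

# iface_inet IFACE: print the inet address of IFACE from ifconfig text on stdin.
# Interface blocks start with "name:" in column 1; address lines are indented.
iface_inet() {
    awk -v want="$1:" '
        $1 ~ /^[a-z]+[0-9]*:$/ { cur = $1 }
        cur == want && $1 == "inet" { print $2; exit }'
}

# ip2int A.B.C.D: dotted quad as a 32-bit integer (printf avoids awk's %.6g rounding)
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# in_net IP NET MASK: succeed when IP falls inside NET/MASK
in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# check_outer OIP ONET OMASK: succeed only if OIP is what ppp0 really has
# and ONET/OMASK actually contain it; both conditions fail for the posted values.
check_outer() {
    actual=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_inet ppp0)
    [ "$1" = "$actual" ] && in_net "$1" "$2" "$3"
}

# Example run: the posted rc.firewall values vs. values that match the sample link
check_outer 168.95.0.0 168.95.0.0 255.255.255.255 || echo "posted oip/onet/omask: mismatch"
check_outer 168.95.123.45 168.95.0.0 255.255.0.0 && echo "oip from ifconfig, onet/omask /16: ok"
```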