firewall

Bob Hall rjhjr at cox.net
Wed Sep 17 11:29:24 PDT 2003 

At this point, I'm a little confused. You said previously that 
this would be the only machine that accessed the Internet via 
PPP. Now you're setting it up as the gateway, which means that 
other machines will be accessing the Internet via PPP on your 
gateway.

To reiterate from an earlier post, you have three options:
1) This is not a gateway. You need PPP and a firewall.

2) This is a gateway. You need PPP, a firewall, and NAT 
implemented via user PPP.

3) This is a gateway. You need PPP, a firewall, and NAT 
implemented via the firewall. 

Decide on an option, and tell us which you're going to 
implement.

On Wed, Sep 17, 2003 at 05:23:25PM +0800, Robert Storey wrote:
> In the continuing saga of my firewall configuration...
> 
> One kind member of this list suggested I must compile this into my
> kernel:
> 
>     options IPDIVERT

You need that only for option 3.

You also need 
	options         IPFIREWALL
for any of the three options.

> So I did that, and it made a difference though it didn't solve the
> problem. Previously, whenever I started ppp, if I attempted to ping I
> would get this error message:
> 
> bob at sonic:~> ping slashdot.org
>  ping: cannot resolve slashdot.org: Host name lookup failure
> 
> Now when I ping, I get no response - no error messages, but no other
> feedback. I think this is an improvement, but something is still
> preventing me from getting a response from ppp.
> 
> To reiterate, this is everything I've done so far:
> 
> FROM /etc/rc.conf:
> 
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="simple"
> natd_enable="YES"
> natd_interface="ppp0"
> 
> FROM /etc/rc.firewall:
> 
> # set these to your outside interface network and netmask and ip
> oif="ppp0"
> onet="168.95.0.0"
> omask="255.255.255.255"
> oip="168.95.0.0"

oip = Outer IP address. 168.95.0.0 is not your oip. Once again, 
the oip is found in the ppp0 section of the output from "ifconfig -a".
It changes every time you dial up.
 
> # set these to your inside interface network and netmask and ip
> iif="vr0"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.2"
> 
> Kernel recompile:
>     options IPDIVERT

See above.
 
> CONTENT OF /etc/hosts:
> #
> ::1			localhost localhost.utopia.com
> 127.0.0.1		localhost localhost.utopia.com
> #
> 192.168.0.3	ibm.utopia.com	ibm
> 192.168.0.2	sonic.utopia.com	sonic
> 192.168.0.1	pro.utopia.com	pro

I use local DNS, so I've never manually written anything in my 
hosts file, but I think you need to add an address for DNS lookup. 
It's possible that this is entered automatically when you dial up. 
As I said, I don't do DNS this way, so I'm not sure how your setup 
should work.
 
> I also used sysinstall to designate this machine as a gateway. Was that
> the right thing to do?

Tell us whether or not you've decided to use this machine as a gateway.
You can't proceed, and we can't help you, until you make that decision.

If you decide to use this machine as a gateway, then you have to decide 
how you're going to implement NAT. Again, you can't proceed, and we can't 
help you, until you decide. You have to pick one of the three options 
listed at the top.

Bob Hall

More information about the freebsd-questions mailing list