Port Forwarding
James Earl
jearl at telus.net
Thu Jan 22 10:24:28 PST 2004
If the variables for the 'SIMPLE' rules are set up properly, 'SIMPLE'
should be no different than using 'OPEN' from your win2k's perspective.
This is assuming you don't have a broken rc.firewall file.
Looking at your original post, your sample was missing the 'onet'
variable.
# set these to your outside interface network and netmask and ip
oif="rl0"
onet="???.???.???.???"
omask="255.255.255.0" <-- make sure this is right!!!
oip="me"
# set these to your inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.1"
imask="255.255.255.0"
iip="192.168.0.1"
Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration. I use:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT
Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the
Handbook.
IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security. If you are having troubles with connectivity, look
in /var/log/security to see if it shows what's being blocked and by what
rule.
Hope this helps.
James
On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
>
> I've configured my Win2k box to contact DNS directly, and both Direct
> Connect and VNC Server are running smoothly (port forwarding is being
> accomplished (per your suggestion) by natd.conf).
>
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm
> protection of its own); this is truly the only sticking point. I'm
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides
> an additional layer of protection to the gateway by preventing certain
> spoofing attacks. Unfortunately, I seem unable to switch the firewall
> type without crippling my Win2k box's functionality. Perhaps I'll give
> it a go again sometime in the future.
>
>
> Here's a copy of the relevant files:
>
> //natd.conf
>
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
>
> //rc.conf
>
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
>
> -R
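The following script is an added example and is not part of either message above or of FreeBSD's own rc.firewall; it checks the oif/onet/omask/oip and iif/inet/imask/iip variables James lists for the common mistakes (an unfilled placeholder, a host address where a network address belongs, a host IP outside its own network), prints the two anti-spoofing deny rules of the form the SIMPLE section builds from those variables, and verifies that every redirect_port target in a natd.conf lies on the inside network. The interface names, the outside network 203.0.113.0/24, and the sample natd.conf lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.firewall): sanity-check the
# variables that drive the 'SIMPLE' ruleset before enabling it, then print the
# anti-spoofing rules built from them. All addresses below are constructed.

ip2int() {                       # dotted quad -> 32-bit integer
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() {                   # network_of IP MASK -> network address of IP/MASK
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

in_subnet() {                    # in_subnet IP NET MASK -> true if IP is inside NET/MASK
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# check_simple_vars OIF ONET OMASK OIP IIF INET IMASK IIP
# Prints one line per problem found; returns non-zero if there were any.
check_simple_vars() {
    oif=$1 onet=$2 omask=$3 oip=$4 iif=$5 inet=$6 imask=$7 iip=$8
    rc=0
    for v in "$onet" "$omask" "$oip" "$inet" "$imask" "$iip"; do
        case $v in *\?*) echo "placeholder '$v' was never filled in"; return 1 ;; esac
    done
    [ "$oif" != "$iif" ] || { echo "oif and iif are the same interface ($oif)"; rc=1; }
    # onet/inet should be network addresses. ipfw's addr:mask form applies the
    # mask anyway, but a host address here usually signals a copy/paste slip.
    if [ "$(network_of "$onet" "$omask")" != "$onet" ]; then
        echo "onet=$onet is not a network address for $omask (want $(network_of "$onet" "$omask"))"; rc=1
    fi
    if [ "$(network_of "$inet" "$imask")" != "$inet" ]; then
        echo "inet=$inet is not a network address for $imask (want $(network_of "$inet" "$imask"))"; rc=1
    fi
    # 'me' is an ipfw keyword matching any local address, so it needs no range check.
    [ "$oip" = me ] || in_subnet "$oip" "$onet" "$omask" || { echo "oip=$oip is outside $onet/$omask"; rc=1; }
    [ "$iip" = me ] || in_subnet "$iip" "$inet" "$imask" || { echo "iip=$iip is outside $inet/$imask"; rc=1; }
    return $rc
}

# emit_spoof_rules OIF ONET OMASK IIF INET IMASK
# The two anti-spoofing rules: inside addresses may not arrive on the outside
# interface, and outside addresses may not arrive on the inside interface.
emit_spoof_rules() {
    echo "ipfw add deny all from $5:$6 to any in via $1"
    echo "ipfw add deny all from $2:$3 to any in via $4"
}

# check_redirects INET IMASK < natd.conf
# Every redirect_port target must be on the inside network, or the translated
# packet has nowhere to go. Returns non-zero if any target is off-net.
check_redirects() {
    rc=0
    while read -r kw proto target port rest; do
        [ "$kw" = redirect_port ] || continue
        host=${target%%:*}
        in_subnet "$host" "$1" "$2" || { echo "redirect_port $proto $target -> $host is outside $1/$2"; rc=1; }
    done
    return $rc
}

# Constructed sample modelled on the variables quoted in the thread, with
# inet deliberately set to a host address (192.168.0.1) to show the check firing.
if check_simple_vars rl0 203.0.113.0 255.255.255.0 me rl1 192.168.0.1 255.255.255.0 192.168.0.1; then
    emit_spoof_rules rl0 203.0.113.0 255.255.255.0 rl1 192.168.0.0 255.255.255.0
else
    echo "fix the variables above before switching firewall_type to SIMPLE"
fi
# Constructed natd.conf fragment: one good redirect, one pointing off the inside net.
printf 'redirect_port tcp 192.168.0.2:5900 5900\nredirect_port tcp 10.0.0.5:412 412\n' \
    | check_redirects 192.168.0.0 255.255.255.0 \
    || echo "one or more natd redirects point off the inside network"
```

Run it with `sh` on the gateway after pasting your real values into the two calls at the bottom; once check_simple_vars reports nothing, the printed deny rules are exactly what the SIMPLE ruleset will install for spoof protection, which is the easiest way to confirm they cannot be the rules blocking traffic to the inside host.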