DSL LAN Sharing with FreeBSD-5.3+natd+ipfw
Edwin D. Vinas
xmisoy at gmail.com
Wed Mar 16 19:15:27 PST 2005
Hi,
How do I permanently set the rules for ipfw? Whenever I restart my
FreeBSD server, which has natd and the firewall enabled, ipfw returns to
the default, which is "65535 151 14646 deny ip from any to any", so I need
to repeat "ipfw -f flush" and execute the commands below so that my
LAN can access the Internet.
Simple ruleset that must appear when "ipfw show" is executed:
00100 28 2096 divert 8668 ip from any to any via dc0
00200 37 3147 allow ip from any to any
65535 151 14646 deny ip from any to any
Do you have an ideal set of ipfw rules that I can follow for a setup which
consists of FreeBSD-5.3, natd, a firewall, and a DSL (static IP)
connection? I just need to prevent, as much as possible, attacks/viruses/worms
from the outside world reaching my LAN.
-edwin
--
Edwin D. Viñas
http://www.geocities.com/edwin_vinas/
IN THE WORLD OF SCIENCE,
NOTHING IS IMPOSSIBLE.
-------------- next part --------------
#--March 16, 2005
- users: misoy/edv; root/mfr
- installed snmp(comstring edvgrfr)
- installed MRTG (/usr/local/etc/mrtg)
- installed firefox (so long to install via ports)
- IP addresses:
rl0 192.168.0.1
dc0 203.215.106.226
- reconfigured kernel (KERNEDV) for natd and firewall
- natd/firewall
problem:
- cannot ping "denied", ipfw disable firewall
- natd -interface dc0
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via dc0
/sbin/ipfw add pass all from any to any
Current Configs:
@RC.CONF
# -- sysinstall generated deltas -- # Thu Mar 17 05:38:59 2005
# Created: Thu Mar 17 05:38:59 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.0.1"
gateway_enable="YES"
hostname="elive_server.elive.com"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
# added for natd and firewall
firewall_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-f /etc/natd.conf"
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# Enable network daemons for user convenience.
# Created: Wed Mar 16 22:01:13 2005
# -- sysinstall generated deltas -- # Wed Mar 16 22:01:13 2005
ifconfig_dc0="inet 203.215.106.226 netmask 255.255.255.0"
defaultrouter="203.215.106.1"
hostname="elive_server.elive.com"
@natd.conf
interface dc0
use_sockets yes
same_ports yes
@ipfw show
00100 28 2096 divert 8668 ip from any to any via dc0
00200 37 3147 allow ip from any to any
65535 151 14646 deny ip from any to any
= can ping Internet and LAN IPs from the server
- LAN PC can ping server NIC1 and NIC2, but can't ping the Internet
WORKING SCENARIO:
- Restart/Turn on machine.
- check if natd is running with correct interface
- check if ipfw contains the same rules as above (check interface)
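Why the rules vanish on reboot: the rc.conf above sets firewall_enable="YES" but neither firewall_type nor firewall_script, so /etc/rc.d/ipfw sources the default /etc/rc.firewall, whose firewall_type defaults to UNKNOWN and installs nothing. Only the kernel's built-in rule 65535 (deny, because the kernel was not built with IPFIREWALL_DEFAULT_TO_ACCEPT) is left. The rules below are an added example written for this thread, not the poster's file and not a FreeBSD stock script. It assumes the interfaces from the post (dc0 = DSL with the static address, rl0 = LAN 192.168.0.0/24), natd started as in rc.conf, and a kernel with IPFIREWALL, IPDIVERT and IPFIREWALL_VERBOSE; the file name /etc/ipfw.rules, the EXT_IF/INT_IF/LAN_NET/IPFW_DRYRUN variables and the rule numbers are this example's own choices. It is stateful: inbound packets are de-NATed by natd before the state lookup, and outbound packets create state with their untranslated LAN address before being handed to natd via skipto, which is the ordering that makes keep-state and divert work together.

```shell
#!/bin/sh
# /etc/ipfw.rules: stateful ipfw ruleset for a FreeBSD 5.3 NAT gateway.
# Added example for the setup in the post, not the poster's own file.
# Assumed layout: dc0 faces the DSL line (static IP), rl0 faces the LAN
# 192.168.0.0/24, natd is running on dc0 (divert port "natd" = 8668 in
# /etc/services) and the kernel has IPFIREWALL, IPDIVERT, IPFIREWALL_VERBOSE.
#
# To load it at every boot, put in /etc/rc.conf:
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
# /etc/rc.d/ipfw then sources this file instead of /etc/rc.firewall.

ext_if="${EXT_IF:-dc0}"
int_if="${INT_IF:-rl0}"
lan_net="${LAN_NET:-192.168.0.0/24}"

# load_rules takes the ipfw command to run for each rule, so the same
# function can do a dry run:  load_rules echo
load_rules() {
    fw="$1"

    $fw -f flush

    # Loopback: allow it, and drop anything on the wire claiming 127/8.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any
    # The LAN interface is trusted; every packet on it is accepted here.
    $fw add 130 allow ip from any to any via $int_if

    # Inbound on the DSL side: let natd rewrite the destination FIRST,
    # then consult the state table.  Dynamic rules were created with the
    # untranslated LAN addresses (see the skipto rules below), so a state
    # lookup can only match the de-NATed packet.
    $fw add 200 divert natd ip from any to any in via $ext_if
    $fw add 210 check-state

    # Anti-spoofing: LAN or private sources never arrive from the Internet.
    $fw add 300 deny ip from $lan_net to any in via $ext_if
    $fw add 310 deny ip from 10.0.0.0/8 to any in via $ext_if
    $fw add 320 deny ip from 172.16.0.0/12 to any in via $ext_if
    $fw add 330 deny ip from 192.168.0.0/16 to any in via $ext_if

    # Outbound sessions from the server or the LAN: record state for the
    # packet as it is now (LAN address), then jump to the NAT step at 800.
    # New TCP sessions must begin with a SYN ("setup").
    $fw add 400 skipto 800 tcp from any to any out via $ext_if setup keep-state
    $fw add 410 skipto 800 udp from any to any out via $ext_if keep-state
    $fw add 420 skipto 800 icmp from any to any out via $ext_if keep-state

    # Services the Internet may open to this box: SSH only.
    $fw add 500 allow tcp from any to me 22 in via $ext_if setup keep-state
    # ICMP that outbound sessions depend on: echo reply, unreachable
    # (includes "fragmentation needed" for path MTU) and time exceeded.
    $fw add 510 allow icmp from any to any in via $ext_if icmptypes 0,3,11

    # Everything not matched above is dropped and logged.
    $fw add 700 deny log ip from any to any

    # NAT step, reached only via skipto 800 or via a state match whose
    # parent rule is one of the skipto rules.  Outbound packets get their
    # source rewritten by natd; inbound state matches do not match 800
    # (they are "in") and simply fall through to the allow, because natd
    # already handled them at rule 200.
    $fw add 800 divert natd ip from any to any out via $ext_if
    $fw add 810 allow ip from any to any
}

# On the gateway, as root, load for real; anywhere else (or with
# IPFW_DRYRUN=1) only print the rules so their order can be reviewed.
if [ "${IPFW_DRYRUN:-0}" != 1 ] && [ "$(id -u)" = 0 ] && [ -x /sbin/ipfw ]; then
    load_rules "/sbin/ipfw -q"
else
    load_rules echo
fi
```

Review the output of `IPFW_DRYRUN=1 sh /etc/ipfw.rules` before pointing firewall_script at the file: rc.d/ipfw sources it, so a syntax error there leaves only rule 65535 again. After a reboot, confirm with `ipfw -a list` that rules 200 and 800 show the right interface and with `ps ax | grep natd` that natd is on dc0; `sysctl net.inet.ip.fw.verbose` must be 1 for the `log` keyword to write anything. Reload from the console or the LAN side: the flush also drops the dynamic rules, and an SSH session coming in over dc0 would then fail rule 500 (no SYN) and be cut off. Add icmptype 8 to rule 510 only if the server must answer pings from the Internet.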