Setting a simple firewall for PPPoE connection

Paul Dufresne dufresnep at fastmail.fm
Sun Jun 12 04:43:16 GMT 2005


On Thu, 9 Jun 2005 18:22:45 +0200 (CEST), "P.U.Kruppa"
<root at pukruppa.de> said:
> On Thu, 9 Jun 2005, dk dkrules wrote:
> 
> > I am very disappointed. I have been looking on the net for 3 days now 
> > looking for easy setup guides or How to guides and setting up FreeBSD 5.x 
> > with transparent proxy and firewall and there simply is no easy way 
> > explaining to beginners how to do such a setup.
> 1) Before you start playing around with squid and firewall you
>     have to make sure your FreeBSD box works as a gateway.
> 2) When this is done look into google for setup of squid as a
>     transparent proxy (these are two or three entries in a config
>     file).
> 3) enable firewall in /etc/rc.conf with lines like
>     firewall_enable="YES"
>     firewall_script="/etc/firewall.conf"
> 4) edit your /etc/firewall.conf with something like
> 
>     ipfw add 500 fwd 127.0.0.1 tcp from any to any 80 recv rl0
>     ipfw add 60000 allow all from any to any
> 
>     where rl0 is the device name of your NIC.
> 5) reboot

Well, I feel a bit like the original poster.
I had in mind activating a firewall for my PPPoE connection,
a bit like it is easy to do on Windows XP.
So I began reading the handbook and found that there are mainly
3 different firewalls, and this left me with the problem of choosing
one. IPFW seems to have default rules that would at first glance
make it easy (would choose client setup for me). But then reading
through /etc/rc.firewall I concluded that I had to set my IP address
in it. But my ISP sets it dynamically with PPPoE, so I did not know
what to do next.

So I thought, reading the ppp man page (yes, I use the userland
ppp program, but I think that there is a pppoed somewhere that
I maybe should use instead), that there are some kind of firewall rules
that can be set inside ppp.conf. But I did not convince myself
that it would help me with the fact that my IP address is dynamic.

Now, maybe I can use 127.0.0.1 like you did in step 4 above, but
I don't really understand these rules yet. It looks to me like the
first one accepts HTTP traffic (port 80) and the second one
accepts all traffic. I would have expected that the second one
would refuse all traffic, leaving only traffic from the first
rule to go through.

But the main question is: "How to deal with dynamic IP
address when writing firewall rules?"
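An example ruleset for the dynamic-address case, added here and not written by anyone in the thread: ipfw rules can name the interface ("via tun0", the device userland ppp creates) and use the "me" keyword (any address currently configured on the host) instead of a fixed address, so the ISP-assigned address never appears in the script. Assumed: tun0 is the PPPoE link, and this is a single-host ruleset, not the gateway/transparent-proxy setup quoted in step 4.

```sh
#!/bin/sh
# Example /etc/firewall.conf (firewall_script) for a host whose PPPoE link
# gets a dynamic address. Rules name the interface and use "me", so the
# address assigned by the ISP is never written into the ruleset. Outbound
# connections are tracked with keep-state; unsolicited inbound traffic on
# the link is denied.

ext_if="${ext_if:-tun0}"   # PPPoE interface (assumption: userland ppp -> tun0)

# When reviewing the script on a host without ipfw, print instead of load.
if [ -x /sbin/ipfw ]; then fwcmd="/sbin/ipfw"; else fwcmd="echo ipfw"; fi

# Print the ruleset for the given external interface, one "add ..." per line.
pppoe_rules() {
    ext="$1"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from me to any out via $ext setup keep-state
add 600 allow udp from me to any out via $ext keep-state
add 700 allow icmp from any to any icmptypes 0,3,11 via $ext
add 800 deny ip from any to any in via $ext
add 900 allow ip from any to any
EOF
}
# Rule 900 plays the role of "ipfw add 60000 allow all from any to any":
# the kernel's final rule 65535 is deny unless it was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT, so traffic on other interfaces needs an
# explicit allow. Rule 800 blocks everything inbound on the PPPoE link
# that was not opened by a stateful rule above it.

# Flush the old ruleset and load the new one.
load_rules() {
    $fwcmd -f flush
    pppoe_rules "$ext_if" | while read -r rule; do
        $fwcmd $rule
    done
}

load_rules
```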
