building a routing machine

Vitali Malicky life at zone3000.net
Fri Jul 18 01:00:33 PDT 2003



> Hi folks,
hi, man.

>
> I've enabled routed on both systems, (-s on the webserver, -q on the


it's not necessary at all!

set your default router in rc.conf (ask your University admin about its IP)

you just look at "sysctl -a net.inet.ip.forwarding"
if it equals "0" then "sysctl -w net.inet.ip.forwarding=1"
(in rc.conf this variable is set by gateway_enable="YES")

then you need a natd
just "touch /etc/natd.conf" and edit it so that it contains something like

log yes
#log_denied yes
port 8668
use_sockets yes
same_ports yes
unregistered_only yes
alias_address ???.???.???.??? #your PUBLIC IP
###
#EOF
###


run natd "/sbin/natd -f /etc/natd.conf &"

edit /etc/rc.firewall to contain approximately the following

#!/bin/sh
/bin/echo -n "Firewall... "
#################### Flush All Chains And Pipes ########################
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f pipe flush
#################### lo0 ###########################################
/sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
#################### public #########################################
# change fxp0 to your NIC name in the two divert rules below
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0
#################### Firewall (icmp) ###################################
# /sbin/ipfw -q add 65527 deny icmp from any to ${LocalNET}
# /sbin/ipfw -q add 65528 deny icmp from ${LocalNET} to any
/sbin/ipfw -q add 65529 allow icmp from any to any
#################### Firewall Logging ###########################
# drop and log packets carrying IP options (record route, timestamp, source routing)
/sbin/ipfw -q add 65530 deny log all from any to any ipopt rr
/sbin/ipfw -q add 65531 deny log all from any to any ipopt ts
/sbin/ipfw -q add 65532 deny log all from any to any ipopt ssrr
/sbin/ipfw -q add 65533 deny log all from any to any ipopt lsrr
/sbin/ipfw -q add 65534 deny log all from any to any
############
echo " configured."
###

(this is a fragment of my ip.firewall which is too long to quote here...)


and execute the file (chmod 500 rc.firewall, you know, first... ;))

it should work. if not, ufff... then you will have to rebuild the FBSD
kernel with IPDIVERT, IPFIREWALL and things, and things, and things... and
repeat what was said above...

I envy you if you're gonna do the kernel rebuild for the first time :) it's a
fascinating, absorbing and captivating procedure, like playing chess with a
very strong chess player :)

see here
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
and good luck!!!

--
Error Code=-1 Continue?
              Yes | No
--



> desktop) but that doesn't seem to be enough. I've read something about
> routing and gateways in the handbook, but I didn't quite get it. So can
> anyone help me out?
>
> Please CC me, I'm not (anymore) a user on this list. Thanks!
>
> --
> tcGB <>< Fi-Ji ><>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
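A small checker for the two files this reply describes, added here as an example that is not from the thread or from FreeBSD itself: it parses an rc.firewall fragment like the one above together with the natd.conf template and reports the mistakes that most often leave the box not forwarding (divert rules that do not name the real NIC, divert rules numbered after the deny-all rule, the alias_address placeholder left in). The embedded rc.firewall and natd.conf strings are constructed from the thread's fragments; 203.0.113.5 in the example below is a documentation address, not a real one.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the thread's ipfw rules and natd.conf template (placeholder kept).
RC_FIREWALL = """ /sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0
# /sbin/ipfw -q add 65527 deny icmp from any to ${LocalNET}
 /sbin/ipfw -q add 65529 allow icmp from any to any
 /sbin/ipfw -q add 65534 deny log all from any to any
"""
NATD_CONF = """log yes
#log_denied yes
port 8668
alias_address ???.???.???.??? #your PUBLIC IP
"""

RULE_RE = re.compile(r'^\s*/sbin/ipfw\s+-q\s+add\s+(\d+)\s+(\S+)\s*(.*)$')

def parse_ipfw(script):
    """(number, action, body) for each active 'ipfw add' line; '#' comments are skipped."""
    found = (RULE_RE.match(line.split('#')[0]) for line in script.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3).strip()) for m in found if m]

def parse_natd(conf):
    """natd.conf as {option: value}, ignoring comments and blank lines."""
    lines = (line.split('#')[0].strip() for line in conf.splitlines())
    return dict(line.partition(' ')[::2] for line in lines if line)

def check_gateway(script, conf, nic):
    """List of problems found; an empty list means the ruleset and natd.conf fit NIC."""
    problems, rules = [], parse_ipfw(script)
    divert = [(n, b) for n, a, b in rules if a == 'divert' and nic in b.split()]
    for direction in ('in recv', 'out xmit'):
        if not any(f'{direction} {nic}' in b for _, b in divert):
            problems.append(f'no "divert natd ... {direction} {nic}" rule')
    deny_all = [n for n, a, b in rules if a == 'deny' and b.endswith('all from any to any')]
    if not deny_all:
        problems.append('no final deny-all rule')
    elif divert and max(n for n, _ in divert) > deny_all[0]:
        problems.append('divert rules numbered after the deny-all rule never see traffic')
    try:
        ip_address(parse_natd(conf)['alias_address'])
    except (KeyError, ValueError):
        problems.append('alias_address is missing or not an IP (placeholder left in?)')
    return problems

if __name__ == '__main__':
    print(check_gateway(RC_FIREWALL, NATD_CONF.replace('???.???.???.???', '203.0.113.5'), 'fxp0'))
```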


