building a routing machine
Vitali Malicky
life at zone3000.net
Fri Jul 18 01:00:33 PDT 2003
> Hi folks,
hi, man.
>
> I've enabled routed on both systems, (-s on the webserver, -q on the
it's not necessary at all!
set your default router in rc.conf (ask your University admin about its IP)
you just look at "sysctl -a net.inet.ip.forwarding"
if it equals "0" then "sysctl -w net.inet.ip.forwarding=1"
(in rc.conf this variable is set by gateway_enable="YES")
then you need a natd
just "touch /etc/natd.conf" and edit it so that it contains something like
# log translated sessions to syslog
log yes
#log_denied yes
# divert port natd listens on; matches the "natd" entry in /etc/services
port 8668
use_sockets yes
same_ports yes
# only rewrite packets whose source is a private (RFC 1918) address
unregistered_only yes
alias_address ???.???.???.??? #your PUBLIC IP
###
#EOF
###
run natd "/sbin/natd -f /etc/natd.conf &"
edit /etc/rc.firewall to contain approximately the following
#!/bin/sh
/bin/echo -n "Firewall... "
#################### Flush All Chains And Pipes ########################
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f pipe flush
#################### lo0 ###########################################
/sbin/ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
#################### public #########################################
# change fxp0 to your NIC name in both divert rules
/sbin/ipfw -q add 00002 divert natd all from any to any in recv fxp0
/sbin/ipfw -q add 00003 divert natd all from any to any out xmit fxp0
# (the allow rules for the traffic you actually want are left out of this
#  fragment; they go here, between the divert rules and the final deny)
#################### Firewall (icmp) ###################################
# /sbin/ipfw -q add 65527 deny icmp from any to ${LocalNET}
# /sbin/ipfw -q add 65528 deny icmp from ${LocalNET} to any
/sbin/ipfw -q add 65529 allow icmp from any to any
#################### Firewall Logging ###########################
# drop and log packets carrying record-route, timestamp or source-route options
/sbin/ipfw -q add 65530 deny log all from any to any ipopt rr
/sbin/ipfw -q add 65531 deny log all from any to any ipopt ts
/sbin/ipfw -q add 65532 deny log all from any to any ipopt ssrr
/sbin/ipfw -q add 65533 deny log all from any to any ipopt lsrr
# default deny: everything not allowed above is dropped and logged
/sbin/ipfw -q add 65534 deny log all from any to any
############
echo " configured."
###
(this is a fragment of my ip.firewall which is too long to quote here...)
and execute the file (chmod 500 rc.firewall, you know, first... ;))
it should work. if not, ufff... then you will have to rebuild the FBSD
kernel with IPDIVERT, IPFIREWALL and things, and things, and things... and
repeat what was said above...
I envy you if you're gonna do the kernel rebuild for the first time :) it's a
fascinating, absorbing and captivating procedure like playing chess with a
very strong chessplayer :)
see here
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
and good luck!!!
--
Error Code=-1 Continue?
Yes | No
--
> desktop) but that doesn't seem to be enough. I've read something about
> routing and gateways in the handbook, but I didn't quite get it. So can
> anyone help me out?
>
> Please CC me, I'm not (anymore) a user on this list. Thanks!
>
> --
> tcGB <>< Fi-Ji ><>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
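The pieces of Vitali's recipe (the forwarding sysctl check, the natd divert rules on the external NIC, and the logged default deny) put together as one script, as an added example that is not from the post or from FreeBSD's own rc.firewall. It keeps fxp0 from the post; the LAN 192.168.1.0/24 and public address 203.0.113.5 are constructed placeholders, and it adds anti-spoofing and "established"/keep-state rules the post's fragment leaves out.

```shell
#!/bin/sh
# Added example (not from the post): build the natd/ipfw ruleset from three
# parameters instead of hand-editing, and parse sysctl output to see whether
# forwarding still has to be switched on.  fxp0 is the NIC from the post;
# LAN 192.168.1.0/24 and public address 203.0.113.5 are constructed values.

# $1 is the output of "sysctl net.inet.ip.forwarding" ("name: value"); returns
# 0 when forwarding is off and must be enabled, 1 when on, 2 if unparsable.
forwarding_needed() {
    case "$1" in
        "net.inet.ip.forwarding: 0") return 0 ;;
        "net.inet.ip.forwarding: 1") return 1 ;;
        *) return 2 ;;
    esac
}

# Print the ruleset for external NIC $1, LAN $2, public IP $3, one "add ..."
# per line, ready for "ipfw -q <file>".  Site-specific allow rules (e.g.
# "add 02000 allow tcp from any to $pub 80 setup") belong in 02000-09999.
gen_rules() {
    nic=$1 lan=$2 pub=$3
    cat <<EOF
add 00001 allow ip from any to any via lo0
add 00002 deny log ip from any to 127.0.0.0/8
add 00003 deny log ip from 127.0.0.0/8 to any
add 00010 deny log ip from $lan to any in recv $nic
add 00020 divert natd ip from any to any in recv $nic
add 00021 divert natd ip from any to any out xmit $nic
add 01000 allow tcp from any to any established
add 01010 allow udp from any to any 53 keep-state
add 01020 allow ip from $lan to any
add 01030 allow ip from $pub to any out xmit $nic
add 10000 deny log tcp from any to any in recv $nic setup
add 10010 allow tcp from any to any setup
add 10020 allow icmp from any to any
add 65530 deny log ip from any to any ipopt rr
add 65531 deny log ip from any to any ipopt ts
add 65532 deny log ip from any to any ipopt ssrr
add 65533 deny log ip from any to any ipopt lsrr
add 65534 deny log ip from any to any
EOF
}

# Apply only when invoked as "sh script.sh apply" on a FreeBSD box.
if [ "${1:-}" = apply ] && [ "$(uname -s)" = FreeBSD ]; then
    forwarding_needed "$(sysctl net.inet.ip.forwarding)" &&
        sysctl -w net.inet.ip.forwarding=1
    gen_rules fxp0 192.168.1.0/24 203.0.113.5 > /tmp/ipfw.rules
    /sbin/ipfw -q -f flush && /sbin/ipfw -q /tmp/ipfw.rules
fi
```

Rule 00010 drops packets arriving on the external NIC that claim a LAN source, and 10000 logs every inbound connection attempt the site rules did not explicitly allow, so the log shows what is knocking.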