firewall

Bob Hall rjhjr at cox.net
Tue Sep 16 08:01:31 PDT 2003


On Tue, Sep 16, 2003 at 06:17:13PM +0800, Robert Storey wrote:
> On Mon, 15 Sep 2003 18:56:07 -0400
> "Bob Hall" <rjhjr at cox.net> wrote:
> 
> > Another poster pointed out, and I seconded, that you need to set up 
> > NAT. There was no divert rule in your previous rule list, and you 
> > haven't mentioned setting up NAT, so I assume you still haven't done 
> > it. Without NAT, your gateway computer will be able to use PPP without
> > your previous firewall, but none of your other computers will be able 
> > to connect. 
> 
> Dear Bob,
> 
> Thanks. Acting on Scott's suggestion, I put this in /etc/rc.conf:
> 
> natd_enable="YES"
> natd_interface="ppp0"
> 
> However, I'm still left with the same problem - with the firewall
> enabled, ppp is blocked. Maybe I should clarify - it's the gateway
> machine that cannot access ppp. I'm not worried about the other machines
> on the network gaining access to ppp. Anyway, the internal network is OK
> even with the firewall enabled, but the firewall is definitely blocking
> my ppp connection.
> 
> If I were smarter, I could probably tweak the network settings in
> /etc/rc.firewall. But all I'm trying to do is use the "simple"
> configuration (which so far is not proving to be simple).
> 
> I'm pretty much out of ideas on this.

OK. I think I've figured out what you don't know.

Your firewall is configured to work with 192.168.0.xxx addresses. 
These are special addresses that should only be used inside your 
LAN. Anyone outside your LAN, including your ISP, should never see 
them. NAT (Network Address Translation) is used to convert your 
internal IP address to the address assigned by your ISP when you 
dial up. That is the IP address associated with your ppp0 device, 
which you see when you type "ifconfig -a". Without NAT, your 
firewall is allowing your 192.168.0.xxx addresses to access the 
internet, but they don't have an external connection. Your ppp0 
device, which does have an external connection, is being blocked 
because it doesn't have a 192.168.0.xxx address.

Everyone who responded to you has been assuming that your box with
the dial-up connection was a gateway; i.e. the gateway used by the
other computers to access the Internet. If this is the case, then
you need to set up NAT by one of two methods:
1) recompile the kernel with the following two options:
      options         IPFIREWALL              #firewall
      options         IPDIVERT                #divert sockets
   Then you need to add a "divert" rule to your firewall that translates
   internal addresses to your external address.
2) If you are using user PPP, you do the same thing by using PPP's
   built-in NAT function.

If your box with the dial-up connection is not a gateway (i.e. it is the
only computer that will access the Internet), then use the CLIENT rule
set, but use the external IP address, not the 192.168.0.xxx address.

Bob Hall
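
The gateway case Bob describes, as an added example that is not code from the thread or from FreeBSD's own rc.firewall: a small ipfw rule set with the natd divert rule placed between the destination-based and source-based private-net denies, emitted as a dry run so it can be read before it is loaded. It assumes ppp0 is the dial-up interface, 192.168.0.0/24 is the LAN behind it, and natd is started separately via natd_enable/natd_interface; FWCMD is an assumed knob for this script only.

```shell
#!/bin/sh
# Added example (not from the thread or rc.firewall). Assumptions: ppp0 is
# the dial-up (outside) interface, 192.168.0.0/24 is the LAN behind it,
# and natd is already started by rc.conf (natd_enable/natd_interface).

oif="ppp0"              # outside interface; its address comes from the ISP
inet="192.168.0.0"      # private LAN that needs translating
imask="255.255.255.0"

# FWCMD=ipfw loads the rules for real; the default only prints them.
fwcmd="${FWCMD:-echo ipfw}"

gateway_rules() {
    $fwcmd -f flush
    $fwcmd add pass all from any to any via lo0

    # Anti-spoofing: nothing arriving on the dial-up link may claim a LAN source.
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}

    # Destination-based private-net deny goes BEFORE the divert: an inbound
    # packet is still addressed to the ISP-assigned IP here and passes; it
    # would only match after natd rewrote it to 192.168.0.x.
    $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}

    # The divert rule: every packet crossing ppp0 is handed to natd, which
    # swaps LAN source addresses for the ppp0 address (and back on the way in).
    $fwcmd add divert natd all from any to any via ${oif}

    # Source-based private-net deny goes AFTER the divert: outbound LAN
    # traffic has already been rewritten to the external address by now.
    $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}

    $fwcmd add pass tcp from any to any established
    $fwcmd add pass tcp from any to any out setup
    $fwcmd add pass udp from any to any out keep-state
    $fwcmd add deny log all from any to any
}

# Line number, in the emitted list, of the first rule matching a pattern.
rule_line() { gateway_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Returns 0 when the divert sits between the two private-net denies, the
# ordering that keeps NAT and the RFC 1918 filters from fighting each other.
divert_is_ordered() {
    to_deny=$(rule_line 'deny all from any to 192.168.0.0/16')
    divert=$(rule_line 'divert natd')
    from_deny=$(rule_line 'deny all from 192.168.0.0/16 to any')
    [ "$to_deny" -lt "$divert" ] && [ "$divert" -lt "$from_deny" ]
}
```

Run it as-is to review the rule order, then with `FWCMD=ipfw` to load it; the same ordering point applies when editing the "simple" section of rc.firewall by hand.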

