ppp_mode and ipfw

Michael C. Shultz reso3w83 at verizon.net
Mon Feb 14 16:43:04 GMT 2005


On Monday 14 February 2005 05:50 am, Hiram Abiff wrote:
> Hi!
>
> I've been trying to set up ipfw on my FreeBSD box
> which I use as a gateway to the Internet on my LAN.
>
> I compiled the kernel with options IPFIREWALL and IPDIVERT,
> edited rc.conf and some other files.
>
> Now I have 2 problems:
>
> 1.) Each time FreeBSD boots ppp automatically establishes
> a connection via ISDN. I do not want it to do that, I want
> the connection to be established when some of the other
> 2 boxes I have on my LAN run software that demands an
> internet connection.
>
> For example, if I run firefox on my linux box, I want
> the FreeBSD box to receive the linux box's request
> for a connection and dial my ISP via ISDN.
>
> In rc.conf I set ppp_mode="auto" because in ppp's man
> page it says that this is the correct mode for
> on-demand connection.
>
> 2.) Although I set up my firewall rules I cannot access
> anything on the outside net anymore, and my other
> 2 boxes can't access the Internet after setting up the
> firewall. Also I cannot access the squid proxy I set up
> on my FreeBSD box anymore. All of this was working
> before I set up the firewall. What am I doing wrong?
> Why can't I access the net outside my home LAN and
> why doesn't squid work anymore?
>
> Here's my firewall rule file:
>
> fwcmd="/sbin/ipfw"
>
>
> #Outside interface
> oif="tun0"
>
>
> #Inside interface
> iif="rl0"
>
>
> # Force a flushing of the current rules before reload
> $fwcmd -f flush
>
>
> #Check the state of all packets
> $fwcmd add check-state
>
>
> #Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via oif

You should only be NAT'ing inbound packets here;
also, the "$" is missing in oif:

$fwcmd add divert natd ip from any to any in via $oif
>
>
> # Allow all data from my network card and localhost
> $fwcmd add allow all from any to any via lo0
> $fwcmd add allow ip from any to any via $ii0
>
Is $ii0 a typo? You have iif="rl0" defined as your private NIC;
did you mean to have:
$fwcmd add allow ip from any to any via $iif???

I see the same sort of errors in the rest, look it over carefully.

-Mike

>
> # Allow all connections that I initiate
> $fwcmd add allow tcp from any to any out xmit oif setup
>
>
> # Once connections are made, allow them to stay open
> $fwcmd add allow tcp from any to any via oif established
>
>
> # Everyone on the internet is allowed to connect
> $fwcmd add allow tcp from any to any 22 setup
> $fwcmd add allow tcp from any to any 21 setup
> $fwcmd add allow tcp from any to any 8080 setup
> $fwcmd add allow tcp from any to any 53 setup
> $fwcmd add allow tcp from any to any 4662 setup
> $fwcmd add allow udp from any to any 4672 setup
>
>
> # This sends a RESET to all ident packets
> $fwcmd add reset log tcp from any to any 113 in recv oif
>
>
> # Allow outgoing DNS queries ONLY to the specified servers
>
>
> $fwcmd add allow udp from any to 161.53.114.135 53 out xmit tun0
> $fwcmd add allow udp from any to 161.53.114.145 53 out xmit tun0
>
>
> # Allow them back in with the answers
>
>
> $fwcmd add allow udp from 161.53.114.135 53 to any in recv oif
> $fwcmd add allow udp from 161.53.114.145 53 to any in recv oif
>
>
> # Allow ICMP
> $fwcmd add 65435 allow icmp from any to any
>
>
> # Deny all the rest.
> #$fwcmd add 65435 deny log ip from any to any
>
>
>
> --
> "It was as though a veil had been rent. I saw on that ivory face
> the expression of sombre pride, of ruthless power,
> of craven terror -- of an intense and hopeless despair.
> Did he live his life again in every detail of desire,
> temptation, and surrender during that supreme moment
> of complete knowledge?"
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
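A mechanical way to do the "look it over carefully" step, as an added example that is not part of the thread: a small sh lint pass that flags the two mistake classes named in the reply (an assigned interface name used as a bare word after via/xmit/recv, and a $name the script never assigns, like $ii0). The sample rule file it writes is constructed here, trimmed from the posted one with those mistakes left in.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw rule script for a bare
# "via oif" where "via $oif" was meant, and for "$name" references with no
# assignment. Findings go to stdout with line numbers; exit 1 if any, else 0.
lint_ipfw_rules() {
    file="$1"
    findings=""
    # Names the script assigns (name="..." or name=...), space separated.
    assigned=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$file" | sort -u | tr '\n' ' ')
    # 1) interface keyword followed by an assigned name that lacks its "$"
    for name in $assigned; do
        hits=$(grep -nE "(via|xmit|recv)[[:space:]]+$name([[:space:]]|\$)" "$file" || true)
        [ -n "$hits" ] && findings="$findings
missing \$ before $name:
$hits"
    done
    # 2) every $name the script references must have an assignment
    refs=$(grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' "$file" | tr -d '$' | sort -u)
    for ref in $refs; do
        case " $assigned " in
            *" $ref "*) ;;
            *) findings="$findings
undefined variable \$$ref" ;;
        esac
    done
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings#?}"   # drop the leading newline
        return 1
    fi
    return 0
}
# Constructed sample modelled on the posted rule file, mistakes kept in.
write_sample_rules() {
    cat > "$1" <<'EOF'
fwcmd="/sbin/ipfw"
oif="tun0"
$fwcmd add divert natd all from any to any via oif
$fwcmd add allow all from any to any via lo0
$fwcmd add allow ip from any to any via $ii0
$fwcmd add allow tcp from any to any out xmit oif setup
$fwcmd add allow tcp from any to any via $oif established
EOF
}
# Stand-alone run: lint the constructed sample and print what it finds.
sample=$(mktemp); write_sample_rules "$sample"
lint_ipfw_rules "$sample" || true; rm -f "$sample"
```

Run it against your own file with `lint_ipfw_rules /path/to/rules`; a clean file prints nothing and exits 0.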
