Need Guidance in my Internet Connection Sharing configuration

Benjamin Sobotta mayday at gmx.net
Mon Jan 10 17:13:20 PST 2005


Hello

To make sure I understand, you can reach the internet from your router?
So it is really a routing problem, right?
The interface connected to the modem is bge0? aue0 is connected to your
internal network?! Your internal machines can ping the router??
If all of that is the case, then try

natd_interface="bge0"

instead of what you have. Actually I'm not sure at all because I'm not
on my machine. Anyways, might be worth a shot. Ohh and don't forget to
reboot after you make the changes. If this doesn't work I would try
everything without all those firewall rules. Start out easy and when it
works you can still add rule after rule. Always try pinging IPs because
DNS might not work right away.

HTH,

Ben

On Tue, 2005-01-11 at 08:37 +0000, Srot BULL wrote:
> Hello and Good Day to all,
> 
> I have tried to configure my system for Internet Connection Sharing but
> I could not implement the configuration properly.  I am afraid that this
> is all my mind can figure out.  Please look through below and I would
> appreciate it if you could point out the mistakes that I have made or point
> me to any links that would help me solve this problem.
> 
> 
> uname -a
> FreeBSD r40e.point.ne.jp 5.3-STABLE FreeBSD 5.3-STABLE #1: Mon Jan 10 12:49:58 UTC 2005     root at r40e.point.ne.jp:/usr/obj/usr/src/sys/R40e  i386
> 
> Kernel Configuration File:
> #===--- IPFIREWALL OPTIONS ---===#
> options         IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=5
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> #=- Enables NAT Functionality -=#
> options         IPDIVERT
> 
> /etc/rc.conf
> hostname="r40e.point.ne.jp"
> #** OutBound Interface **#
> ifconfig_bge0="DHCP"
> #** Internal LAN Interface **#
> ifconfig_aue0="inet 10.20.30.1 netmask 255.0.0.0"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="aue0"
> natd_flags="-dynamic -m"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rulesets"
> firewall_type="OPEN"
> firewall_quiet="YES"
> firewall_logging_enable="YES"
> 
> This is my /etc/ipfw.rulesets:
> --------------------------------------------------------------------------
> #!/bin/sh
> 
> ipfw -q -f flush
> CMD="ipfw -q add"
> SKIP="skipto 00800"
> KS="keep-state"
> INIC="bge0"
> 
> $CMD 00005 allow all from any to any via aue0
> $CMD 00010 allow all from any to any via lo0
> $CMD 00014 divert natd ip from any to any in via $INIC
> $CMD 00015 check-state
> 
> $CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
> $CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
> $CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
> $CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
> $CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
> $CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
> $CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
> $CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
> $CMD 00080 $SKIP icmp from any to any out via $INIC $KS
> $CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
> $CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
> $CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
> $CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
> $CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
> 
> $CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
> $CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
> $CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
> $CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
> $CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
> $CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
> $CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
> $CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
> $CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
> #$CMD 00310 deny icmp from any to any in via $INIC
> $CMD 00315 deny tcp from any to any 113 in via $INIC
> $CMD 00320 deny tcp from any to any 137 in via $INIC
> $CMD 00321 deny tcp from any to any 138 in via $INIC
> $CMD 00322 deny tcp from any to any 139 in via $INIC
> $CMD 00323 deny tcp from any to any 81 in via $INIC
> $CMD 00330 deny all from any to any frag in via $INIC
> $CMD 00332 deny tcp from any to any established in via $INIC
> 
> $CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
> #$CMD 00370 allow tcp from any to me 80 in via $INIC setup limit src-addr 2
> #$CMD 00380 allow tcp from any to me 22 in via $INIC setup limit src-addr 2
> #$CMD 00390 allow tcp from any to me 23 in via $INIC setup limit src-addr 2
> $CMD 00400 deny log all from any to any in via $INIC
> $CMD 00450 deny log all from any to any out via $INIC
> $CMD 00800 divert natd ip from any to any out via $INIC
> $CMD 00801 allow ip from any to any
> $CMD 00999 deny log all from any to any
> ----------------------------------------------------------------------------
> 
> The problem with the above configuration is I do not get connected to my
> ADSL Modem and no internet connection at all. "netstat -r" shows
> nothing...
> Is the configuration above enough for me to set up my system for Internet
> Connection Sharing, or do I have to tweak other settings?
> I would really appreciate any help, hints, or advice...
> Thank you in advance...
> 
> By the way, since this is my first try in Internet Connection
> Sharing...I am not that sure with my cable connections...
> My internal LAN Card "bge0" is connected to my ADSL Modem while my other
> external USB LAN Card "aue0" is connected to my switching hub...and the
> other PC that I have is also connected to the hub...Is this O.K.?
> 
> Srot BULL
> 
-- 
Benjamin Sobotta <mayday at gmx.net>
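As an added consistency check (not from this thread or from FreeBSD itself), the POSIX shell script below pulls the DHCP (WAN) interface and natd_interface out of an rc.conf fragment and the INIC variable out of the ipfw ruleset, and reports when natd and the divert rules disagree on the interface, which is exactly the mismatch between the quoted rc.conf (aue0) and the quoted ruleset (bge0). The rc.conf and ruleset excerpts inside it are constructed from the values quoted above, and it assumes the WAN side is the interface configured with DHCP, as in the poster's rc.conf.

```shell
#!/bin/sh
# Constructed rc.conf fragment mirroring the thread's settings (not the poster's file verbatim).
RC_CONF='ifconfig_bge0="DHCP"
ifconfig_aue0="inet 10.20.30.1 netmask 255.0.0.0"
gateway_enable="YES"
natd_enable="YES"
natd_interface="aue0"'

# Constructed excerpt of the ipfw ruleset: only the interface variable and the divert rules matter here.
RULESET='INIC="bge0"
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC'

# Print the interface that gets its address via DHCP (assumed to be the WAN side) from rc.conf on stdin.
dhcp_iface() {
    sed -n 's/^ifconfig_\([a-z0-9]*\)="DHCP".*/\1/p' | head -n 1
}

# Print the natd_interface value from rc.conf on stdin.
natd_iface() {
    sed -n 's/^natd_interface="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the INIC value the divert rules are bound to, from the ruleset on stdin.
divert_iface() {
    sed -n 's/^INIC="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when natd and the divert rules agree on the WAN interface, 1 otherwise (with a reason on stdout).
check_nat_consistency() {
    rc="$1"; rules="$2"
    wan=$(printf '%s\n' "$rc" | dhcp_iface)
    nat=$(printf '%s\n' "$rc" | natd_iface)
    div=$(printf '%s\n' "$rules" | divert_iface)
    status=0
    if [ "$nat" != "$wan" ]; then
        echo "natd_interface=$nat but the DHCP (WAN) interface is $wan"
        status=1
    fi
    if [ "$div" != "$nat" ]; then
        echo "divert rules are bound to $div but natd listens on $nat"
        status=1
    fi
    return $status
}
```

Run it as `check_nat_consistency "$RC_CONF" "$RULESET"`; with the thread's values it reports both mismatches, and changing natd_interface to bge0 makes it pass.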