sharing a DSL connection using FreeBSD-5.3
Chris Hill
chris at monochrome.org
Sun Mar 13 19:52:04 PST 2005
On Mon, 14 Mar 2005, Edwin D. Vinas wrote:
> %ifconfig
> rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
> ether 00:11:95:26:4e:58
> media: Ethernet autoselect (10baseT/UTP)
> status: no carrier
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 210.125.155.126 netmask 0xffffff00 broadcast 210.125.155.255
[snip]
> According to some FreeBSD documentation, I need to configure my
> machine as a gateway and use NAT. Others also talk about using a
> firewall.
You don't HAVE to do any of these things, although since your subject
line says "sharing a DSL connection", NAT is sort of implied. Here is
what each thing does; decide for yourself if you need it.
- Making this machine a gateway means that your "inside" machines can
all connect through it, i.e. you'd set this machine's inside IP (the one
you'll configure for rl0) as their default router. In this scenario, the
inside machines may or may not have public routable IP addresses. If
they do, and you don't run a firewall, they are on their own for
security.
- NAT allows many "inside" machines to share one "outside" IP address,
so you can have Internet connectivity from all your machines even though
you only have one public IP address. NAT makes no sense unless your BSD
machine is also a gateway. But still, if you don't run a firewall, the
inside machines are on their own for security.
- A firewall is not required for functionality, but most people (myself
included) think it's a good idea. Ipfw, ipf and pf are all packet
filters - they allow you to configure what connections will be
permitted, based on IP address and port number among other criteria.
In any event, you will need to configure rl0 for your internal address
space. Assuming NAT, i.e. you only have one public IP, you will need to
decide what your internal address space will be, and configure your
internal machines (and rl0 on the gateway!) accordingly. Per RFC1918,
your choices are
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
These are officially reserved address spaces that most upstream routers
will never send out to the public Internet. (see
http://www.faqs.org/rfcs/rfc1918.html)
> I'm concerned about the ease of maintaining FreeBSD as a DSL
> router.
It's pretty straightforward. Set it up as you see fit, see if everything
you need to do works. If it doesn't, open up the necessary port(s) and
try again. If it were me, I'd set it up *for a limited time* with no
firewall, just to make sure the gateway works (i.e. I can connect from
an inside machine). Once that's established, I'd start dinking with the
firewall - start with all ports blocked, then open ports up one by one
until everything I need works.
> I'm also concerned about filtered ports or port forwarding, which may
> block certain ports such as Yahoo Messenger and online games. If I use
> FreeBSD+NAT+firewall, would Windows clients that run on specific
> ports (i.e. YM and online games) still be able to work?
If you block those ports, they won't work. If you need these things to
work, and accept any security risks, open those ports on the firewall.
HTH.
--
Chris Hill chris at monochrome.org
** [ Busy Expunging <|> ]
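The gateway + NAT + firewall setup described in the reply, as an added example that is not part of Chris's message or of the FreeBSD project's own documentation. It is a POSIX sh script that writes the rc.conf lines and a pf.conf for a FreeBSD 5.3 box sharing one DSL address, and checks that the chosen inside address really is RFC1918 before doing so. Assumptions, all labelled in the code: dc0 is the DSL side (as in the poster's ifconfig output) and rl0 faces the LAN; pf is the packet filter (ipfw or ipf would do the same job, pf ships in the 5.3 base system); the inside network is 192.168.1.0/24 with the gateway at 192.168.1.1; and the forwarded port 5050 to host 192.168.1.10 is a placeholder standing in for whatever Yahoo Messenger or a game actually needs. The file names, variable names and the function names `is_rfc1918` and `write_configs` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate rc.conf.local and
# pf.conf for a FreeBSD 5.3 DSL gateway.  Everything below the comment
# block is an assumption you should adjust: dc0 = DSL side (from the
# poster's ifconfig), rl0 = LAN side, pf as packet filter, 192.168.1.0/24
# inside, one placeholder port forwarded to one LAN host.

EXT_IF=dc0
INT_IF=rl0
INT_ADDR=192.168.1.1          # gateway's address on rl0 (must be RFC1918)
INT_MASK=255.255.255.0
INT_NET=192.168.1.0/24
FWD_HOST=192.168.1.10         # LAN box that should receive the forwarded port
FWD_PORT=5050                 # placeholder; use the application's real port

# Return 0 if a dotted-quad address lies in 10/8, 172.16/12 or 192.168/16
# (the three RFC1918 blocks), 1 for anything else or for malformed input.
is_rfc1918() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# Write rc.conf.local and pf.conf into $1 (a scratch directory for review,
# or /etc on the gateway).  $2 optionally overrides the gateway's inside
# address.  Refuses a non-RFC1918 inside address: NATing a public range
# makes no sense and is usually a typo.
write_configs() {
    dest=$1
    gw_addr=${2:-$INT_ADDR}
    if ! is_rfc1918 "$gw_addr"; then
        echo "inside address $gw_addr is not RFC1918; pick one from 10/8, 172.16/12 or 192.168/16" >&2
        return 1
    fi

    # /etc/rc.conf.local is read after /etc/rc.conf; these lines could
    # equally be appended to rc.conf itself.
    cat > "$dest/rc.conf.local" <<EOF
gateway_enable="YES"                       # forward packets between dc0 and rl0
ifconfig_${INT_IF}="inet $gw_addr netmask $INT_MASK"
pf_enable="YES"                            # rc.d/pf loads pf.ko if pf is not in the kernel
pf_rules="/etc/pf.conf"
pflog_enable="YES"                         # blocked packets show up on pflog0
EOF

    {
        printf 'ext_if = "%s"\n' "$EXT_IF"
        printf 'int_if = "%s"\n' "$INT_IF"
        printf 'int_net = "%s"\n' "$INT_NET"
        printf 'fwd_host = "%s"\n' "$FWD_HOST"
        printf 'fwd_port = "%s"\n' "$FWD_PORT"
        cat <<'EOF'

scrub in all

# NAT: rewrite LAN source addresses to whatever address dc0 has right now.
nat on $ext_if from $int_net to any -> ($ext_if)

# Port forwarding: one inbound application port to one LAN host (placeholder).
rdr on $ext_if proto tcp from any to ($ext_if) port $fwd_port -> $fwd_host port $fwd_port

# Start with everything blocked (and logged), then open ports one by one.
block in log all
pass quick on lo0
pass out quick keep state

# The LAN may talk to the gateway and, via NAT, to the Internet.
pass in on $int_if from $int_net to any keep state

# The filter rule for a forwarded port matches the post-rdr destination.
pass in on $ext_if proto tcp from any to $fwd_host port $fwd_port flags S/SA keep state
EOF
    } > "$dest/pf.conf"
}

# Run with a directory argument to generate the files for review, e.g.
#   sh gateway-config.sh /tmp/review && pfctl -nf /tmp/review/pf.conf
if [ $# -gt 0 ]; then
    write_configs "$1"
fi
```

The pf.conf follows the order of work Chris suggests: NAT first, a default deny with logging, and then explicit `pass in` rules, so when an application such as a messenger or game fails you read pflog0 (`tcpdump -n -e -ttt -i pflog0`) to see which port was dropped and add one more `rdr`/`pass` pair for it. `pfctl -nf` parses the file without loading it, which is the check to run before `/etc/rc.d/pf start` on the real gateway.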
More information about the freebsd-questions mailing list