sharing a DSL connection using FreeBSD-5.3

Chris Hill chris at monochrome.org
Sun Mar 13 19:52:04 PST 2005


On Mon, 14 Mar 2005, Edwin D. Vinas wrote:

> %ifconfig
> rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>        ether 00:11:95:26:4e:58
>        media: Ethernet autoselect (10baseT/UTP)
>        status: no carrier
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 210.125.155.126 netmask 0xffffff00 broadcast 210.125.155.255

[snip]

> according to some FreeBSD documentations, i need to configure my
> machine as a gateway and use NAT. others also say about using a
> firewall.

You don't HAVE to do any of these things, although since your subject 
line says "sharing a DSL connection", NAT is sort of implied. Here is 
what each thing does; decide for yourself if you need it.

  - Making this machine a gateway means that your "inside" machines can 
all connect through it, i.e. you'd set this machine's inside IP (the one 
you'll configure for rl0) as their default router. In this scenario, the 
inside machines may or may not have public routable IP addresses. If 
they do, and you don't run a firewall, they are on their own for 
security.

  - NAT allows many "inside" machines to share one "outside" IP address, 
so you can have Internet connectivity from all your machines even though 
you only have one public IP address. NAT makes no sense unless your BSD 
machine is also a gateway. But still, if you don't run a firewall, the 
inside machines are on their own for security.

  - A firewall is not required for functionality, but most people (myself 
included) think it's a good idea. Ipfw, ipf and pf are all packet 
filters - they allow you to configure what connections will be 
permitted, based on IP address and port number among other criteria.

In any event, you will need to configure rl0 for your internal address 
space. Assuming NAT, i.e. you only have one public IP, you will need to 
decide what your internal address space will be, and configure your 
internal machines (and rl0 on the gateway!) accordingly. Per RFC1918, 
your choices are

      10.0.0.0        -   10.255.255.255  (10/8 prefix)
      172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
      192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

These are officially reserved address spaces that most upstream routers 
will never send out to the public Internet. (see 
http://www.faqs.org/rfcs/rfc1918.html)

> I'm concerned about the ease of maintaining the FreeBSD as a DSL
> router.

It's pretty straightforward. Set it up as you see fit, see if everything 
you need to do works. If it doesn't, open up the necessary port(s) and 
try again. If it were me, I'd set it up *for a limited time* with no 
firewall, just to make sure the gateway works (i.e. I can connect from 
an inside machine). Once that's established, I'd start dinking with the 
firewall - start with all ports blocked, then open ports up one by one 
until everything I need works.

> I'm also concerned about filtered ports or port forwarding which may block 
> certain ports such as Yahoo messenger and online games. If I use 
> FreeBSD+NAT+firewall, would Windows clients that run on specific 
> ports (i.e. YM and online games) still be able to work?

If you block those ports, they won't work. If you need these things to 
work, and accept any security risks, open those ports on the firewall.

HTH.

--
Chris Hill               chris at monochrome.org
**                     [ Busy Expunging <|> ]
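A concrete form of the gateway + NAT + default-deny firewall described in this reply, as an added example (not from the post itself): a /etc/pf.conf for FreeBSD 5.x that assumes dc0 is the DSL-facing interface (it carries the public address in the ifconfig output above), rl0 is the inside interface, and 192.168.1.0/24 was picked from the RFC1918 ranges for the inside machines.

```pf
# /etc/pf.conf for the gateway discussed above (added example, not from the post).
# Assumptions: dc0 = DSL side, rl0 = inside, 192.168.1.0/24 = chosen RFC1918 range.
#
# Needed in /etc/rc.conf on FreeBSD 5.x for this to take effect:
#   gateway_enable="YES"       # forward packets between rl0 and dc0
#   ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"
#   pf_enable="YES"
#   pf_rules="/etc/pf.conf"
#   pflog_enable="YES"         # blocked packets show up on pflog0

ext_if  = "dc0"
int_if  = "rl0"
int_net = "192.168.1.0/24"

# Ports the inside machines may reach. Start small and add entries one at a
# time while testing, as the reply suggests (these three are a starting point).
tcp_out = "{ 22, 80, 443 }"
udp_out = "{ 53 }"

# Reassemble fragments before filtering.
scrub in all

# NAT: rewrite inside addresses to the public address on dc0.  The
# parentheses make pf re-read the address if the DSL lease changes.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default policy: block and log everything, then open selectively.
block log all

# Loopback is always allowed.
pass quick on lo0 all

# Inside machines may open connections to the listed ports; replies are
# matched by state, so nothing else needs to be opened for them.
pass in on $int_if proto tcp from $int_net to any port $tcp_out keep state
pass in on $int_if proto udp from $int_net to any port $udp_out keep state
pass in on $int_if inet proto icmp from $int_net to any keep state

# Let traffic leave on the DSL side once it carries dc0's address
# (this covers both the gateway's own connections and NAT-translated ones).
pass out on $ext_if from ($ext_if) to any keep state

# Nothing is passed in on dc0, so unsolicited connections from the Internet
# hit "block log all"; a port only becomes reachable if a rule is added here.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and run `tcpdump -n -e -ttt -i pflog0` while testing to see exactly which blocked port an inside application needs next.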

