Setting up a FreeBSD gateway (more detail) and IPFW
Brian Bobowski
bbobowski at gmail.com
Sun Jan 8 21:14:49 PST 2006

Thanks to those who replied to my previous call for help. Now I think
it's time I actually provide some relevant detail.

I've got two computers - one is my workstation, one is my server /
gateway-to-be. My outside connection is via a hub to a cable modem;
currently I have my workstation rigged directly to it with no problems.
I'll go over what I've done so far, and hope that if I've made a glaring
error someone will be able to point it out.

- I have two NICs: ed0 and rl0. ed0 will be connected to my workstation,
  rl0 to the hub and thence the Internet.
- I've configured a custom kernel per the directions in the handbook on
  NAT - that is, IPFIREWALL and IPDIVERT are in there.
- I have the various options set in rc.conf, with natd_interface="rl0".
- To set up the NICs, I have ifconfig_ed0="192.168.0.1" and
  ifconfig_rl0="DHCP". I'll set my workstation to use 192.168.0.2 if I can
  figure out why it's locking my NIC / IP settings (that's a WinXP issue).
- In my named.conf, under forwarders, I set one of my ISP's DNS servers.
  (Is it possible, and if so, beneficial, to put more than one entry
  there? My ISP gives me four.) I'm only running a caching DNS, so I
  otherwise left named.conf alone.
- I've run the make-localhost script in /etc/namedb.
- I've put named_enable="YES" in rc.conf as well.

Ideally, I'd like to be able to leave my workstation's network settings
alone, and set up DHCP; however, a look over the ports suggests that's
far more trouble than it's worth for a single client that doesn't really
need such flexibility.

I don't have any servers running on my workstation, so I've no need to
allow traffic from the 'net to get through the firewall to the
LAN (servers on the gateway itself are another matter). However, the
firewall is still my biggest challenge.

To get set up and running, since I don't currently know the ports for
every single thing I might use (and some things I telnet to are on
nonstandard ports anyway) I'm probably going to use the example ruleset
#2 for IPFW with NAT, except that until such time as I know a little
more detail about what I need to block, I'll be assuming that anything
from the workstation is good traffic. That rule, however, is causing me
some concern, and I'd like to confirm that it has a good chance of
working before I go to the smoke test.

Thus, inserting at the appropriate point into the last example given on
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
the best I can cobble together is:

    $cmd allow all from 192.168.0.2 to any out via $pif setup keep-state

Will this allow my workstation unhindered access to the Internet without
opening it to every single inbound port? I'm a little confused here.
I don't think I need anything but Apache (i.e. port 80 TCP) and SSL (22
TCP) inbound; the MySQL server is strictly internal, so the stock
ruleset otherwise seems pretty good to me. I can open up secure HTTP if
I get that working, based on the rules already there.

Please send replies directly to me.

Thanks in advance,
-BB
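The following is an added example, not from the original post or the FreeBSD handbook, showing how the workstation rule could be slotted into the handbook's stateful NAT ruleset (ruleset #2) in its /etc/ipfw.rules style. It assumes rl0 is the outside NIC, ed0 the LAN NIC, 192.168.0.2 the workstation, and 22/tcp and 80/tcp the gateway's own inbound services; the rule is split per protocol because `setup` matches only TCP SYN packets, so a single `allow all ... setup keep-state` rule would drop the workstation's UDP (DNS) and ICMP traffic.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD handbook): a
# stateful IPFW + natd ruleset for the gateway above, in the handbook's
# "/etc/ipfw.rules" style. Assumptions: rl0 outside, ed0 LAN,
# workstation 192.168.0.2, gateway services on 22/tcp and 80/tcp.
pif="rl0"
lif="ed0"
ws="192.168.0.2"
# emit_rules CMD prefixes every rule with CMD: "ipfw -q add" loads it,
# "echo" prints it so the set can be reviewed before the smoke test.
emit_rules() {
    cmd="$1"
    skip="skipto 500"
    ks="keep-state"
    $cmd 002 allow all from any to any via "$lif"   # LAN side: unrestricted
    $cmd 003 allow all from any to any via lo0
    $cmd 100 divert natd ip from any to any in via "$pif"  # un-NAT replies
    $cmd 101 check-state                                   # dynamic rules first
    # Outbound from the workstation. "setup" matches only TCP SYN packets,
    # so one "allow all ... setup keep-state" rule would drop the workstation's
    # UDP (DNS) and ICMP. One stateful rule per protocol, each skipto the
    # divert rule so the packet is NATed before it leaves rl0.
    $cmd 120 $skip tcp from "$ws" to any out via "$pif" setup $ks
    $cmd 121 $skip udp from "$ws" to any out via "$pif" $ks
    $cmd 122 $skip icmp from "$ws" to any out via "$pif" $ks
    # The gateway itself: DNS forwarding for named and its own outbound TCP
    $cmd 130 $skip udp from me to any 53 out via "$pif" $ks
    $cmd 131 $skip tcp from me to any out via "$pif" setup $ks
    # Inbound on rl0: DHCP lease replies plus the gateway's own services with
    # a per-source connection cap; everything else is logged and dropped
    $cmd 400 allow udp from any 67 to any 68 in via "$pif"
    $cmd 410 allow tcp from any to me 22 in via "$pif" setup limit src-addr 4
    $cmd 420 allow tcp from any to me 80 in via "$pif" setup limit src-addr 10
    $cmd 450 deny log ip from any to any
    # skipto target: NAT outbound packets, then release them
    $cmd 500 divert natd ip from any to any out via "$pif"
    $cmd 510 allow ip from any to any
}
if [ "${1:-}" = "load" ]; then
    ipfw -q -f flush            # replace the running ruleset
    emit_rules "ipfw -q add"
else
    emit_rules echo             # dry run: print the rules for review
fi
```

Run it with no arguments to review the rules, and as `sh ipfw.rules load` on the gateway to install them.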