Setting up a FreeBSD gateway (more detail) and IPFW

Brian Bobowski bbobowski at gmail.com
Sun Jan 8 21:14:49 PST 2006


Thanks to those who replied to my previous call for help. Now I think 
it's time I actually provide some relevant detail.

I've got two computers - one is my workstation, one is my server / 
gateway-to-be. My outside connection is via a hub to a cable modem; 
currently I have my workstation rigged directly to it with no problems.

I'll go over what I've done so far, and hope that if I've made a glaring 
error someone will be able to point it out.

- I have two NICs: ed0 and rl0. ed0 will be connected to my workstation, 
rl0 to the hub and thence the Internet.
- I've configured a custom kernel per the directions in the handbook on 
NAT - that is, IPFIREWALL and IPDIVERT are in there.
- I have the various options set in rc.conf, with natd_interface="rl0".
- To set up the NICs, I have ifconfig_ed0="192.168.0.1" and 
ifconfig_rl0="DHCP". I'll set my workstation to use 192.168.0.2 if I can 
figure out why it's locking my NIC / IP settings (that's a WinXP issue).
- In my named.conf, under forwarders, I set one of my ISP's DNS servers. 
(Is it possible, and if so, beneficial, to put more than one entry 
there? My ISP gives me four.) I'm only running a caching DNS, so I 
otherwise left named.conf alone.
- I've run the make-localhost script in /etc/namedb.
- I've put named_enable="YES" in rc.conf as well.

Ideally, I'd like to be able to leave my workstation's network settings 
alone, and set up DHCP; however, a look over the ports suggests that's 
far more trouble than it's worth for a single client that doesn't really 
need such flexibility.

I don't have any servers running on my workstation, so I've no need to 
allow traffic from the 'net to get through the firewall to the 
LAN (servers on the gateway itself are another matter). However, the 
firewall is still my biggest challenge.

To get set up and running, since I don't currently know the ports for 
every single thing I might use (and some things I telnet to are on 
nonstandard ports anyway), I'm probably going to use the example ruleset 
#2 for IPFW with NAT, except that until such time as I know a little 
more detail about what I need to block, I'll be assuming that anything 
from the workstation is good traffic. That rule, however, is causing me 
some concern, and I'd like to confirm that it has a good chance of 
working before I go to the smoke test.

Thus, inserting at the appropriate point into the last example given on

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

the best I can cobble together is:

$cmd allow all from 192.168.0.2 to any out via $pif setup keep-state

Will this allow my workstation unhindered access to the Internet without 
opening it to every single inbound port? I'm a little confused here.

I don't think I need anything but Apache (i.e. port 80 TCP) and SSL (22 
TCP) inbound; the MySQL server is strictly internal, so the stock 
ruleset otherwise seems pretty good to me. I can open up secure HTTP if 
I get that working, based on the rules already there.

Please send replies directly to me.

Thanks in advance,

-BB
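The stateful NAT layout that the handbook page linked above uses, as an added example (not code from the original post or from the handbook), with the workstation rule written the way that layout needs it: outbound rules `skipto` the natd divert rule instead of `allow` (a plain `allow` would send the packet out with its private source address, bypassing NAT), and UDP and ICMP get their own rules without `setup`, because `setup` matches only a TCP SYN. Assumed: rl0 outside, ed0 inside and the workstation at 192.168.0.2 are taken from the post; the rule numbers and the choice of inbound ports 22 and 80 on the gateway are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or the handbook: a stateful
# IPFW ruleset for the two-NIC gateway described above, in the handbook's
# skipto-to-natd layout. Interface names and the workstation address are
# from the post; rule numbers and open inbound ports are assumed here.

pif="rl0"                 # public interface (natd_interface in rc.conf)
lif="ed0"                 # LAN interface
ws="192.168.0.2"          # the single LAN client
skip="skipto 800"         # outbound rules jump to the NAT divert rule

# Print the ruleset, one rule per line, in the order ipfw evaluates it.
fw_rules() {
    cat <<EOF
005 allow all from any to any via $lif
010 allow all from any to any via lo0
014 divert natd ip from any to any in via $pif
015 check-state
# outbound: the workstation may start anything; UDP and ICMP need rules
# without 'setup', because 'setup' only matches a TCP SYN
020 $skip tcp from $ws to any out via $pif setup keep-state
021 $skip udp from $ws to any out via $pif keep-state
022 $skip icmp from $ws to any out via $pif keep-state
# outbound from the gateway itself (DNS forwarding, updates)
030 $skip udp from me to any 53 out via $pif keep-state
040 $skip tcp from me to any out via $pif setup keep-state
250 deny log ip from any to any out via $pif
# inbound: only the services on the gateway, limited per source address
410 allow tcp from any to me 80 in via $pif setup limit src-addr 2
420 allow tcp from any to me 22 in via $pif setup limit src-addr 2
450 deny log ip from any to any
800 divert natd ip from any to any out via $pif
801 allow ip from any to any
EOF
}

# Load the rules, skipping comment lines. FW=echo gives a dry run.
fw_load() {
    fw_rules | grep -v '^#' | while read -r rule; do
        ${FW:-ipfw} -q add $rule
    done
}
```

Run `ipfw -q flush` first, then `fw_load`; with `FW=echo` the script only prints what it would add, which is the safest way to review the ordering before the smoke test.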

