Re: Which interface do I put natd and ipfw
Hi Lowell,

Thanks for the info. You are right: I don't need the IP address for the external interface in order to configure the firewall. I couldn't understand the sample files that came with ipfw. I thought I had to follow the sample file the way it was given. Now I know I can change it to the way I want. Thanks once again.

regds
ed

On Tue, 3 Feb 2004 12:40 am, you wrote:
> Emmanuel Dwamena [EMAIL PROTECTED] writes:
>
> > I need help to set up a firewall on my FreeBSD 5.1 box. I have built a new kernel with ipfw enabled and it is working fine. I need to know which of the 3 interfaces I put natd and ipfw on. My FreeBSD 5.1 box has 2 NIC cards: ed0 connects to the LAN and ed1 connects to the ADSL modem. I use user ppp to set up the connection to the ISP, who assigns a dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through tun0 from outside to the LAN.
> >
> > Which of the interfaces do I use to block unwanted traffic from the internet: ed1 or tun0?
>
> tun0
>
> > How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand?
>
> You have two choices; either don't use the address in the firewall setup at all (it isn't really useful...) or use the me keyword for the address (see ipfw(8)).
>
> > Secondly, which interface do I place natd on?
>
> tun0

--
email: [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Which interface do I put natd and ipfw
Dear friends,

I need help to set up a firewall on my FreeBSD 5.1 box. I have built a new kernel with ipfw enabled and it is working fine. I need to know which of the 3 interfaces I put natd and ipfw on. My FreeBSD 5.1 box has 2 NIC cards: ed0 connects to the LAN and ed1 connects to the ADSL modem. I use user ppp to set up the connection to the ISP, who assigns a dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through tun0 from outside to the LAN.

Which of the interfaces do I use to block unwanted traffic from the internet: ed1 or tun0?

How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand?

Secondly, which interface do I place natd on?

If anyone has configured ADSL with a dynamic IP address assigned to tun0, I would like to have some info about how it was configured with ipfw.

regds
ed

--
email: [EMAIL PROTECTED]
Re: Which interface do I put natd and ipfw
Check this doc out:

http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

Extech

*** REPLY SEPARATOR ***

On 2004/02/02 at 23:44 Emmanuel Dwamena wrote:

> Dear friends,
>
> I need help to set up a firewall on my FreeBSD 5.1 box. I have built a new kernel with ipfw enabled and it is working fine. I need to know which of the 3 interfaces I put natd and ipfw on. My FreeBSD 5.1 box has 2 NIC cards: ed0 connects to the LAN and ed1 connects to the ADSL modem. I use user ppp to set up the connection to the ISP, who assigns a dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through tun0 from outside to the LAN.
>
> Which of the interfaces do I use to block unwanted traffic from the internet: ed1 or tun0?
>
> How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand?
>
> Secondly, which interface do I place natd on?
>
> If anyone has configured ADSL with a dynamic IP address assigned to tun0, I would like to have some info about how it was configured with ipfw.
>
> regds
> ed
>
> --
> email: [EMAIL PROTECTED]
Re: Which interface do I put natd and ipfw
Emmanuel Dwamena [EMAIL PROTECTED] writes:

> I need help to set up a firewall on my FreeBSD 5.1 box. I have built a new kernel with ipfw enabled and it is working fine. I need to know which of the 3 interfaces I put natd and ipfw on. My FreeBSD 5.1 box has 2 NIC cards: ed0 connects to the LAN and ed1 connects to the ADSL modem. I use user ppp to set up the connection to the ISP, who assigns a dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through tun0 from outside to the LAN.
>
> Which of the interfaces do I use to block unwanted traffic from the internet: ed1 or tun0?

tun0

> How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand?

You have two choices; either don't use the address in the firewall setup at all (it isn't really useful...) or use the me keyword for the address (see ipfw(8)).

> Secondly, which interface do I place natd on?

tun0

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password public
RE: Which interface do I put natd and ipfw
facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif        #"this" network (RFC 1122)
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast
# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif
# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to xxx.xxx.xxx.xxx 67 in via $pif keep-state
# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
End of IPFW rules file ###

You have to use a crossover cable to connect your single LAN PC to your FBSD gateway PC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emmanuel Dwamena
Sent: Monday, February 02, 2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: Which interface do I put natd and ipfw

> Dear friends,
>
> I need help to set up a firewall on my FreeBSD 5.1 box. I have built a new kernel with ipfw enabled and it is working fine. I need to know which of the 3 interfaces I put natd and ipfw on. My FreeBSD 5.1 box has 2 NIC cards: ed0 connects to the LAN and ed1 connects to the ADSL modem. I use user ppp to set up the connection to the ISP, who assigns a dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through tun0 from outside to the LAN.
>
> Which of the interfaces do I use to block unwanted traffic from the internet: ed1 or tun0?
>
> How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand?
>
> Secondly, which interface do I place natd on?
>
> If anyone has configured ADSL with a dynamic IP address assigned to tun0, I would like to have some info about how it was configured with ipfw.
>
> regds
> ed
>
> --
> email: [EMAIL PROTECTED]
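An added example, not from the thread or from ipfw itself: a small Python model of ipfw's first-match evaluation over a handful of the inbound rules quoted above, with $pif = tun0 and the me keyword resolved against whatever address tun0 holds at the moment. It shows why the RFC 1918 denies sit ahead of the allows, and why Lowell's "use me" advice works: a "to me 80" rule keeps matching after the ISP hands out a new address. The rule table, addresses and interface names are constructed for this example.

```python
import ipaddress

PIF = "tun0"  # public interface in this thread: the user-ppp tunnel

# Constructed subset of the inbound section above, as
# (number, action, proto, src, dst, dport). "me" is the gateway's own
# (dynamic) address, resolved at lookup time as ipfw(8) does; "any" matches
# everything; a dport of None means the rule carries no port.
RULES = [
    (300, "deny",  "all",  "192.168.0.0/16", "any", None),  # RFC 1918
    (301, "deny",  "all",  "172.16.0.0/12",  "any", None),  # RFC 1918
    (302, "deny",  "all",  "10.0.0.0/8",     "any", None),  # RFC 1918
    (303, "deny",  "all",  "127.0.0.0/8",    "any", None),  # loopback
    (310, "deny",  "icmp", "any",            "any", None),  # public pings
    (315, "deny",  "tcp",  "any",            "any", 113),   # ident
    (400, "allow", "tcp",  "any",            "me",  80),    # www
    (410, "allow", "tcp",  "any",            "me",  22),    # ssh
    (499, "deny",  "all",  "any",            "any", None),  # inbound catch-all
]
DEFAULT = (999, "deny")  # the trailing "deny log all from any to any"


def _addr_match(spec, addr, my_addrs):
    """Match one address field: 'any', 'me' (our current addresses) or a CIDR."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in my_addrs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(proto, src, dst, dport, iface, my_addrs):
    """Return (rule number, action) for a packet arriving *in via* iface.

    Rules are walked in number order and the first match wins, as in ipfw.
    Every quoted rule is qualified with "in via $pif", so a packet on any
    other interface matches none of them and falls to the default deny
    (the toy has no LAN-side rules).
    """
    if iface == PIF:
        for num, action, rproto, rsrc, rdst, rport in RULES:
            if rproto != "all" and rproto != proto:
                continue
            if not _addr_match(rsrc, src, my_addrs):
                continue
            if not _addr_match(rdst, dst, my_addrs):
                continue
            if rport is not None and rport != dport:
                continue
            return num, action
    return DEFAULT
```

Passing the set of addresses tun0 currently holds as my_addrs is what lets the same rule table survive a re-dial with a different ISP-assigned address.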