[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="192.0.2.0"
omask="255.255.255.0"
oip="192.0.2.1" # set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.0.2.1"
imask="255.255.255.0"
iip="192.0.2.17"I'm curious about the difference between 'inet' and 'iip', what each one stands for, and how to configure 'onet/oip' if the outside interface network is configured via DHCP.
I'm also curious about this little snippet (under the 'simple' profile):
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.What happens if this option is set in my kernel config file? Can I safely comment out this line and use the 'simple' profile without affecting natd?
Subhro wrote:
Hi Rishi,
You have to forward the ports required by WinVNC on the FreeBSD Gateway. Have you compiled IPDIVERT in your kernel? Read the ipfw manpages to find out how to forward ports.
Regards Subhro
Subhro Sankha Kar Indian Institute of Information Technology Block AQ-13/1, Sector V Salt Lake City PIN 700091 India -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rishi Chopra Sent: Sunday, January 11, 2004 1:42 PM To: Mike Maltese Cc: [EMAIL PROTECTED] Subject: Re: (Yet Another) Home Networking Question
I was able to get my network up and running with the suggestions below. To review, my setup is the following:
ISP FreeBSD Gateway Win2k Box
>----------rl0--------------rl1-------------------< ALL DHCP 192.168.0.1 192.168.0.2
rl0 is connected to the modem by ethernet and set for DHCP, the ISP's method of address asignment. rl1 is the second NIC in the BSD box, and is connected by crossover cable to the Win2k box. FreeBSD box and Win2k box can successfully ping each other, and both FreeBSD box and Win2k have working internet access. Everything is running A-OK.
If I wish to host WinVNC on the Win2k box, do I need to make any changes to the Gateway? Specifically, WinVNC requires the Win2k box to be listening on 5800 and 5900; I have opened these ports (and these ports only) on the Win2k box. Do I need to change rc.conf or any other files on the gateway to specify that all incoming connections on 5800 and 5900 be forwarded from rl0 to rl1? Am I gonna have to step up to IPFW (yuck!) ??
Thanks, Rishi
Mike Maltese wrote:
shell.As a first step, try adding these lines to rc.conf:(1) in /etc/rc.conf, I added the following natd_enable="YES" natd_interface="rl0" ### public interface connected to cable modem gateway_enable="YES" defaultrouter="192.168.0.1" ### LAN machines use this ifconfig_rl0="DHCP" ### Astound uses dhcp ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0" ### use for LAN hostname="idfubar.dyndns.org"
firewall_enable="YES" firewall_type="open"
This will enable diversion of all traffic to natd. Read the man pages for natd and ipfw and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html for more information.
The easiest way to reinitialize the system is to type "shutdown now". This
will drop you into single user mode. Press return when prompted for a
Hit Ctrl+D and the rc system will be run through and put you back intobox.
multi-user mode. Check for connectivity from the router and the Windows
As a side note, you can delete the defaultrouter entry. That's for your FreeBSD box, not LAN clients. It's getting reset by dhclient when it gets lease information from your ISP's DHCP server anyway.
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
