RE: FreeBSD Gateway problems

From: Ruben Bloemgarten (ruben_at_bloemgarten.demon.nl)
Date: 08/15/05

  • Next message: Daniel Gerzo: "Re[2]: Only some IP's (SSHd)"
    To: "'Tim Holmes'" <tim@unixtechs.org>, <freebsd-questions@freebsd.org>
    Date: Mon, 15 Aug 2005 18:35:59 +0200
    
    

    Hi Tim,

    Which of the firewalls do you want to use, and if you want to use both, what
    do you want the functionality to be? If you can send your rc.conf, ipf.conf
    and ipnat.conf I could check out the ipf part and see if I find anything.
    Obviously Glen's experience with ipfw is more extensive than mine, so he
    would most likely be of more help on that front. It would, however, be of great
    help to know what you're trying to accomplish.

    Regards,
    Ruben

    -----Original Message-----
    From: owner-freebsd-questions@freebsd.org
    [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Tim Holmes
    Sent: August 15, 2005 10:47 AM
    To: freebsd-questions@freebsd.org
    Subject: FreeBSD Gateway problems

    For years I've used a FreeBSD box as my gateway. Well, I haven't had a high
    speed connection for 3 years now, and I've just gotten it back. Since
    then I've reloaded the machine from 4.3 to 5.3. I thought I had it all
    set up so that when I did get a connection, I could make a quick edit to my
    rc.conf and I'd be ready to go. Well, it turns out I was way off.

    The machine has no problems getting an IP from the cable modem, and I can
    get anywhere I want from that machine directly. (I'm currently ssh'd to
    the router machine to send email and use w3m to find How-Tos.) But it won't
    pass traffic from the rest of the network.

    Here are the settings in my rc.conf:

    gateway_enable="YES" # Enable as Lan gateway
    # firewall_enable="YES"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-f /etc/natd.conf"
    ipmon_enable="YES"
    ipmon_flags="-Ds"

    The firewall_enable is disabled now because when it's turned on, I can't
    actually get out from directly on the machine. At this point I just want
    it to do the routing and then I can work on building a firewall afterwards.

    Before I did the update and rebuilt the kernel yesterday, I had these
    options in rc.conf:

    # ipnat_enable="YES" # Start ipnat function
    # ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
    # ipfilter_enable="YES" # Start ipf firewall
    # ipfilter_rules="/etc/ipf.rules" # loads rules definition text file

    Well, all these other How-Tos I found on FreeBSDDiary.org told me all I
    needed was "gateway_enable=YES" and "firewall_enable=YES". Also to add these two
    options to the kernel:

    options IPFILTER
    options IPDIVERT

    But that wasn't working. Another mentioned I needed
    defaultrouter="192.168.2.254", but that's not doing it either. It wasn't
    actually running nat, and I'd get errors if I tried to start it. Here's the
    message I saw at boot after a new kernel.

    1: unexpected keyword (any) - from
    /sbin/ipf: /etc/ipf.rules: parse error (-1), quitting
    /etc/rc: WARNING: NO IPNAT RULES

    After following some other How-Tos I tried running ipfw, but I keep getting
    an error message that won't return any helpful searches from Google.

    # ipnat -f /etc/ipnat.conf
    ioctl(SIOCGNATS): Operation not permitted
    # ipfw -f flush
    ipfw: setsockopt(IP_FW_FLUSH): Protocol not available
    # ipf -FA -f /etc/ipf.rules
    ioctl(SIOCIPFFL): Operation not permitted
    # ipfw add divert natd all from any to any via xl0
    ipfw: getsockopt(IP_FW_ADD): Protocol not available

    None of those error messages give me anything to go on. So I'm at a loss
    here. Can anybody point me to a How-To, or share their rc.conf edits to make
    this work?

    I know this was a little long, but thanks in advance for the help.

    tdh

    -- 
     ----------------+-------------------------------------------------
           \./       |     Tim Holmes  --  em@il: tim@unixtechs.org
          (0Y0)      |         UIN: 17021091  -- AIM: tdh004
     -ooO--(_)--Ooo--+-------------------------------------------------
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
    

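The two configurations Tim posted (rc.conf with natd_enable but firewall_enable commented out, a kernel built with IPFILTER and IPDIVERT but not IPFIREWALL, ipmon enabled with ipfilter disabled) are exactly the kind of knob mismatch that produces his symptoms: natd needs an ipfw divert rule to receive packets, IPDIVERT is an ipfw feature that does nothing without IPFIREWALL, and ipfw(8) reports "Protocol not available" (ENOPROTOOPT) when the running kernel has no ipfw at all. The script below is an added example and not from the thread or the FreeBSD tree: a POSIX sh lint that reads an rc.conf and a kernel config and reports those dependencies. The sample files are reconstructed from the post; the temporary paths and the "corrected" pair (firewall_type="open", IPFIREWALL added, ipmon dropped since ipf is not in use) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the rc.conf and kernel-config
# knobs that a FreeBSD 5.x ipfw+natd or ipf+ipnat gateway depends on.
# Sample inputs below are reconstructed from Tim's post; paths are temporary.

# Print the value of the last uncommented VAR= line in an rc.conf-style file,
# with surrounding quotes and any trailing "# comment" stripped.
rcconf_get() {   # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\([^"]*\)".*/\1/' -e "s/^'\([^']*\)'.*/\1/" \
            -e 's/[[:space:]]*#.*//' -e 's/[[:space:]]*$//'
}

# True (0) when VAR is set to YES, case-insensitively.
rcconf_yes() {
    case "$(rcconf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')" in
        YES) return 0 ;;
        *)   return 1 ;;
    esac
}

# True (0) when the kernel config has an uncommented "options NAME".
kern_has_option() {   # $1 = kernel config, $2 = option name
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# check_gateway RC_CONF KERNEL_CONF: prints one finding per line, nothing when clean.
check_gateway() {
    rc=$1; kern=$2
    rcconf_yes "$rc" gateway_enable ||
        echo "gateway_enable is not YES: the box will not forward packets between interfaces"
    if rcconf_yes "$rc" natd_enable; then
        rcconf_yes "$rc" firewall_enable ||
            echo "natd_enable=YES but firewall_enable is not YES: without ipfw there is no divert rule, so natd never sees a packet"
        kern_has_option "$kern" IPDIVERT ||
            echo "natd_enable=YES but kernel lacks 'options IPDIVERT': natd's divert socket cannot be created"
        [ -n "$(rcconf_get "$rc" natd_interface)" ] ||
            echo "natd_enable=YES but natd_interface is unset"
    fi
    if rcconf_yes "$rc" firewall_enable; then
        kern_has_option "$kern" IPFIREWALL ||
            echo "firewall_enable=YES but kernel lacks 'options IPFIREWALL': unless ipfw.ko loads, ipfw(8) fails with 'Protocol not available'"
        [ -n "$(rcconf_get "$rc" firewall_type)$(rcconf_get "$rc" firewall_script)" ] ||
            echo "firewall_enable=YES without firewall_type or firewall_script: ipfw's default rule is deny, so the box locks itself out"
    fi
    if kern_has_option "$kern" IPDIVERT && ! kern_has_option "$kern" IPFIREWALL; then
        echo "'options IPDIVERT' without 'options IPFIREWALL': divert sockets are an ipfw feature"
    fi
    for v in ipnat_enable ipmon_enable; do
        if rcconf_yes "$rc" "$v" && ! rcconf_yes "$rc" ipfilter_enable; then
            echo "$v=YES but ipfilter_enable is not YES: ipf is never enabled at boot"
        fi
    done
    if rcconf_yes "$rc" natd_enable && rcconf_yes "$rc" ipnat_enable; then
        echo "both natd (ipfw) and ipnat (ipf) are enabled: choose one NAT engine"
    fi
    return 0
}

# Constructed inputs: the rc.conf and kernel options as posted, plus an
# assumed corrected pair.
TMPD=$(mktemp -d)
SAMPLE_RC=$TMPD/rc.conf.posted; SAMPLE_KERN=$TMPD/KERNEL.posted
FIXED_RC=$TMPD/rc.conf.fixed;   FIXED_KERN=$TMPD/KERNEL.fixed
cat > "$SAMPLE_RC" <<'EOF'
gateway_enable="YES" # Enable as Lan gateway
# firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"
EOF
printf 'options IPFILTER\noptions IPDIVERT\n' > "$SAMPLE_KERN"
cat > "$FIXED_RC" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"     # no filtering at all; replace with a real ruleset
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
EOF
printf 'options IPFIREWALL\noptions IPDIVERT\n' > "$FIXED_KERN"

echo "== as posted =="; check_gateway "$SAMPLE_RC" "$SAMPLE_KERN"
echo "== corrected =="; check_gateway "$FIXED_RC" "$FIXED_KERN"
```

This is a static check of the files only; on the box itself the same questions are answered by sysctl net.inet.ip.forwarding, kldstat, and ipfw list. Note that firewall_type="open" in the corrected sample does exactly what the name says: it passes everything and only serves to get NAT working before a real ruleset is written, which is the order Tim said he wanted. A NAT gateway with an open ruleset still exposes every service listening on the outside interface, so the ruleset should follow immediately.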