ipfw/natd settings for home network connected to cable internet via FreeBSD gateway?

Post by Yann Rami » Thu, 06 Jul 2000 04:00:00

> Hello,

> I have just set up a FreeBSD 4.--Stable machine as a gateway between my
> home network (another FreeBSD stable machine and a Win98 machine) and the
> big wide world via a cable internet connection. It currently uses
> natd_enable="YES" and the standard firewall_type="OPEN". This is all
> working ok - I can access the Internet from my internal machines.

> Now I want to implement a real firewall on the gateway machine. However,
> I'm not sure which firewall type I want. Looking at the ipfw rules for type
> "client" and "simple" they don't really look like what I'm after. I
> basically want the internal machines to be able to do anything they want as
> far as connection outwards, but I don't want to allow any connections in
> from outside. Some time in the future, I may want to open up a single
> incoming port for ssh.

> Can somebody please give me some clues or point me at some doco (more than
> the handbook) for this.

> Thanks,
>         Graham

(please correct me if I'm wrong)

natd should take care of this.  What natd does is remap port numbers, so
it is impossible for an outside machine to access your internal network
(this breaks some things, i.e., RTSP Quicktime Streaming, active mode
FTP, some SNMP).  Take this diagram.

internal machine: port out 80, in 1000
      <---->  natd: port out 80, in 1024
      <---->  www server: port out 1024, in 80

  When your internal opens a TCP connection to the www server, it flows
over the natd box.  natd then transparently remashes the connection to
come from another port on itself, but remembers that when packets flow
in this port, they should be regurgitated on the internal network on the
port your machine is using.  It will not open connections the other way
around since it has no way of knowing where to put the packets (packet
forwarders??).

But it's a good idea to secure the natd machine: if someone breaks into
that, then they get on the internal network.

Yann

--

--------------------------------------------------------------------

Atrus Trivalie Productions      www.redshift.com/~yramin
Monterey High IT                www.montereyhigh.com
ICQ                             46805627
AIM                             oddatrus
Marina, CA

IRM Developer                   Network Toaster Developer
SNTS Developer                  * Developer

"All cats die.  Socrates is dead.  Therefore Socrates is a cat."
        - The Logician
--------------------------------------------------------------------


ipfw/natd settings for home network connected to cable internet via FreeBSD gateway?

Post by Graham Menhennit » Fri, 07 Jul 2000 04:00:00


Hello,

I have just set up a FreeBSD 4.--Stable machine as a gateway between my
home network (another FreeBSD stable machine and a Win98 machine) and the
big wide world via a cable internet connection. It currently uses
natd_enable="YES" and the standard firewall_type="OPEN". This is all
working ok - I can access the Internet from my internal machines.

Now I want to implement a real firewall on the gateway machine. However,
I'm not sure which firewall type I want. Looking at the ipfw rules for type
"client" and "simple" they don't really look like what I'm after. I
basically want the internal machines to be able to do anything they want as
far as connection outwards, but I don't want to allow any connections in
from outside. Some time in the future, I may want to open up a single
incoming port for ssh.

Can somebody please give me some clues or point me at some doco (more than
the handbook) for this.

Thanks,
        Graham
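A ruleset that does what Graham asks for (everything out, nothing in, a single ssh port to be opened later) on top of the natd divert Yann describes. This is an added example, not code from either post; it assumes a hypothetical gateway with external interface fxp0, internal interface fxp1, internal network 192.168.1.0/24 and natd on its default divert port, and uses the stateless established/setup style of the FreeBSD 4.x rc.firewall "simple" rules.

```shell
#!/bin/sh
# Hypothetical interface and network names; adjust to the real gateway.
oif="fxp0"             # cable side
iif="fxp1"             # home LAN side
inet="192.168.1.0/24"  # home LAN addresses

# Print the ipfw rule list (one "ipfw" argument line per rule).
fw_rules() {
    cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# anti-spoofing: nothing claiming a LAN address may arrive from the cable side
add 400 deny ip from ${inet} to any in via ${oif}
# hand every packet crossing the cable interface to natd (default port 8668)
add 500 divert natd ip from any to any via ${oif}
# replies to TCP connections opened from inside (ACK set, so not a new SYN)
add 600 allow tcp from any to any established
# anything may leave through the cable interface
add 700 allow ip from any to any out via ${oif}
# the LAN interface is trusted in both directions
add 800 allow ip from any to any via ${iif}
# future single inbound port for ssh: remove the leading # to enable
# add 900 allow tcp from any to any 22 in via ${oif} setup
# DNS answers and the ICMP types needed for working connections
add 1000 allow udp from any 53 to any in via ${oif}
add 1100 allow icmp from any to any icmptypes 0,3,11
# everything else, in particular new inbound TCP SYNs, is dropped and logged
add 65000 deny log ip from any to any
EOF
}

# Load the rules into the kernel; comment lines are skipped.
fw_apply() {
    fw_rules | grep -v '^#' | while read -r line; do
        # word-splitting of $line is intended: each word is an ipfw argument
        ipfw -q $line
    done
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

Run it as `sh firewall.sh apply` on the gateway as root; without the argument it only defines the functions, so `fw_rules` can be used to review the list first.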