Very Computer

I have the DaemonNews 4CD set (4.6), willing to donate them to my
friend just to give him a taste of open source and stop wasting more
money and upgrade his NT4-Server and his Remote Management software
(App layer encrypted, one one UDP and three TCP (1667, ....)

Here is the scenario.  Internet browsing is working ok via a single
static IP provided by covad. (one public IP is NATed via the FreeBSD
4.6) The "HOST"
side ("Answering side-see diagram below") is behind the NATD/IPFW.
TelnetD will be running with TCP wrapper enabled and one host from the
inside lan will be allowed to telnet to the firewall/NATD box.
All other services will be turned off.

##
Remote Client is already running and coming from 4.168.0.0 NET, PPPoE.
(FreeBSD4.5 as the gateway) and NT4-Worksation with the client
software.

                                                     |---PC 192...
Provider CPE                           |4.6-FBSD|    |---PC 192...
                                                     |---PC 192...
198.167.167.101                    198.167.167.102   |
Fujitsu 1.5/384----198.167.167.100/30 ----NATD/----|--NT-Srvr(rmt mgt
Static IP                              | IPFW |        192.168.168.169
                                                     |---
                                                     |---PC 192...

                                        Inside NET=192.168.168.168/29

1. DO I need just the two rules in my rc.firewall.current
   below  -############################?

 $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
 $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup

2. or do I need to set up  the ff.  "too" (/etc/natd.conf file.)  

redirect_port udp 192.168.168.169:222
redirect_port tcp 192.168.168.169:1667
redirect_port tcp 192.168.168.169:1668
redirect_port tcp 192.168.168.169:1669

----------------------------------------

snip

#       Divert all packets through natd
        $fwcmd add divert natd all from any to any via $oif
#
#       Allow all established connections to persist (setup required
#       for new connections).
        $fwcmd add allow tcp from any to any established
#
#       Allow incoming requests to reach the following services:
#       To allow multiple services you may list them separated
#       by a coma, for example ...to $oip 22,25,110,80 setup
#     ############################################################  
##     #$fwcmd add allow tcp from any to $oip 22 setup
  $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
  $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup
##################################################################
#       NOTE: you may have to change your client to passive or active mode
#               to get ftp to work once enabled, only ssh enabled by default.
#       21:ftp
#       22:ssh          enabled by default
#       23:telnet
#       25:smtp
#       110:pop
#       143:imap
#       80:http
#       443:ssl
#
#       Allow icmp packets for diagnostic purposes (ping traceroute)
#       you may wish to leave commented out.
#       $fwcmd add allow icmp from any to any

snip

I cannot experiment with the FreeBSD box because it is too far (at
least 2Hr)
and very limited time to have this setup.

Thanks.
Aykat Sue

aykat sue,

You do not, necessarily, need to divert packets in your firewall.

You DO need to have "options IPDIVERT" and "options IPFIREWALL" compiled
into your kernel.

See Chapters 9, 10, and 18 in the FreeBSD Handbook at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

Between these three chapters, you should be able to determine what options,
features, and settings you need for your particular situation...

--

Mike Todd
President, Mike Todd Associates www.MikeTodd.com
Supporting the Digital Coast

President, Internet Society Los Angeles Chapter www.ISOC-LosAngeles.org

Center for Entrepreneurship and Technology Law
Pepperdine University Law School

  Voice:  714-846-7257
  FAX:    714-846-5716
  Cell:   714-222-3700

I have the DaemonNews 4CD set (4.6), willing to donate them to my
friend just to give him a taste of open source and stop wasting more
money and upgrade his NT4-Server and his Remote Management software
(App layer encrypted, one one UDP and three TCP (1667, ....)

Here is the scenario.  Internet browsing is working ok via a single
static IP provided by covad. (one public IP is NATed via the FreeBSD
4.6) The "HOST"
side ("Answering side-see diagram below") is behind the NATD/IPFW.
TelnetD will be running with TCP wrapper enabled and one host from the
inside lan will be allowed to telnet to the firewall/NATD box.
All other services will be turned off.

##
Remote Client is already running and coming from 4.168.0.0 NET, PPPoE.
(FreeBSD4.5 as the gateway) and NT4-Worksation with the client
software.

                                                     |---PC 192...
Provider CPE                           |4.6-FBSD|    |---PC 192...
                                                     |---PC 192...
198.167.167.101                    198.167.167.102   |
Fujitsu 1.5/384----198.167.167.100/30 ----NATD/----|--NT-Srvr(rmt mgt
Static IP                              | IPFW |        192.168.168.169
                                                     |---
                                                     |---PC 192...

                                        Inside NET=192.168.168.168/29

1. DO I need just the two rules in my rc.firewall.current
   below  -############################?

 $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
 $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup

2. or do I need to set up  the ff.  "too" (/etc/natd.conf file.)

redirect_port udp 192.168.168.169:222
redirect_port tcp 192.168.168.169:1667
redirect_port tcp 192.168.168.169:1668
redirect_port tcp 192.168.168.169:1669

----------------------------------------

snip

# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
#     ############################################################
##     #$fwcmd add allow tcp from any to $oip 22 setup
  $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
  $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup
##################################################################
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any

snip

I cannot experiment with the FreeBSD box because it is too far (at
least 2Hr)
and very limited time to have this setup.

Thanks.
Aykat Sue

Thank you Todd.

I believe I do need the "options IPDIVERT" and "options IPFIREWALL"
in my kernel config (HOST side - see diagram), since covad gave me
only one routable IP (slash 30) and I have 5 machines inside the
firewall

I am just worried about the redirect_port since I've never tried them
before.

----------------------------------------------
redirect_port udp 192.168.168.169:222  222
redirect_port tcp 192.168.168.169:1667  1667
redirect_port tcp 192.168.168.169:1668  1668
redirect_port tcp 192.168.168.169:1669  1669
----------------------------------------------

Rgds,
Aykat Sue