natd/ipfw

Post by Gael Jea » Wed, 03 Jul 2002 22:37:59



Hi everyone,

I configured a FreeBSD 4.6-release box to be an ipfw/natd gateway between my
private LAN and the internet.
Everything is working fine until I reboot the box. natd does not start at
boot time; I have to start it myself by typing "natd -n tun0 -dynamic"
at the root prompt. Then everyone can get to the internet again.
To connect to the internet, I use an ethernet ADSL modem with PPPoE. I
have 2 Realtek ethernet cards: "rl0" for the modem and "rl1" for the LAN.

It seems that at boot time, natd tries to use the interface "tun0", which is
not yet configured by ppp.
Do I have to use the interface "tun0" or "rl0" in the firewall rules and
as the natd interface?

By the way, what is the difference between ppp and pppd? Which one is better?

Here is my configuration (only the interesting parts of the files):

Kernelconf
# IPFW
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT

/etc/rc.conf
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
# PPP/ADSL Wanadoo
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="wanadoo"
ppp_nat="NO"
# FIREWALL
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/usr/local/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging_enable="YES"
# NAT
natd_enable="NO"
natd_interface="tun0"
natd_flags="-dynamic"

/etc/ppp/ppp.conf
default:
         set device PPPoE:rl0
         set speed sync
         set mru 1492
         set mtu 1492
         set ctsrts off

         # monitor line quality
         enable lqr

         # log just a bit
         set log phase tun

         # insert default route upon connection
         add default HISADDR
         enable tcpmssfixup

wanadoo:
       set authname <MyAuthName>
       set authkey <MyAuthKey>

/usr/local/etc/ipfw.rules
#
# Firewall rules
#
# NATD
add divert natd all from any to any via tun0

# loopback + internal ethernet
add allow ip from any to any via lo0
add allow ip from any to any via rl1

# tcp
add allow tcp from any to any out xmit tun0 setup
add allow tcp from any to any via tun0 established
add allow tcp from any to any 80 setup
add allow tcp from any to any 22 setup

# udp
add allow udp from any to any 53 out xmit tun0
add allow udp from any 53 to any in recv tun0

# icmp
add allow icmp from any to any

# log deny
add 65435 deny log ip from any to any

Thank you in advance,
Gael Jean.


natd/ipfw

Post by Loki » Thu, 04 Jul 2002 00:11:13




> I configured a FreeBSD 4.6-release box to be an ipfw/natd gateway between my
> private LAN and the internet.
> Everything is working fine until I reboot the box. natd does not start at
> boot time; I have to start it myself by typing "natd -n tun0 -dynamic"
> at the root prompt. Then everyone can get to the internet again.

Cool.

Probably a lot of people here are going to tell you all sort of things that
you should do to make it work in a more elegant way.

However, I'm going to tell you how to make it work in an easy, hackish way.

Put the command that you always find yourself typing at boot into
/etc/rc.local. This file gets executed after everything else in the rc
sequence.

Ought to solve your problem in a minimum of time.

--
Maybe I'll share my life with somebody... maybe not. But the truth is, when
I think back of my loneliest moments, there was usually somebody sitting
there next to me.

                --- Ally McBeal


natd/ipfw

Post by Marce » Thu, 04 Jul 2002 00:24:08


First, ppp is user mode ppp, while pppd is kernel mode.

Second, you have natd_enable set to NO in your kernel config.




natd/ipfw

Post by Gael Jea » Thu, 04 Jul 2002 00:30:53


Oops !!!!

Sorry about that:

Quote:> # NAT
> natd_enable="NO"
> natd_interface="tun0"
> natd_flags="-dynamic"

I put natd_enable="YES" and it works better, much better!

Sorry for the noise,
Gael Jean.
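The root cause in this thread was a "divert natd" rule in the ipfw rules with natd_enable="NO" in rc.conf: ipfw diverts the packets, nothing is listening on the divert socket, and the kernel drops them. The following script is an added example (not from the thread or from FreeBSD) that lints an rc.conf against an ipfw rules file for exactly that mismatch, plus two related ones: a natd_interface that differs from the divert rule's "via" interface, and ppp_nat and natd_enable both set to YES (double NAT). The sample files it writes are constructed to mirror the poster's configuration before and after the fix.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf against an ipfw rules
# file for the mistakes discussed above. The poster's symptom came from a
# "divert natd" rule with natd_enable="NO"; a divert rule with no listener
# on the divert socket makes the kernel drop every packet it diverts.

# Value of a rc.conf variable (last assignment wins, quotes/comments removed).
rc_get() {   # usage: rc_get FILE VAR
    awk -F= -v var="$2" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == var { v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); last = v }
        END { print last }' "$1"
}

# Interface named after "via" in the first "divert natd" rule, if any.
divert_iface() {   # usage: divert_iface RULESFILE
    awk '/divert[ \t]+natd/ { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }' "$1"
}

# Print one line per problem; print nothing when the two files agree.
lint_nat() {   # usage: lint_nat RCCONF RULESFILE
    natd_en=$(rc_get "$1" natd_enable | tr '[:lower:]' '[:upper:]')
    ppp_nat=$(rc_get "$1" ppp_nat | tr '[:lower:]' '[:upper:]')
    natd_if=$(rc_get "$1" natd_interface)
    div_if=$(divert_iface "$2")
    if [ -n "$div_if" ] && [ "$natd_en" != "YES" ]; then
        echo "divert natd via $div_if but natd_enable=\"${natd_en:-unset}\": diverted packets are dropped"
    fi
    if [ -n "$div_if" ] && [ -n "$natd_if" ] && [ "$div_if" != "$natd_if" ]; then
        echo "divert natd via $div_if but natd_interface=\"$natd_if\": natd would translate the wrong interface"
    fi
    if [ "$ppp_nat" = "YES" ] && [ "$natd_en" = "YES" ]; then
        echo "ppp_nat and natd_enable are both YES: traffic would be translated twice"
    fi
}

# Constructed sample files mirroring the poster's configuration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ipfw.rules" <<'EOF'
add divert natd all from any to any via tun0
add allow ip from any to any via lo0
add 65435 deny log ip from any to any
EOF
printf 'ppp_nat="NO"\nnatd_enable="NO"\nnatd_interface="tun0"\n' > "$demo_dir/rc.conf.broken"
printf 'ppp_nat="NO"\nnatd_enable="YES"\nnatd_interface="tun0"\n' > "$demo_dir/rc.conf.fixed"

echo "== before the fix =="; lint_nat "$demo_dir/rc.conf.broken" "$demo_dir/ipfw.rules"
echo "== after the fix =="; lint_nat "$demo_dir/rc.conf.fixed" "$demo_dir/ipfw.rules"
```

Run it against the real /etc/rc.conf and the file named by firewall_type to check a gateway before rebooting it.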


natd/ipfw

Post by Daniel Meyne » Thu, 04 Jul 2002 06:35:29


Dear Gael Jean,

With PPPoE, it is preferable to use ppp's built-in "nat" function instead of
natd.  See the following page (it is not the best one: there are plenty of
others on the Internet...):

http://computer.homily-service.net/freebsd/adsl.htm

For the difference between ppp and pppd, see man ppp and man pppd: one is a
protocol, the other is a daemon that uses the ppp protocol.

As for the firewall, with PPPoE it is always tun0 that you must filter on,
not the ethernet interface.  Do not use ppp0 either.

Good luck!

Daniel Meynen


NATD/IPFW and ping/traceroute swallowing.

Hi Guys,

is there a simple way with an IPFW/NATD type firewall to prevent incoming
ping/traceroutes but yet allow me to still use ping/traceroute myself
from within my network? Yes, I want to 'cloak' myself a bit. *L*

On a related issue, is there any way I can make my ssh port invisible to
all but myself? I'd like to be able, when I'm away, to SSH in to my
system from the outside if I need to get some files or drop some files
off. Unfortunately, when I am on the road there is no fixed IP or domain
associated with my laptop. Anybody have any suggestions? Thanks!

Happy New Millennium!

--
  __
 /_/             Creator/Maintainer
/aul       "A Deamon's Guide To FreeBSD"
http://homes.acmecity.com/looneytunes/lunar/315/
