#1

    Hello. I wonder if you can help me please.


    Hi there.
    I hope you can help.
    I'm having a nightmare trying to get this sorted, and the more reading I do, the more I confuse myself. I have been to the FreeBSD handbook many, many times. But can you just confirm I have the right idea here please?

    I have a business cable connection, which is connected directly to an Ethernet on my FreeBSD box which is running 4.8-RELEASE. The modem it's using is a Samsung SCM140.
    I have been fortunate to obtain a Toshiba 2450-S402 P4 laptop. I wish to allow the laptop to use the same connection.

    The laptop needs no ports open, as it's just for me to access the net, the FreeBSD box however is a webserver.

    Ok, so I started the reading.

    I know I must place new NIC in FreeBSD box.
    Then I need to load the IPFIREWALL and IPDIVERT modules, and I read that the way to do this was to edit /usr/src/sys/i386/conf/GENERIC:

    and add:

    options IPFIREWALL
    options IPDIVERT

    and then re-compile the kernel via:

    cd /usr/src
    make buildkernel KERNCONF=dan
    make installkernel KERNCONF=dan

    Then I read I had to add the following to /etc/rc.conf:
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="sis0"
    natd_flags=""

    And then I read that I had to assign the FreeBSD box and the laptop private IPs, preferably something like
    FreeBSD box private IP: 192.168.0.1, Windows box: 192.168.0.2.
    I couldn't find any info on how to do this?

    How near am I to understanding this, and what else do I need to do PLEASE?
    If you can guide me, it'd be much appreciated.
    With advance thanks!
#2
    Ok. Hopefully this will be the last time I annoy you guys!
    I really appreciate the information you've given me.
    Excuse the idiot's guide I've put down below, but this is what I'm *sure*, after all the reading, that I have to do.
    Fortunately, while I kindly wait for your confirmation (please!!!), I had to order a new crossover cable, which will be delivered.

    FYI: sis0 is the Ethernet connected to the business cable modem, sis1 is the new Ethernet which will connect to the laptop.

    Here's what I believe I should do:

    1. Place new NIC in FreeBSD box.

    2. Load the IPFIREWALL and IPDIVERT modules, by adding to /usr/src/sys/i386/conf/GENERIC:

    options IPFIREWALL
    options IPDIVERT

    cd /usr/src
    make buildkernel KERNCONF=GENERIC
    make installkernel KERNCONF=GENERIC

    3. Add the following to /etc/rc.conf:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="sis0"
    natd_flags=""
    firewall_script="/etc/firewall/fwrules"

    Also, add ifconfig_sis1="inet 192.168.0.1 netmask 255.255.255.0"

    4. ifconfig sis1 inet 192.168.0.1/24

    On the Laptop (WinXP) Set ip: 192.168.0.2, subnet 255.255.255.0, default gateway 192.168.0.1 and nameservers.

    And finally, my fwrules:

    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference. Helps to make it easier to read.
    fwcmd="/sbin/ipfw"

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the tunnel interface.
    $fwcmd add divert natd all from any to any via sis0

    # Allow all connections that have dynamic rules built for them,
    # but deny established connections that don't have a dynamic rule.
    # See ipfw(8) for details.
    $fwcmd add check-state
    $fwcmd add deny tcp from any to any established

    # Allow all localhost connections
    $fwcmd add allow tcp from me to any out via lo0 setup keep-state
    $fwcmd add deny tcp from me to any out via lo0
    $fwcmd add allow ip from me to any out via lo0 keep-state

    # Allow all connections from my network card that I initiate
    $fwcmd add allow tcp from me to any out xmit any setup keep-state
    $fwcmd add deny tcp from me to any
    $fwcmd add allow ip from me to any out xmit any keep-state

    # Everyone on the Internet is allowed to connect to the following
    # services on the machine. This example specifically allows connections
    # to sshd and a webserver.
    $fwcmd add allow tcp from any to me dst-port 80,25,22 in recv any setup keep-state

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to me 113 in recv any

    # Enable ICMP: remove type 8 if you don't want your host to be pingable
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

    # Deny all the rest.
    $fwcmd add deny log ip from any to any

    Do you believe all that is correct?
    I just have one problem ...
    I tried running the IPFW script, and as soon as I did, no outsider could connect to port 80, even though I restarted apachectl; as soon as I disabled those rules, it worked.
    I cannot see what is actually wrong with the rules, so if you can guide me on that - it'd be much appreciated.

    Thanks again for your assistance.
    It's much appreciated.
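An added example (not from the thread or from FreeBSD itself) of the check a practitioner would run next: `ipfw -a list` prints each rule with its packet and byte counters, so the rule that is actually swallowing the inbound port-80 SYNs shows up as a deny rule with a non-zero count while the intended allow rule stays at zero. The listing below is constructed to resemble that output for the ruleset above; the rule numbers and counters are made up.

```sh
#!/bin/sh
# Constructed sample of `ipfw -a list` output: rule number, packets, bytes,
# then the rule body. Not captured from a real system.
SAMPLE='00100     42    5432 divert 8668 ip from any to any via sis0
00200      0       0 check-state
00300      0       0 deny tcp from any to any established
00400      3     180 allow tcp from me to any out via lo0 setup keep-state
00500      0       0 deny tcp from me to any out via lo0
00600      5     400 allow ip from me to any out via lo0 keep-state
00700      7     420 allow tcp from me to any out xmit any setup keep-state
00800      0       0 deny tcp from me to any
00900     20    1600 allow ip from me to any out xmit any keep-state
01000      0       0 allow tcp from any to me dst-port 80,25,22 in recv any setup keep-state
01100      0       0 reset log tcp from any to me dst-port 113 in recv any
01200      4     336 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
01300     11     660 deny log ip from any to any
65535      0       0 deny ip from any to any'

# hot_rules LISTING: print "number action" for every rule that matched packets.
hot_rules() {
    printf '%s\n' "$1" | awk '$2 > 0 { print $1, $4 }'
}

# hot_denies LISTING: only the deny/reset rules that counted packets.
# A non-zero final "deny log ip from any to any" is the usual tell.
hot_denies() {
    printf '%s\n' "$1" | awk '$2 > 0 && ($4 == "deny" || $4 == "reset") { print $1, $4 }'
}

# allow_rule_unused LISTING PORT: exit 0 if an allow rule lists PORT in its
# dst-port set but never matched a packet, i.e. the SYNs were eaten earlier.
allow_rule_unused() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 == "allow" {
            for (i = 1; i <= NF; i++) if ($i == "dst-port") {
                n = split($(i + 1), ports, ",")
                for (j = 1; j <= n; j++) if (ports[j] == p) { hit = 1; if ($2 > 0) used = 1 }
            }
        }
        END { exit ((hit && !used) ? 0 : 1) }'
}

# On the real box: ipfw -a list | awk '$2 > 0' does the same as hot_rules.
hot_rules "$SAMPLE"
hot_denies "$SAMPLE"
allow_rule_unused "$SAMPLE" 80 && echo "allow rule for port 80 never matched"
```

Because that last rule carries `log`, the dropped packets also appear in /var/log/security with the rule number, which tells you which interface and address pair the SYN arrived with after passing the divert rule.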
