October 8th, 2003, 06:11 AM
Hello. I wonder if you can help me please.
I hope you can help.
I'm having a nightmare trying to get this sorted, and the more reading I do, the more I confuse myself. I have been to the FreeBSD handbook many, many times, but can you just confirm I have the right idea here please?
I have a business cable connection, which is connected directly to an Ethernet on my FreeBSD box which is running 4.8-RELEASE. The modem it's using is a Samsung SCM140.
I have been fortunate to obtain a Toshiba 2450-S402 P4 laptop. I wish to allow the laptop to use the same connection.
The laptop needs no ports open, as it's just for me to access the net; the FreeBSD box, however, is a webserver.
Ok, so I started the reading.
I know I must place a new NIC in the FreeBSD box.
Then I need to load the IPFIREWALL and IPDIVERT modules, which I read is done by editing /usr/src/sys/i386/conf/GENERIC:
and then re-compile the kernel via:
make buildkernel KERNCONF=dan
make installkernel KERNCONF=dan
Then I read I had to add the following to /etc/rc.conf:
And then I read that I had to assign the FreeBSD box and the laptop private IPs, preferably something like
FreeBSD box private IP: 192.168.0.1, Windows box: 192.168.0.2.
I couldn't find any info on how to do this.
How near am I to understanding this, and what else do I need to do PLEASE?
If you can guide me, it'd be much appreciated.
With advance thanks!
October 8th, 2003, 08:18 PM
Ok. Hopefully this will be the last time I annoy you guys!
I really appreciate the information you've given me.
Excuse the idiot's guide I've done below, but this is what I'm *sure*, after all the reading, that I have to do.
Fortunately, while I kindly wait for your confirmation (please!!!) I had to order a new CrossOver cable which will be delivered.
FYI: sis0 is the Ethernet connected to the business cable modem, sis1 is the new Ethernet which will connect to the laptop.
Here's what I believe I should do:
1. Place a new NIC in the FreeBSD box.
2. Load the IPFIREWALL and IPDIVERT modules, in /usr/src/sys/i386/conf/GENERIC:
make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
3. Add the following to /etc/rc.conf:
Also, add ifconfig_sis1="inet 192.168.0.1 netmask 255.255.255.0"
4. ifconfig sis1 inet 192.168.0.1/24
On the laptop (WinXP), set IP: 192.168.0.2, subnet 255.255.255.0, default gateway 192.168.0.1, and nameservers.
And finally, my fwrules:
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via sis0
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state
# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
# Everyone on the Internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to sshd and a webserver.
$fwcmd add allow tcp from any to me dst-port 80,25,22 in recv any setup keep-state
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any
# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
# Deny all the rest.
$fwcmd add deny log ip from any to any
Do you believe all that is correct?
I just have one problem ...
I tried running the IPFW script, and as soon as I did, no outsider could connect to port 80, even though I restarted apachectl. As soon as I disabled those rules, it worked.
I cannot see what is actually wrong with the rules, so if you can guide me on that, it'd be much appreciated.
Thanks again for your assistance.
It's much appreciated.
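Added example, not part of the original posts: a simplified Python model of ipfw's first-match evaluation over the rule order posted above, including the divert(4) behaviour that a diverted packet is dropped when no process (natd) is bound to the divert socket. The packet fields, the `natd_running` flag and the `has_state` input are assumptions of this model, not ipfw syntax.

```python
# Simplified model of ipfw first-match evaluation for the rule order in the post.
# Packet fields and natd_running are assumptions of the model, not ipfw syntax.
def pkt(**kw):
    """Constructed sample packet: a new inbound TCP connection to port 80 on sis0."""
    p = dict(proto="tcp", iface="sis0", dir="in", from_me=False, to_me=True,
             dst_port=80, setup=True, has_state=False, icmp_type=None)
    p.update(kw)
    return p

def tcp(p): return p["proto"] == "tcp"
def out_me(p): return p["from_me"] and p["dir"] == "out"
def in_me(p): return p["to_me"] and p["dir"] == "in"
def lo0_out(p): return out_me(p) and p["iface"] == "lo0"

RULES = [  # (label, action, predicate), same order as the posted script
    ("divert natd via sis0", "divert", lambda p: p["iface"] == "sis0"),
    ("check-state", "allow", lambda p: p["has_state"]),
    ("deny tcp established", "deny", lambda p: tcp(p) and not p["setup"]),
    ("allow tcp from me out via lo0 setup", "allow",
     lambda p: tcp(p) and lo0_out(p) and p["setup"]),
    ("deny tcp from me out via lo0", "deny", lambda p: tcp(p) and lo0_out(p)),
    ("allow ip from me out via lo0", "allow", lo0_out),
    ("allow tcp from me out setup", "allow",
     lambda p: tcp(p) and out_me(p) and p["setup"]),
    ("deny tcp from me", "deny", lambda p: tcp(p) and p["from_me"]),
    ("allow ip from me out", "allow", out_me),
    ("allow tcp to me 80,25,22 in setup", "allow",
     lambda p: tcp(p) and in_me(p) and p["setup"] and p["dst_port"] in (80, 25, 22)),
    ("reset tcp to me 113 in", "reset",
     lambda p: tcp(p) and in_me(p) and p["dst_port"] == 113),
    ("allow icmp types 0,3,8,11,12,13,14", "allow",
     lambda p: p["proto"] == "icmp" and p["icmp_type"] in (0, 3, 8, 11, 12, 13, 14)),
    ("deny ip from any to any", "deny", lambda p: True),
]

def evaluate(p, natd_running):
    """Return (action, label) of the rule that decides the packet's fate."""
    for label, action, match in RULES:
        if not match(p):
            continue
        if action == "divert":
            if not natd_running:   # divert(4): no socket bound, packet is dropped
                return ("drop", label)
            continue               # natd re-injects; matching resumes at next rule
        return (action, label)

if __name__ == "__main__":
    for running in (True, False):
        print("natd running:", running, "->", evaluate(pkt(), running))
```

On the host itself, `ipfw show` prints per-rule packet counters, which shows which rule real traffic is hitting.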