I've recently bought a cheap barebones system (http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=1027006&CatId=336) on which I installed three 10/100/1000 NICs, as well as FreeBSD 5.4, and I'm currently attempting to turn it into a firewall gateway for my network (http://www.stealthbot.net/forum/uploads/post-51-1125120758.jpg).
I managed to set up natd on it just fine, but I'd rather use ipnat. However, after I got it all set up, I noticed that it wasn't allowing connections, even to the loopback addresses.
re0 connects to my DSL modem.
vge0 connects to my wired internal network.
vge1 connects to my wireless internal network.
Options added to the GENERIC kernel:
# natd
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options TCP_DROP_SYNFIN
# IPSec
options IPSEC
options IPSEC_ESP
# ipf / ipnat / ipmon
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
/etc/rc.conf:
# -- sysinstall generated deltas -- # Fri Sep 2 10:11:46 2005
# Created: Fri Sep 2 10:11:46 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
apm_enable="YES"
ibcs2_enable="YES"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
svr4_enable="YES"
usbd_enable="YES"
sshd_enable="YES"
# -- sysinstall generated deltas -- # Sat Sep 3 23:39:19 2005
kern_securelevel="1"
kern_securelevel_enable="YES"
ifconfig_vge0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
# natd
#firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="open"
#firewall_quiet="NO"
#natd_program="/sbin/natd"
#natd_enable="YES"
#natd_interface="re0"
#natd_flags="-f /etc/natd.conf"
# ip
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"
tcp_drop_synfin="YES"
# ifconfig
ifconfig_re0="inet 192.168.254.1 netmask 255.255.255.0"
ipv6_enable="YES"
defaultrouter="192.168.254.254"
hostname="EFWGW.xDSL"
ifconfig_vge1="inet 192.168.2.100 netmask 255.255.255.0"
/etc/ipnat.rules:
# Dev Inside IP Local Inet IP
map re0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map re0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
# Map all tcp and udp connections from 192.168.1.0/24 to external IP address,
# changing the source port number to something between 40,000 and 60,000
# inclusive
map re0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map re0 192.168.2.0/24 -> 0/32 portmap tcp/udp 40000:60000
# For all other IP packets, map to the external IP address
map re0 192.168.1.0/24 -> 0/32
map re0 192.168.2.0/24 -> 0/32
/etc/ipf.rules:
oif="re0"
odns="192.168.254.254"
myip="192.168.254.1"
ks="keep state"
fks="flags S keep state"
# Allow all loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all re0
pass in quick on re0 all
pass out quick on re0 all
# Allow all vge0
pass in quick on vge0 all
pass out quick on vge0 all
# Allow all vge1
pass in quick on vge1 all
pass out quick on vge1 all
# Allow all fxp0
pass in quick on fxp0 all
pass out quick on fxp0 all
# Allow all plip0
pass in quick on plip0 all
pass out quick on plip0 all
On FreeBSD 5.4, OpenBSD's pf is built into the base system. I recommend pf; it is really easy to configure and there is excellent documentation.
FreeBSD Handbook on pf (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html)
FreeBSD man page on pf.conf (http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+5.4-RELEASE+and+Ports&format=html)
OpenBSD pf handbook (http://www.openbsd.org/faq/pf/) (the easiest to read)
An example pf.conf can be found at /etc/pf.conf.
However, I'll look over ipf and ipnat when I get a chance.
Btw, pf uses altq too, so you can limit bandwidth for particular groups of people. pf is more than just an ordinary packet filter: it can perform NAT, ingress filtering, egress filtering, stateful inspection, etc.
Quote from: David on September 09, 2005, 03:12 PM
Wireless routers are horrible.
Actually, if you were doing wireless and you absolutely wanted 99.99% privacy (as well as regulate connections), it would be very smart to use encrypted PPTP.
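The pf.conf that the reply above recommends, written out here as an added example for exactly the three-interface layout in the first post (it is not configuration from this thread or from the FreeBSD project). It assumes re0 facing the DSL modem, vge0 and vge1 as the wired and wireless LANs, and the inetd-based ftp-proxy listening on 127.0.0.1:8021 as described in the Handbook's pf chapter.

```pf
# /etc/pf.conf for the EFWGW gateway (added example, not from the thread)
ext_if   = "re0"      # DSL side, 192.168.254.1
wired_if = "vge0"     # 192.168.1.0/24
wifi_if  = "vge1"     # 192.168.2.0/24
int_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"

set block-policy drop          # silently drop instead of sending RST/ICMP
set loginterface $ext_if       # pfctl -si counters for the outside interface

# NAT both LANs to whatever address re0 currently has, using the same
# 40000-60000 source port range the ipnat rules used.
nat on $ext_if from $int_nets to any -> ($ext_if) port 40000:60000

# Active FTP: hand LAN FTP control connections to the inetd ftp-proxy
# (assumed enabled on 127.0.0.1 port 8021 in /etc/inetd.conf).
rdr on $wired_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $wifi_if  proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Default deny in both directions, logged to pflog0.  Loopback is never
# filtered, which is the first thing to check when 127.0.0.1 stops working.
block in  log all
block out log all
pass quick on lo0 all

# Drop packets whose source address does not belong on the arriving interface.
antispoof quick for { lo0 $wired_if $wifi_if }

# LAN hosts may talk to the gateway and to the Internet; state is created
# on the first packet so the replies are matched without further rules.
pass in on { $wired_if $wifi_if } inet from $int_nets to any keep state

# Only SYNs open new outbound TCP states; UDP/ICMP are allowed out as well.
pass out on $ext_if inet proto tcp   from ($ext_if) to any flags S/SA keep state
pass out on $ext_if inet proto udp   from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp  from ($ext_if) to any keep state
pass out on { $wired_if $wifi_if } all keep state

# Nothing unsolicited comes in on re0: the ipf rule "pass in quick on re0 all"
# has no counterpart here, so inbound traffic only matches existing state.
```

Enable it with pf_enable="YES", pf_rules="/etc/pf.conf" and pflog_enable="YES" in /etc/rc.conf, and check the syntax with pfctl -nf /etc/pf.conf before loading it on a remote box.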