On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

> Now my only problem is that I have played a little with ipfw in a
> situation where I have just two interfaces, 1 external and 1 internal.
> My current requirement however involves one external interface and
> four (or more) internal interfaces (which should all be SEPARATE
> networks, invisible from each other).
>
> Is this doable? (I hope someone has done this before). I would say I am
> a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
>    Any minute gotchas/clues will be highly appreciated. URL links
>    pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really...
Here's an example that would allow FTP to one network and HTTP to
another...

${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via 
xl0 
${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via 
xl0 

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn 
keep-state in via xl1 

Note the following things about this rule...

1. I've specified a source range to allow. 
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some ? 

-- 
Wayne Pascoe
BSD is for people who love UNIX; Linux is for
people who hate Windows 
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to