now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines -
machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci
3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical
except it has only one nic - the intel 1000 pro integrated. machine 2 also has a
static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering
firewall/natd box. i'd like to hook up machine 2 to the internal network interface
card of machine 1 and be able to filter/log/divert packets bound for machine 2 through
ipfw/natd on machine 1.
i've been basically following the instructions at
http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'
- on machine 1, ifconfig returns
xl0: flags=8843 mtu 1500
options=3
inet 129.x.x.35 netmask 0xff00 broadcast 129.x.x.255
inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
ether 00:10:5a:c6:8b:cb
media: Ethernet autoselect (100baseTX )
status: active
xl1: flags=8843 mtu 1500
options=3
inet 10.20.155.1 netmask 0xff00 broadcast 10.20.155.255
inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
ether 00:06:5b:80:98:5b
media: Ethernet autoselect (none)
status: no carrier
i'd like xl0 to be my external nic, and xl1 to be my internal nic
-on machine 1, my /etc/rc.conf reads
# Interface addressing: xl0 is the outside (public) interface, xl1 the
# inside (10.20.155.0/24) interface.
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
# Forward packets between the two interfaces (net.inet.ip.forwarding).
gateway_enable="YES"
#required for ipfw support
firewall_enable="YES"
# Custom rule script; rc passes firewall_type to it as $1.
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO" #change to yes once happy with rules
firewall_logging_enable="YES"
#extra firewalling options
# log_in_vain logs connection attempts to closed ports; the two drop
# options discard SYN+FIN segments and ICMP redirects.
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
natd_program="/sbin/natd"
natd_enable="YES"
# natd_interface is also read by /etc/rc.ipfw for its divert rule, so it
# must name the same outside interface as oif there (xl0).
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
- machine 1's kernel has been recompiled with the following options
#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN
- machine 1's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim;
the only part of it i changed was
# Suck in the configuration variables.
# /etc/defaults/rc.conf provides source_rc_confs, which in turn reads
# /etc/rc.conf; the elif only runs on a system without the defaults file.
# This is where natd_interface (used by the divert rule below) comes from.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
# rc passes firewall_type as the first argument; an explicit argument
# overrides the rc.conf value. (Nothing in the rules below reads it.)
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
# Firewall program
fwcmd="/sbin/ipfw"
# Outside interface network and netmask and ip
oif="xl0"
# NOTE(review): onet ends in .1 rather than .0; ipfw applies omask to
# the onet:omask rule below so the host bits are ignored, but confirm
# this is the intended network address.
onet="129.x.x.1"
omask="255.255.255.0"
oip="129.x.x.35"
# Inside interface network and netmask and ip
iif="xl1"
inet="10.20.155.0"
imask="255.255.255.0"
iip="10.20.155.1"
# My ISP's DNS servers
dns1="129.x.x.1"
dns2="165.x.x.21"
# Flush previous rules
# NOTE(review): on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT the
# default rule denies everything, so no traffic passes between this flush
# and the pass rules added below; run this script from the console, not
# over a network login.
${fwcmd} -f flush
# Allow loopbacks, deny imposters
# Rules without an explicit number are numbered by ipfw in insertion
# order, so the order of the commands below is the order of evaluation.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
# Stop spoofing
# Packets claiming an inside source address must not arrive on the
# outside interface, and vice versa.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
# natd_interface is taken from rc.conf (sourced at the top), not from oif
# above; if it is unset the "via" clause is empty and ipfw rejects the
# rule, leaving no divert rule at all -- keep it equal to oif.
${fwcmd} add divert natd all from any to any via ${natd_interface}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169