Using IPFW/NAT with multiport PCI cards
Dear Ladies and Gentlemen,

I am writing to request advice/recommendations on the subject. I've been tasked to build a router/firewall based on FreeBSD. I'd like to use 5.2-RELEASE.

Now my only problem is that I have played a little with ipfw in a situation where I have just two interfaces, 1 external and 1 internal. My current requirement however involves one external interface and four (or more) internal interfaces (which should all be SEPARATE networks, invisible from each other). Is this doable? (I hope someone has done this before.) I would say I am a total newbie on this one.

I am looking for recommendations on the following aspects:

1. Known compatible quad port PCI ethernet cards. The cost is a factor, but perhaps may not be very important as compared to functionality/stability.

2. Guides/Pointers on HOWTO configure this WRT ipfw configuration. Any minute gotchas/clues will be highly appreciated. URL links pointing to people's experiences also welcome.

Thanking you in advance.

-Wash
http://www.netmeister.org/news/learn2quote.html

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Anyone who uses the phrase "easy as taking candy from a baby" has never tried taking candy from a baby. -- Robin Hood

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Using IPFW/NAT with multiport PCI cards
> I am writing to request advice/recommendations on the subject. I've been tasked to build a router/firewall based on FreeBSD. I'd like to use 5.2-RELEASE. Now my only problem is that I have played a little with ipfw in a situation where I have just two interfaces, 1 external and 1 internal. My current requirement however involves one external interface and four (or more) internal interfaces (which should all be SEPARATE networks, invisible from each other).

Sure, this is possible. To tell you the truth, if you're not sure how to do it, the cheapest and easiest way would be to just get 4 ethernet cards for the internal interfaces.

However, the most dynamic way would be to get an ethernet card that supports 802.1q or Cisco ISL, which are switch trunking protocols. You could then separate the networks into different virtual LANs in a switch that was connected to the 802.1q NIC. That NIC would then have an IP address from each of the networks.

I'm not sure how 802.1q can be configured in FreeBSD, but that shouldn't be too hard - the more difficult part should be configuring the switch.
Re: Using IPFW/NAT with multiport PCI cards
On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

> Now my only problem is that I have played a little with ipfw in a situation where I have just two interfaces, 1 external and 1 internal. My current requirement however involves one external interface and four (or more) internal interfaces (which should all be SEPARATE networks, invisible from each other). Is this doable? (I hope someone has done this before.) I would say I am a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out ipfw firewall before. You just take that idea and grow it a little.

> 2. Guides/Pointers on HOWTO configure this WRT ipfw configuration. Any minute gotchas/clues will be highly appreciated. URL links pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really... Here's an example that would allow FTP to one network and HTTP to another...

    ${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
    ${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows all machines on one of the protected networks to ssh to all machines in the other network.

    ${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow.

2. I've used a different interface. This guarantees that this traffic isn't coming in via the main external interface, but that it is coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a single IP address. Combining IP addresses with via interface statements lets you be pretty flexible :)

Hope this helps some?

--
Wayne Pascoe
BSD is for people who love UNIX; Linux is for people who hate Windows
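The reply above shows individual rules; what it does not show is how the "deny by default" skeleton, NAT on the external interface, and the "internal networks invisible from each other" requirement fit together in one ruleset. The following rc.firewall-style script is an added example, not code from either poster. It assumes the external interface is xl0, that a quad-port card shows up as xl1 through xl4, that each internal interface carries one RFC 1918 /24, and that natd is running with the IPDIVERT kernel option; all of these names and addresses are assumptions. The generator takes the firewall command as its argument, so running it with "echo ipfw" prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example ruleset generator: one external interface, several isolated
# internal interfaces, deny by default. Interface names, networks and the natd
# setup below are assumptions for illustration, not taken from the thread.

ext_if="xl0"                          # assumed external interface
int_ifs="xl1 xl2 xl3 xl4"             # assumed internal interfaces (quad-port card)
# One network per internal interface, in the same order as int_ifs (assumed)
int_nets="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"

# gen_rules FWCMD: emit the ruleset through FWCMD.
#   gen_rules ipfw         -> load the rules on a real box
#   gen_rules "echo ipfw"  -> dry run, print what would be loaded
gen_rules() {
    fwcmd="$1"
    $fwcmd -f flush
    $fwcmd add allow ip from any to any via lo0
    # Loopback addresses never belong on a physical interface
    $fwcmd add deny ip from any to 127.0.0.0/8
    $fwcmd add deny ip from 127.0.0.0/8 to any
    # NAT: hand every packet crossing the external interface to natd
    $fwcmd add divert natd ip from any to any via $ext_if
    # Packets belonging to sessions opened by a keep-state rule pass here
    $fwcmd add check-state

    # Explicit cross-network exceptions go BEFORE the isolation denies, e.g.
    # ssh from the first network into the second, restricted to its own interface
    $fwcmd add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 setup keep-state in via xl1

    # Isolation: no forwarding between any two internal networks
    for src in $int_nets; do
        for dst in $int_nets; do
            [ "$src" = "$dst" ] && continue
            $fwcmd add deny ip from $src to $dst
        done
    done

    # Each internal network may open outbound TCP sessions and DNS lookups,
    # but only when the packet arrives on that network's own interface
    set -- $int_nets
    for ifn in $int_ifs; do
        net="$1"; shift
        $fwcmd add allow tcp from $net to any setup keep-state in via $ifn
        $fwcmd add allow udp from $net to any 53 keep-state in via $ifn
    done

    # Services published from outside, one per network as in the reply above
    $fwcmd add allow tcp from any to 192.168.1.0/24 80 setup keep-state in via $ext_if
    $fwcmd add allow tcp from any to 192.168.2.0/24 21 setup keep-state in via $ext_if

    # Everything not matched above is dropped
    $fwcmd add deny ip from any to any
}

# Dry run unless a firewall command is given:  sh rules.sh ipfw
gen_rules "${1:-echo ipfw}"
```

The order matters: the divert rule must precede check-state so that replies from the Internet are translated back before the dynamic rule table is consulted, and any allowed exception between internal networks must precede the isolation loop, because ipfw stops at the first matching rule. The "in via" qualifier on every internal allow rule is what the reply's second note is about: a packet claiming a 192.168.1.0/24 source that arrives on xl2 or on the external interface matches nothing and falls through to the final deny.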