RE: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Toni Heinonen
 I am writing to request advice/recommendations on the subject. I've
 been tasked to build a router/firewall based on FreeBSD. I'd like to use
 5.2-RELEASE.
 
 Now my only problem is that I have played a little with ipfw in a
 situation where I have just two interfaces, 1 external and 1 internal.
 My current requirement however involves one external interface and
 four (or more) internal interfaces (which should all be SEPARATE
 networks, invisible from each other).

Sure, this is possible. To tell you the truth, if you're not sure how to do it, the 
cheapest and easiest way would be to just get 4 Ethernet cards for the internal 
interfaces. However, the most dynamic way would be to get an Ethernet card that 
supports 802.1q or Cisco ISL, which are switch trunking protocols. You could then 
separate the networks into different virtual LANs in a switch connected to 
the 802.1q NIC. That NIC would then have an IP address from each of the networks.

I'm not sure how 802.1q can be configured in FreeBSD, but that shouldn't be too hard - 
the more difficult part should be configuring the switch.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
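The 802.1q side on FreeBSD is simpler than the poster expects: vlan(4) clones one interface per tag on top of the trunk NIC, and each clone then behaves like a separate card as far as ipfw's "via" matching is concerned. The script below is an added example, not code from the thread; it assumes the trunk NIC is xl1, that the switch port carries tags 10, 20, 30 and 40, and that the router owns .1 in each of four constructed /24 networks. With IFCMD unset it only prints the ifconfig commands so they can be reviewed; run it with IFCMD=ifconfig as root to apply them.

```sh
#!/bin/sh
# Added example (not from the original thread): bring up four 802.1q VLAN
# interfaces on one trunk NIC with vlan(4) on FreeBSD 5.x, so every internal
# network gets its own interface that ipfw can match with "in via vlanN".
#
# Assumptions, constructed for this example: trunk NIC xl1, switch tags
# 10/20/30/40 on that port, router address .1 in each /24.
# With IFCMD unset the commands are only printed (dry run).

ifcmd="${IFCMD:-echo ifconfig}"
trunk_if="xl1"
# "vlan-interface:802.1q-tag:router-address", one entry per internal network
vlans="vlan0:10:192.168.1.1 vlan1:20:192.168.2.1 vlan2:30:192.168.3.1 vlan3:40:192.168.4.1"
mask="255.255.255.0"

ifc() { ${ifcmd} "$@"; }

vlan_up() {
    # The trunk must be up but gets no address of its own: an address on the
    # parent would make the router accept untagged frames on the trunk and
    # give hosts a way around the per-VLAN split.
    ifc "$trunk_if" up
    for entry in $vlans; do
        vif=${entry%%:*}
        rest=${entry#*:}
        tag=${rest%%:*}
        addr=${rest#*:}
        ifc "$vif" create
        ifc "$vif" vlan "$tag" vlandev "$trunk_if"
        ifc "$vif" inet "$addr" netmask "$mask"
    done
}

# The same interfaces as rc.conf(5) lines, so the setup survives a reboot.
vlan_rc_conf() {
    names=""
    for entry in $vlans; do names="$names ${entry%%:*}"; done
    echo "cloned_interfaces=\"${names# }\""
    for entry in $vlans; do
        vif=${entry%%:*}; rest=${entry#*:}; tag=${rest%%:*}; addr=${rest#*:}
        echo "ifconfig_${vif}=\"inet ${addr} netmask ${mask} vlan ${tag} vlandev ${trunk_if}\""
    done
}

vlan_up
vlan_rc_conf
```

Once the clones exist, the firewall rules refer to vlan0 .. vlan3 instead of physical NICs, and the trunk xl1 itself should never appear in an allow rule; the rest of the ipfw work is the same as with four separate cards.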


Re: Using IPFW/NAT with multiport PCI cards

2004-03-30 Thread Wayne Pascoe
On Tue, Mar 30, 2004 at 11:06:16AM +0300, Odhiambo Washington wrote:

 Now my only problem is that I have played a little with ipfw in a
 situation where I have just two interfaces, 1 external and 1 internal.
 My current requirement however involves one external interface and
 four (or more) internal interfaces (which should all be SEPARATE
 networks, invisible from each other).

 Is this doable? (I hope someone has done this before). I would say I am
 a total newbie on this one.

Not only is it doable, it's fairly trivial if you've done a 1 in, 1 out
ipfw firewall before. You just take that idea and grow it a little.

 2. Guides/Pointers on HOWTO configure this WRT to ipfw configuration.
Any minute gotchas/clues will be highly appreciated. URL links
pointing to people's experiences also welcome.

Just set the firewall to deny by default and add your rules really...
Here's an example that would allow FTP to one network and HTTP to
another...

${fwcmd} add allow tcp from any to 192.168.1.0/24 80 tcpflags syn keep-state in via xl0
${fwcmd} add allow tcp from any to 192.168.2.0/24 21 tcpflags syn keep-state in via xl0

You can also have rules between your networks as well... This one allows
all machines on one of the protected networks to ssh to all machines in
the other network.

${fwcmd} add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 tcpflags syn keep-state in via xl1

Note the following things about this rule...

1. I've specified a source range to allow. 
2. I've used a different interface. This guarantees that this traffic
   isn't coming in via the main external interface, but that it is
   coming in on one of the protected interfaces.

Of course, everywhere I've used an entire range here, you could use a
single IP range. Combining IP addresses with via interface statements
lets you be pretty flexible :)

Hope this helps some?

-- 
Wayne Pascoe
BSD is for people who love UNIX; Linux is for
people who hate Windows 
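Putting the advice above together (deny by default, one "in via" rule set per protected interface, explicit exceptions between segments) for the poster's actual layout of one external and four internal interfaces with NAT, here is an added example that is not part of the original reply. It assumes xl0 is the external interface, xl1 .. xl4 carry the constructed networks 192.168.1.0/24 .. 192.168.4.0/24, natd is already running on xl0 and the kernel has IPFIREWALL and IPDIVERT. With FWCMD unset the script only prints the ipfw commands so the ruleset can be read before it is loaded; run it with FWCMD="ipfw -q" to load it.

```sh
#!/bin/sh
# Added example (not from the original thread): deny-by-default ipfw ruleset
# for one external interface, NAT through natd, and four internal networks
# that must stay invisible to each other.
#
# Assumptions, constructed for this example: external interface xl0, internal
# interfaces xl1..xl4 with 192.168.1.0/24..192.168.4.0/24, natd started with
# "natd -n xl0". With FWCMD unset the rules are only printed (dry run).

fwcmd="${FWCMD:-echo ipfw}"
ext_if="xl0"
# "interface:network" pairs, one per protected segment
internal="xl1:192.168.1.0/24 xl2:192.168.2.0/24 xl3:192.168.3.0/24 xl4:192.168.4.0/24"
internal_all="192.168.0.0/16"   # aggregate covering every segment above

fw() { ${fwcmd} "$@"; }

build_ruleset() {
    fw -f flush
    fw add allow ip from any to any via lo0
    fw add deny ip from any to 127.0.0.0/8
    fw add deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: an internal source address is only credible on its own
    # interface, never arriving from the outside ...
    for pair in $internal; do
        net=${pair#*:}
        fw add deny log ip from "$net" to any in via "$ext_if"
    done
    # ... and nothing but that segment's own addresses may enter from it.
    for pair in $internal; do
        iface=${pair%%:*}; net=${pair#*:}
        fw add deny log ip from not "$net" to any in via "$iface"
    done

    # Translate everything crossing the external interface, then let replies
    # to already admitted connections through.
    fw add divert natd ip from any to any via "$ext_if"
    fw add check-state

    # Inter-segment exceptions come before the isolation rule and always name
    # both the source network and the interface it must arrive on.
    fw add allow tcp from 192.168.1.0/24 to 192.168.2.0/24 22 setup keep-state in via xl1

    # Services published to the Internet (natd -redirect_port has already
    # rewritten the destination to the internal address at this point).
    fw add allow tcp from any to 192.168.1.0/24 80 setup keep-state in via "$ext_if"
    fw add allow tcp from any to 192.168.2.0/24 21 setup keep-state in via "$ext_if"

    # Each segment may still reach the router itself for management; beyond
    # that, no traffic between internal networks in either direction.
    for pair in $internal; do
        iface=${pair%%:*}; net=${pair#*:}
        fw add allow tcp from "$net" to me 22 setup keep-state in via "$iface"
    done
    fw add deny log ip from "$internal_all" to "$internal_all"

    # Each segment may open connections to the outside world.
    for pair in $internal; do
        iface=${pair%%:*}; net=${pair#*:}
        fw add allow tcp from "$net" to any setup keep-state in via "$iface"
        fw add allow udp from "$net" to any keep-state in via "$iface"
        fw add allow icmp from "$net" to any keep-state in via "$iface"
    done
    # Packets admitted on an internal interface leave after NAT; the dynamic
    # rule no longer matches once natd has rewritten the source address.
    fw add allow ip from any to any out via "$ext_if"

    fw add deny log ip from any to any
}

build_ruleset
```

Two points worth checking on a real box: "deny log" only produces output with net.inet.ip.fw.verbose=1, and the isolation rule sits after the inter-segment exceptions on purpose, so any new cross-network allow has to be added above it or it silently has no effect.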