FreeBSD Firewall/Router/Gateway questions. - bsd.freebsd.misc
#11
> I didn't even realize that it was possible to get packets out to the net
> through a gateway showing a private source address. I assumed that
> anything coming out of your internal/private network showed your
> external address and not your private internal one. In the case of using
> a router for your home network I assume that it NATs everything that
> leaves the router out in to the real world?

Well, routers are generic devices. You need routers even if your large company uses private IP addresses on their network, right? So any router can be configured to route any IP address range.

> What would be a situation
> that packets would leave a machine to the real world using a private IP
> source address?

One or more incorrectly configured routers. Normally a router on the internet will not have routes for the private IP address range. In effect, all packets received with a private IP address will be "dropped on the floor". Some routers are also configured to filter away such traffic (often to decrease load on the router). And usually you will have rules in your firewall to block outgoing packets with a private IP address. For example:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

HTH
--
Torfinn Ingolfsen, Norway
#12
Neurosis

> > Well, you could also learn natd + ipfw first and the pf later.
>
> I've been reading every single web page that I can find on PF and have
> been through about 1000 tutorials now.

Far too much reading ... You need in /etc/rc.conf

    gateway_enable="YES"

so that packets are routed between interfaces of your router. For doing natting on, say, interface fxp0 you need *one* line in /etc/pf.conf such as:

    nat on fxp0 from 192.168.1.0/24 to any -> 134.157.10.41

Here I have a private network 192.168.1.0/24 on a second interface which is natted to the "official" interface 134.157.10.41 of the machine. Finished.

By the way, I have a web server on the same machine operating in a jail at address 134.157.10.181. So that packets get redirected to that jail, only one line is sufficient:

    rdr pass inet proto tcp from any to 134.157.10.41 port = http -> 134.157.10.181 port 80

Then I have the usual firewalling stuff in pf.conf.
--
Michel TALON
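A pf.conf that puts the two replies together, as an added example (not code from either poster or from FreeBSD itself): Michel's nat and rdr lines, plus the RFC 1918 filtering Torfinn shows for ipfw, applied in both directions on the outside interface so that neither a leaked private source nor a private destination ever leaves or enters via fxp0. The addresses are the ones from Michel's post; fxp1 as the inside interface is an assumption.

```pf
# /etc/pf.conf - added example, not from the thread.
# Assumption: fxp1 is the LAN-facing interface (the posts never name it).
ext_if   = "fxp0"
int_if   = "fxp1"
ext_addr = "134.157.10.41"
lan_net  = "192.168.1.0/24"
web_jail = "134.157.10.181"

# RFC 1918 space: must never be seen as source or destination on the outside
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Translation rules run before the filter rules (old pf syntax, as in the post),
# so a LAN packet reaching the filter on $ext_if already carries $ext_addr.
nat on $ext_if from $lan_net to any -> $ext_addr
rdr pass on $ext_if inet proto tcp from any to $ext_addr port http -> $web_jail port 80

# Default deny and log what gets dropped
block log all

# pf equivalent of Torfinn's ipfw rules, both directions: after NAT, anything
# on $ext_if that still carries a private address is a routing leak or spoofing.
block in  quick on $ext_if from <rfc1918> to any
block in  quick on $ext_if from any to <rfc1918>
block out quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>

# pf matches existing state before it evaluates rules, so never create state
# for LAN traffic aimed at a private destination; the router's own LAN
# address is allowed separately.
pass in quick on $int_if from $lan_net to $int_if keep state
pass in on $int_if from $lan_net to ! <rfc1918> keep state

# Outbound from the router itself and from the jail
pass out on $ext_if from $ext_addr to any keep state
pass out on $ext_if from $web_jail to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule set.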