FreeBSD Firewall/Router/Gateway questions. - BSD


Thread: FreeBSD Firewall/Router/Gateway questions.

  1. FreeBSD Firewall/Router/Gateway questions.

    I've been playing with this for a few days and am trying to get a good
    understanding of what I am doing before I get too far into this, to make
    sure that I don't end up with a big mess. First I'll try to explain what
    I am trying to do.

    FreeBSD Firewall/Router/Gateway

    Linksys Router

    Internal Network

    The FreeBSD box is connected to my ISP and then to my Linksys Router. I
    would like to use it as a gateway to the internet. My router takes care
    of my internal network. Getting the FreeBSD box connected to the
    internet and the internal network behind the router is simple. Where I
    am a little confused is connecting the Linksys router to the FreeBSD box
    and having it be able to make it out into the real world. I've read the
    handbook and a few different write-ups and they all seem to differ and
    don't seem to be like my setup. The write-ups I've seen leave the Linksys
    router out and use a hub with FreeBSD managing the internal network
    rather than a router. In their cases they all use ipfw combined with
    natd to get the network up and running. My confusion is, with the setup
    I'm wanting, do I need natd, since the traffic is straight through to only
    the router and not redirecting traffic to multiple IPs?

    So far all I have set up is
    ________________________________
    Freebsd box
    gateway_enable="YES"

    NIC1 = DHCP -> Internet
    NIC2 = 10.1.10.1
    ________________________________
    Linksys Router
    10.1.10.2
    gateway 10.1.10.1

    The internal network is regulated by the router and is working fine.
    I'm not sure what to set as the default gateway on the FreeBSD box, if
    anything, since the IP assigned by my ISP is not static. I will worry
    about setting up a firewall later once I understand how to get the
    router connected out through the FreeBSD box. I want to use PF for the
    firewall rather than ipfw, which is also a bit of a road block since all
    of the write-ups I find, including the one in the book, are using natd +
    ipfw.

    Sorry, and I know this is probably all very simple for people who have a
    good understanding of networking. This is just a project that I am
    working on to get a better understanding of it myself.

  2. Re: FreeBSD Firewall/Router/Gateway questions.

    usenetforall wrote:
    > Linksys Router


    Is this Linksys router a wireless router?
    If not, you can just replace it with a switch (connected to the FreeBSD
    gateway / router instead).
    The FreeBSD box can do DHCP for the internal network also.


    If the Linksys router is a wireless router, you could set it up as an
    access point instead of a router; that will save some trouble.

    > natd to get the network up and running. My confusion is, with the setup
    > I'm wanting, do I need natd, since the traffic is straight through to only
    > the router and not redirecting traffic to multiple IPs?


    Do you have multiple machines on your internal network?
    Do they have private ip addresses[1] (as opposed to public ip addresses[2])?


    > Freebsd box
    > gateway_enable="YES"
    >
    > NIC1 = DHCP -> Internet
    > NIC2 = 10.1.10.1


    I guess you are getting a public IP address from your ISP.
    The internal IP address you use is from a range of private IP addresses.
    Nothing wrong with that. But private IP addresses can't travel on the
    internet - they are not allowed to.
    As long as your internal network is using private IP addresses, you must
    have NAT[3] somewhere before the packets leave your private network.


    > router connected out through the freebsd box. I want to use PF for the
    > firewall rather than ipfw which is also a bit of a road block since all
    > of the writeups i find including the one in the book is using natd +
    > ipfw.


    I believe there are several pf tutorials around. Have you searched for the
    right thing?
    FWIW, natd + ipfw works fine for me.

    References:
    1) http://en.wikipedia.org/wiki/Private_network
    2) http://en.wikipedia.org/wiki/IP_address
    3) http://en.wikipedia.org/wiki/Network...ss_translation

    HTH
    --
    Torfinn Ingolfsen,
    Norway

  3. Re: FreeBSD Firewall/Router/Gateway questions.

    In article <4915cd3c$1@news.broadpark.no>, tingo@start.no says...
    > usenetforall wrote:
    > > Linksys Router

    >
    > Is this Linksys router a wireless router?
    > If not, you can just replace it with a switch (connected to the FreeBSD
    > gateway / router instead.
    > The FreeBSD box can do DHCP for the internal network also.
    >
    >
    > If the Linksys router is a wireless router, you could set it up as an
    > access point instead of a router, that will save som trouble.


    Yes. The Linksys is a wireless router.



    > Do you have multiple machines on your internal network?
    > Do they have private ip addresses[1] (as opposed to public ip addresses[2])?



    I do have multiple machines behind the Linksys router. Two are wireless
    and two are not. This home network of mine is mostly just a toy. Two are
    running FreeBSD and two are running Windows XP. The network behind the
    Linksys works great and hasn't been a problem.



    > I guess you are getting a public ip address from you ISP.
    > The internal ip address you use is from a range of private ip addresses.
    > Nothing wrong with that. But private ip addresses can't travel on the
    > internet - they are not allowed to.
    > As long as your internal network is using private ip addresses, you must
    > have nat[3] somewhere before the packets leave your private network.



    This is exactly right. The reason for my confusion is the area of the
    FreeBSD handbook that starts to talk about routing. I don't want to paste
    the whole thing here, but if I understand it right, I can set up a route
    that will allow traffic to pass between interfaces.
    http://www.freebsd.org/doc/en/books/...k-routing.html
    The only time I should need natd is if I want to forward ports to my
    internal network? The routing is where I am mostly confused. I have the
    reading comprehension of a three-year-old, unfortunately, so I struggle a
    bit understanding exactly what I am reading. I usually do better with
    trial and error, but this is a situation where I would like to know what I
    am doing before I mess around, as it will lock me out of the internet
    until I get it figured out.



    > I believe there are several pf tutorials around. Have searched for the
    > right thing?
    > FWIW, natd + ipfw works fine for me.


    I am very close to giving up and just going with natd + ipfw, mostly
    because there are more and better tutorials for this setup. I really
    would rather learn and use PF though. From what I understand, PF can not
    only take care of the firewall aspect of what I am trying to do, but it
    can also take care of all of the NAT tasks and then some as well. I have
    a lot of documentation on PF and plan on hitting the books soon, but I
    would like to fully understand one thing at a time, and for now I would
    just like to know that I understand what makes my network tick, including
    the routing/gateway aspect. It may come in useful to me some day. Plus
    I'm just curious and apparently like self-abuse.

    Thanks.

    > References:
    > 1) http://en.wikipedia.org/wiki/Private_network
    > 2) http://en.wikipedia.org/wiki/IP_address
    > 3) http://en.wikipedia.org/wiki/Network...ss_translation


    I'm going to check these out. Thanks again.

  4. Re: FreeBSD Firewall/Router/Gateway questions.

    Dave wrote:
    > This is exactly right. The reason for my confusion is the area of the
    > FreeBSD handbook that starts to talk about routing. I dont want to paste
    > the whole thing here but if I understand it right, I can set up a route
    > that will allow traffic to pass between interfaces.


    Yes, that is correct. However, re-read my note in the previous posting:
    packets with private ip addresses in them are not allowed to travel on
    the internet.
    This restriction is enforced by all routers on the Internet.

    > The only time I should need natd is if I want to forward ports to my
    > internal network? The routing is where I am mostly confused. I have the


    No, see above. The machines on your internal network have private IP
    addresses, so you _will_ need NAT if you are going to send any traffic
    to the Internet.
    Like browsing a web page, sending mail, and so on.

    NAT works like this: outbound packets have their source IP address
    changed so it looks like they are coming from the NAT gateway. On
    return, inbound packets are changed back, so that they will be delivered
    to the correct internal host.

    > I am very close to giving up and just going with natd + ipfw mostly
    > because there are more and better tutorials for this set up. I really
    > would rather learn and use PF though. From what I understand, PF can not


    Well, you could also learn natd + ipfw first and then pf later.
    --
    Torfinn Ingolfsen,
    Norway

  5. Re: FreeBSD Firewall/Router/Gateway questions.

    In article <4917f275@news.broadpark.no>, tingo@start.no says...
    > Dave wrote:



    > No, See above. The machines on your internal network have private ip
    > addresses, so you _will_ need nat if you are going to send any traffic
    > to the Internet.
    > Like browsing a web page, sending mail, and so on.


    > Nat works like this: outbound packets have their source ip address
    > changed so it looks like they are comning from the nat gateway. On
    > return, inbound packets are changed back, so that they will be delivered
    > to the correct internal host.


    Ok, here is a bit of a technical question about NAT, which I am starting
    to understand finally, by the way. If I ever get this to work, my
    network behind my router gets NATed at the router. Then with my setup,
    it will get NATed again when routing through the FreeBSD firewall and
    out into the real world. Will this double NATing cause problems? This
    may be a dumb question but I had to ask.



    > Well, you could also learn natd + ipfw first and the pf later.


    I've been reading every single web page that I can find on PF and have
    been through about 1000 tutorials now. OpenBSD's web site actually has
    some very good documentation and a great example on NAT using PF, and I
    think that I am beginning to understand it, although the rules are going
    to take a bit. I can use some example configs at first, until I get a
    better understanding, to just allow all traffic out and start to restrict
    what traffic comes in. I'll keep posting on here as I progress.

    My main problem now is just getting the network working. I can't seem to
    get the FreeBSD box to see the router connected to my second NIC. I can
    ping the FreeBSD box 10.1.10.1 from the router (I have the router set to
    10.1.10.2) and I can get the router to ping itself. I can also get the
    FreeBSD box to ping 10.1.10.1 but can't get a reply from 10.1.10.2. I
    think that it is a routing problem. I don't believe that I have a routing
    table set to allow the FreeBSD box to see the internal network. I'll
    have to fix this. I also haven't been able to get the router to access
    anything outside of the network, even with a wide open firewall, which
    means that I still must not understand the NAT using PF 100% yet, but I
    need to take care of one problem at a time. I'm going to take my laptop
    home today and set up my FreeBSD firewall behind the router, since I know
    that it can connect out and allows connections through, and try to get
    the laptop routed through the FreeBSD box and out into the real world.
    It's too difficult to troubleshoot using the router as the internal
    network.

  6. Re: FreeBSD Firewall/Router/Gateway questions.

    Chris Jewell wrote:
    >> This restriction is enforced by all routers on the Internet.

    >
    > Your experience certainly differs from mine. The FreeBSD firewall for


    I guess I live in a sheltered place on the Internet :-) Or perhaps
    Norwegian ISPs are more vigilant in enforcing those standards?
    I was in doubt when I wrote that sentence, but I figured writing "should
    be enforced" would confuse the OP even more.

    > I'm hoping that Mr Cerf's crystal ball is correct, and that the IPv6
    > transition will happen in 2009 or 2010,


    I wouldn't bet on it.
    Where are the how-tos and guides for running an IPv6 setup?
    Where are the how-tos for setting up and running an IPv6 firewall?

    > because IPv4 address space will have been exhausted by then.


    Oh, I guess we will manage (ok, kludge) along still.
    With the recent economic situation, where are all the devices that will
    exhaust it?
    ISPs (at least in my part of the world) are happy to sell NAT
    solutions, and have no immediate plans or even roadmaps for a transition
    to IPv6.

    > Then the rest of us can forget about NAT, leaving it to those who think that it is a substitute for
    > firewall filtering.


    Well, for my own part, nat and the division between private and public
    ip addresses are something I am used to.
    I still need that firewall how-to: how do I understand, setup and run an
    IPv6 network and firewall?
    --
    Torfinn Ingolfsen,
    Norway

  7. Re: FreeBSD Firewall/Router/Gateway questions.

    Neurosis wrote:
    > Ok, here is a bit of a technical question about NAT, which I am starting
    > to understand finally, by the way. If I ever get this to work, my
    > network behind my router gets NATed at the router. Then with my setup,
    > it will get NATed again when routing through the FreeBSD firewall and
    > out into the real world. Will this double NATing cause problems? This
    > may be a dumb question but I had to ask.


    It can cause problems. I am using a double NAT setup and it works for
    me. YMMV.
    My guess is that it depends very much on the protocols you need to pass
    through that setup.

    > My main problem now is just getting the network working. I can't seem to
    > get the FreeBSD box to see the router connected to my second NIC. I can
    > ping the FreeBSD box 10.1.10.1 from the router (I have the router set to
    > 10.1.10.2) and I can get the router to ping itself. I can also get the
    > FreeBSD box to ping 10.1.10.1 but can't get a reply from 10.1.10.2. I
    > think that it is a routing problem. I don't believe that I have a routing


    Use 'netstat -r' (or even 'netstat -rn') to check your routing tables.
    HTH
    --
    Torfinn Ingolfsen,
    Norway
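    The source rewrite described in reply 4 and the double NAT chain asked about
    in reply 7, as an added simulation (my example, not code from anyone in the
    thread). The addresses 192.168.1.10 (LAN host), 203.0.113.7 (the FreeBSD
    box's ISP-assigned address) and 198.51.100.5 (a web server) are constructed;
    10.1.10.2 is the Linksys address from the thread.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 ranges, the same three nets the ipfw rules later in the thread name.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = namedtuple("Packet", "src sport dst dport")  # just the header fields NAT touches

def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

class NatGateway:
    """One NAT box. Outbound: the source becomes the box's external address plus
    a fresh port, remembered in a state table. Inbound: that table maps the
    reply back to the internal host. This is the rewrite the thread describes."""

    def __init__(self, ext_addr: str, first_port: int = 50000):
        self.ext_addr, self.next_port = ext_addr, first_port
        self.state = {}    # external port -> original (src, sport, dst, dport)
        self.by_flow = {}  # original 4-tuple -> external port

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:  # first packet of this flow: allocate state
            self.by_flow[flow] = self.next_port
            self.state[self.next_port] = flow
            self.next_port += 1
        return Packet(self.ext_addr, self.by_flow[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Undo the translation for a reply; None means no matching state, dropped."""
        flow = self.state.get(pkt.dport)
        if pkt.dst != self.ext_addr or flow is None or (pkt.src, pkt.sport) != flow[2:]:
            return None
        return Packet(pkt.src, pkt.sport, flow[0], flow[1])

def to_internet(pkt: Packet, gateways: list, nat_on: list):
    """Carry a packet out through the gateways, innermost first. nat_on[i] False
    models a box that only routes (gateway_enable="YES" with no NAT rule)."""
    for gw, translate in zip(gateways, nat_on):
        if translate:
            pkt = gw.outbound(pkt)
    # Egress check on the last box's outside interface: a private source must
    # never reach the ISP (what the thread's ipfw "RFC1918" rules enforce).
    return None if is_private(pkt.src) else pkt

def from_internet(reply: Packet, gateways: list):
    """Carry a reply back in, outermost gateway first, undoing each translation."""
    for gw in reversed(gateways):
        reply = gw.inbound(reply)
        if reply is None:
            return None
    return reply

def make_chain() -> list:
    # Constructed topology: LAN host behind the Linksys (10.1.10.2); 203.0.113.7
    # (documentation range) stands in for the FreeBSD box's ISP-assigned address.
    return [NatGateway("10.1.10.2"), NatGateway("203.0.113.7")]

if __name__ == "__main__":
    chain = make_chain()
    req = Packet("192.168.1.10", 40000, "198.51.100.5", 80)  # LAN host -> web server
    wire = to_internet(req, chain, [True, True])
    print("double NAT, on the wire:", wire)
    print("reply delivered to:", from_internet(Packet(wire.dst, wire.dport, wire.src, wire.sport), chain))
    print("FreeBSD routing only, no NAT:", to_internet(req, chain, [True, False]))
```

    With `nat_on=[True, False]` the packet reaches the FreeBSD box's outside
    interface still carrying the Linksys's 10.1.10.2 source and is dropped, which
    is the "you _will_ need nat" point from reply 4.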

  8. Re: FreeBSD Firewall/Router/Gateway questions.

    On Tue, 11 Nov 2008 17:20:21 +0100, Torfinn Ingolfsen wrote:

    > Chris Jewell wrote:
    >>> This restriction is enforced by all routers on the Internet.

    >>
    >> Your experience certainly differs from mine. The FreeBSD firewall for

    >
    > I guess I live in a sheltered place on the Internet :-) Or perhaps
    > Norwegian ISPs are more vigilant in enforcing those standards? I was in
    > doubt when I wrote that sentence, but I figured writing "should be
    > enforced" would confuse the OP even more.


    It really does seem to depend on where in the Internet one is connected.

    >> I'm hoping that Mr Cerf's crystal ball is correct, and that the IPv6
    >> transition will happen in 2009 or 2010,

    >
    > I wouldn't bet on it.


    I'd bet against it.

    > Where are the how-tos and guides for running an IPv6 setup? Where are
    > the how-tos for setting up and running an IPv6 firewall?


    Well, you could set the ball rolling :-)

    >> because IPv4 address space will have been exhausted by then.

    >
    > Oh, I guess we will manage (ok, kludge) along still. With the recent
    > economic situation, where are all the devices that will exhaust it?
    > ISPs (at least in my part of the world) are happy to sell NAT
    > solutions, and have no immediate plans or even roadmaps for a transition
    > to IPv6.


    More importantly, where are the affordable IPv6 devices? Consumer
    routers on the end of ADSL or cable connections are the majority of
    Internet connected devices. I don't know of any that are IPv6 enabled,
    and most IPv6 hardware is still aimed at medium-large corporations.

    That said, a lot of ISPs are IPv6 enabled.

    >> Then the rest of us can forget about NAT, leaving it to those who
    >> think that it is a substitute for
    >> firewall filtering.

    >
    > Well, for my own part, nat and the division between private and public
    > ip addresses are something I am used to. I still need that firewall
    > how-to: how do I understand, setup and run an IPv6 network and firewall?


    The "people think NAT is a substitute for filtering" argument is a straw
    man. At the same time, NAT allows one to do the filtering effectively
    and simply at the gateway, whereas IPv6 seems to need it to be done at
    every endpoint.

    And how many IPv6 nameservers are available? The transition isn't going
    to happen until the infrastructure is there to support it.

  9. Re: FreeBSD Firewall/Router/Gateway questions.

    In article <7rhc6f3uyq.fsf@pileated.puffin.com>, chrisj@puffin.com
    says...
    > Torfinn Ingolfsen writes:



    > Your experience certainly differs from mine. The FreeBSD firewall for
    > my household network rejects thousands of incoming packets every day
    > with RFC1918 source addresses. This condition has persisted for a
    > decade or so, through about 6 different ISPs. IMHO the routers on the
    > Internet should block those packets, and I think I even recall a BCP
    > RFC saying that they should, but my experience is that they don't.


    I didn't even realize that it was possible to get packets out to the net
    through a gateway showing a private source address. I assumed that
    anything coming out of your internal/private network showed your
    external address and not your private internal one. In the case of using
    a router for your home network, I assume that it NATs everything that
    leaves the router out into the real world? What would be a situation
    where packets would leave a machine to the real world using a private IP
    source address?

    Sorry for the newbie networking questions.



  10. Re: FreeBSD Firewall/Router/Gateway questions.

    Mark Madsen wrote:
    > Well, you could set the ball rolling :-)


    Most likely I will not. I get a headache every time I try to think about
    how I would get myself an IPv6 setup.

    > More importantly, where are the affordable IPv6 devices? Consumer
    > routers on the end of ADSL or cable connections are the majority of
    > Internet connected devices. I don't know of any that are IPv6 enabled,


    Agreed.

    > That said, a lot of ISPs are IPv6 enabled.


    Well, not so here in Norway - the computer / IT press have checked.

    > The "people think NAT is a substitute for filtering" argument is a straw
    > man. At the same time, NAT allows one to do the filtering effectively
    > and simply at the gateway, whereas IPv6 seems to need it to be done at
    > every endpoint.


    A firewall on every machine? Instead of one firewall that separates "my"
    network from the Internet? I guess that way of thinking will scare away
    a few people.


    > And how many IPv6 nameservers are available? The transition isn't going
    > to happen until the infrastructure is there to support it.


    Well, many root name servers are ready, but does that help at all?
    At least 9 of the 13 root servers[1] are IPv6 enabled, if we are to
    believe Wikipedia.

    References:
    1) http://en.wikipedia.org/wiki/Root_nameserver
    --
    Torfinn Ingolfsen,
    Norway

  11. Re: FreeBSD Firewall/Router/Gateway questions.

    neurosis wrote:
    > I didn't even realize that it was possible to get packets out to the net
    > through a gateway showing a private source address. I assumed that
    > anything coming out of your internal/private network showed your
    > external address and not your private internal one. In the case of using
    > a router for your home network, I assume that it NATs everything that
    > leaves the router out into the real world?


    Well, routers are generic devices. You need routers even if your large
    company uses private IP addresses on its network, right?
    So any router can be configured to route any IP address range.

    > What would be a situation
    > where packets would leave a machine to the real world using a private IP
    > source address?


    One or more incorrectly configured routers.
    Normally a router on the internet will not have routes for the private
    IP address ranges.
    In effect, all packets received with a private IP address will be
    "dropped on the floor".
    Some routers are also configured to filter away such traffic (often to
    decrease load on the router).

    And usually you will have rules in your firewall to block outgoing
    packets with a private IP address. For example (ipfw syntax, as in
    rc.firewall, where ${oif} is the outside interface):
    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}


    HTH
    --
    Torfinn Ingolfsen,
    Norway
