Old 12th November 2008
neurosis
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69

Quote:
Originally Posted by J65nko
pf does network address/port translation as well as redirects. So there is no need to use natd at all.

I have a hard time understanding your problem. Can you post a simple network diagram of what you are trying to do?

BTW, adding some whitespace, e.g. hitting return once in a while, will make your posts easier to understand.

Haha! Sorry for that. It was late and I was trying to relay what I could without losing my train of thought. I was a bit frustrated too at my problem. I'll try to explain and sorry if this is a bit long winded.

The problem with my connection was DNS. I could ping but not resolve anything coming from inside of the private network. The FreeBSD box is hooked directly up to my ISP and works fine.

Today, to fix my problem, I brought a laptop home from work. It allows me to troubleshoot a lot easier than trying to send commands from my router.

Today I hooked my router up to my ISP like normal.

I put the FreeBSD box behind the router and set up ext_if to DHCP.

I set int_if to 10.1.10.1.

I rebooted the FreeBSD machine and loaded the firewall and rules for NAT (lack of rules is more like it <GRIN>).

I set my laptop up using 10.1.10.2 255.255.255.0 Gateway 10.1.10.1.

Instead of using the gateway IP for DNS, I used what my ISP sent to my router. That solved my DNS problem.

I can now traverse the internet from my laptop connected to the FreeBSD Gateway. Now I am going to add rules and will be able to test them before I set my FreeBSD firewall up in front of the router.

My goal is to have a setup like this.

Internet <-> FreeBSD Gateway <-> Linksys Router <-> Private Network

My FreeBSD Gateway will be running three jails: Mail, WWW, FTPD.
My internal network should be completely protected if I do this right and don't allow any connections in through the router. I want to limit connections in and out of each jail and also in and out of the FreeBSD Gateway itself.

I do have one question however. Is it possible to write a rule that allows all traffic to pass out through the Gateway from 10.1.10.2 but not in?

pass out quick on $ext_if from 10.1.10.2 to any flags S/SA modulate state <-- would that rule work?

That is my next step. I also need to make sure to open SSH to the Gateway before blocking anything so if I screw up I can ssh in and fix it.

Enough for now. Thanks for your help.

Last edited by neurosis; 12th November 2008 at 05:25 AM.
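The "pass out but not in" question from the post, worked through as an added example pf.conf; this is not from the post or the thread, and the interface names em0/em1 and the macro names are assumptions (the addresses 10.1.10.1/10.1.10.2 are the ones the post uses). The important caveat for the rule as quoted in the post: with pf's nat rules on FreeBSD, an outgoing packet is translated before the filter rules on $ext_if see it, so a rule that filters on $ext_if with "from 10.1.10.2" never matches because the source is already the external address. The per-host decision is therefore made on $int_if, where the packet still carries its private source; the "not in" part is simply the default block on $ext_if, since the state entries created by the pass rules already admit the replies.

```pf
# Added example pf.conf for the topology described in the post (not the poster's config).
# em0/em1 are placeholder interface names; ext_if gets its address via DHCP as in the post.
ext_if = "em0"
int_if = "em1"
lan    = "10.1.10.0/24"
laptop = "10.1.10.2"

set skip on lo0
scrub in all

# Translate every LAN host to whatever address $ext_if currently holds.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block in log all
block out log all

# Keep SSH to the gateway reachable from outside before blocking anything else,
# so a bad rule does not lock the administrator out.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Per-host policy lives on the internal interface: the source is still 10.1.10.2 here.
# UDP is included because DNS lookups from the laptop are UDP, not TCP.
pass in quick on $int_if proto tcp from $laptop to any flags S/SA modulate state
pass in quick on $int_if proto { udp icmp } from $laptop to any keep state

# On $ext_if the source has already been rewritten to ($ext_if), so the outbound
# rules match on that, not on the private address. Nothing unsolicited comes back
# in: only packets matching an existing state entry pass the "block in" above.
pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state
pass out quick on $ext_if proto { udp icmp } from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries that let the laptop's replies back in without any "pass in" rule on $ext_if for them.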