I will have to be honest and say there is no definitive reason why I use ipfw and natd instead of the built in ppp filters. From the discussions I have had with people the consensus seems to be that while ipfw is certainly more powerful and more configurable than the ppp filters, what it makes up for in functionality it loses in being easy to customize. One of the reasons I use it is because I prefer firewalling to be done at a kernel level rather than by a userland program.
6.2. I get messages like ``limit 100 reached on entry 2800'' and after that I never see more denies in my logs. Is my firewall still working?
This merely means that the maximum logging count for the rule has been reached. The rule itself is still working, but it will no longer log until such time as you reset the logging counters. You can reset the logging counters with the ipfw resetlog command. Alternatively, you may increase the log limit in your kernel configuration with the IPFIREWALL_VERBOSE_LIMIT option as described above. You may also change this limit (without recompiling your kernel and having to reboot) by using the net.inet.ip.fw.verbose_limit sysctl(8) value.
6.3. If I am using private addresses internally, such as in the 192.168.0.0 range, could I add a command like $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via tun0 to the firewall rules to prevent outside attempts to connect to internal machines?
The simple answer is no. The reason for this is that natd is doing address translation for anything being diverted through the tun0 device. As far as it is concerned incoming packets will speak only to the dynamically assigned IP address and not to the internal network. Note though that you can add a rule like $fwcmd add deny all from 192.168.0.4:255.255.0.0 to any via tun0 which would limit a host on your internal network from going out via the firewall.
6.4. There must be something wrong. I followed your instructions to the letter and now I am locked out.
This tutorial assumes that you are running userland-ppp, therefore the supplied ruleset operates on the tun0 interface, which corresponds to the first connection made with ppp(8) (a.k.a. user-ppp). Additional connections would use tun1, tun2 and so on.
You should also note that pppd(8) uses the ppp0 interface instead, so if you start the connection with pppd(8) you must substitute tun0 for ppp0. A quick way to edit the firewall rules to reflect this change is shown below. The original ruleset is backed up as fwrules_tun0.
% cd /etc/firewall /etc/firewall% su Password: /etc/firewall# mv fwrules fwrules_tun0 /etc/firewall# cat fwrules_tun0 | sed s/tun0/ppp0/g > fwrules
To know whether you are currently using ppp(8) or pppd(8) you can examine the output of ifconfig(8) once the connection is up. E.g., for a connection made with pppd(8) you would see something like this (showing only the relevant lines):
% ifconfig (skipped...) ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524 inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx netmask 0xff000000 (skipped...)
On the other hand, for a connection made with ppp(8) (user-ppp) you should see something similar to this:
% ifconfig (skipped...) ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 (skipped...) tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524 (IPv6 stuff skipped...) inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx netmask 0xffffff00 Opened by PID xxxxx (skipped...)
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the
documentation
before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |