bumbler
December 8th, 2004, 15:33
FreeBSD box uses external modem on /dev/cuaa0 to connect. Got a switch on fxp0, and the XP box is connected to that. I have enabled ppp -nat with the proper lines from the Handbook. Alright, I got the machines to communicate. Now I can't seem to give the XP client permission to pass through my firewall. I simply copied the model firewall provided by the articles for Dialup Firewall in the system docs. Here are the rules:


00100 check-state
00200 deny ip from any to any in via tun0 not verrevpath
00300 allow ip from me to any out via tun0 keep-state
00400 deny tcp from any to any established in via tun0
00500 allow ip from any to any via fxp0
00600 allow ip from any to any via lo0
00700 deny ip from any to 127.0.0.0/8
00800 deny ip from 127.0.0.0/8 to any
00900 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
01000 deny log ip from any to any


I still see my firewall blocking the IP of the XP box (192.168.1.2). That's supposed to be handled by rule 00500, right? On top of that, there are some confusing connection attempts from the XP box, which is seen by the firewall as having changed to the dynamic IP assigned by my ISP, and it blocks that. I have no problem surfing the Net from my machine, but I can't get traffic for the XP client.

Any ideas how I can adjust this to work?

Bumbler

bsdjunkie
December 8th, 2004, 16:11
Is NAT setup and enabled on the machine? Looks like the following must be in /etc/rc.d as well:

natd_enable="YES" # Enable NATD function
natd_interface="rl0" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possible

bumbler
December 8th, 2004, 16:49
No, I am using "ppp -nat" with nat setup in ppp.conf. I'm trying to avoid running a full-blown natd config for now. That's much more complicated. If I can't conquer this -- presumably much simpler -- I'm sure I'll screw up natd.

bsdjunkie
December 8th, 2004, 17:02
Truthfully, I think trying to do NAT in ppp is making it more difficult =) Not sure where to point you on this one. Have you thought of using pf on FreeBSD instead of ipfw? I'm pretty sure that would be more straightforward.

bumbler
December 8th, 2004, 18:41
Well, I don't even understand ipfw. I got my firewall pretty much verbatim from the installed documentation. The problem is I have little idea what it is that most machines have to say to each other, and how they say it. I have a vague idea what to block and not block, but little idea why. Telling me I need to learn yet another firewall utility is pretty pointless, when I really don't know the first one. Are you suggesting pf is easier for the clueless to grasp?

For now, it's a moot point. While my firewall continues to block all traffic from the XP box, I noticed unexpected traffic from her machine to port 80 on numerous IPs, but the sending IP was different even coming over the fxp0 interface. Whatever process is doing this is using the IP supplied to me temporarily by my ISP. All the expected traffic is coming from the IP I assigned to the XP box. Looks like a virus to me, so I'll be scanning for a while....

Bumbler
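The two posts above are both reading rule 01000's "deny log" output by eye and trying to tell apart drops of the XP box's own address from drops carrying the ISP-assigned address. As an added example (not code from the thread or from FreeBSD), here is a small Python script that parses ipfw syslog "Deny" lines, as ipfw(8) writes them for rules carrying the log keyword, and groups the drops by which interface saw the packet and whether the source is a LAN address. The log lines, the LAN network 192.168.1.0/24, the interface names fxp0/tun0, the host name "gw" and the public address 66.1.2.3 are all constructed for the example. The log line format assumed is `ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>`, with an optional syslog prefix in front.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Body of an ipfw log line (assumed ipfw(8) syslog format). ICMP lines carry
# "ICMP:<type>.<code>" as the protocol and no port numbers, so ports are optional.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[\w:.]+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\w+)"
)

# Constructed sample log: drops from rule 01000 in the poster's rule set.
# "gw" and 66.1.2.3 (the ISP-assigned address) are invented for the example.
SAMPLE_LOG = """\
Dec  8 15:20:01 gw kernel: ipfw: 1000 Deny TCP 192.168.1.2:1045 64.233.161.99:80 out via tun0
Dec  8 15:20:05 gw kernel: ipfw: 1000 Deny TCP 192.168.1.2:1046 64.233.161.99:80 out via tun0
Dec  8 15:20:07 gw kernel: ipfw: 1000 Deny UDP 192.168.1.2:1027 204.152.184.72:53 out via tun0
Dec  8 15:21:00 gw kernel: ipfw: 1000 Deny TCP 10.20.30.40:3321 66.1.2.3:135 in via tun0
Dec  8 15:21:04 gw kernel: ipfw: 1000 Deny ICMP:5.1 10.20.30.40 66.1.2.3 in via tun0
Dec  8 15:21:09 gw kernel: ppp[123]: tun0: this line is not from ipfw and is skipped
"""


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    e["sport"] = int(e["sport"]) if e["sport"] else None
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def classify(entry, lan_net, lan_if, wan_if):
    """Label a dropped packet by the interface it was seen on and its source address."""
    src_is_lan = ipaddress.ip_address(entry["src"]) in lan_net
    if src_is_lan and entry["iface"] == wan_if:
        # A private source address seen on the link interface: the packet was
        # not translated at the point ipfw looked at it.
        return "lan-address-on-" + wan_if
    if src_is_lan and entry["iface"] == lan_if:
        return "lan-address-on-" + lan_if
    if entry["iface"] == wan_if and entry["dir"] == "in":
        return "inbound-from-internet"
    return "other"


def summarize(lines, lan_net="192.168.1.0/24", lan_if="fxp0", wan_if="tun0"):
    """Count denied packets per category and per (protocol, destination port)."""
    net = ipaddress.ip_network(lan_net)
    categories = Counter()
    dports = defaultdict(Counter)
    skipped = 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            skipped += 1
            continue
        if e["action"].lower() != "deny":
            continue
        cat = classify(e, net, lan_if, wan_if)
        categories[cat] += 1
        if e["dport"] is not None:
            dports[cat][(e["proto"], e["dport"])] += 1
    return {
        "categories": dict(categories),
        "dports": {k: dict(v) for k, v in dports.items()},
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for cat, n in sorted(report["categories"].items()):
        print(f"{cat}: {n} dropped")
        for (proto, port), cnt in sorted(report["dports"].get(cat, {}).items()):
            print(f"    {proto} dport {port}: {cnt}")
    print(f"non-ipfw lines skipped: {report['skipped']}")
```

Run it against `/var/log/security` (where the stock syslog.conf sends ipfw messages) with `summarize(open(path))`. The reason the "lan-address-on-tun0" bucket is worth separating out: ppp -nat does its translation inside the ppp process, after the kernel has already routed the packet across tun0, so ipfw sees the untranslated 192.168.1.x source on tun0 while the packets that actually leave the modem carry the ISP-assigned address. Grouping by destination port under each bucket also makes a burst of port-80 connections from one source stand out from ordinary browsing.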