Configure a router on FreeBSD using IPFW

Filed in archive FreeBSD by Michael Hammer on August 26, 2006

1. Install FreeBSD.
2. Compile the kernel with additional options for an ipfw router:

3. Execute at the prompt:
# cd /usr/src/sys/i386/conf
# cp GENERIC ROUTER
# edit ROUTER

4. ---- add the following lines at the end of the file ROUTER ----------
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000
---- end of file ROUTER

5. Execute at the prompt:
# config ROUTER
# cd ../compile/ROUTER
# make depend
# make
# make install

6. ---- edit /etc/rc.conf ----------------------------------------------------
defaultrouter="86.124.80.1"
gateway_enable="YES"
hostname="router"
ifconfig_fxp0="inet 83.123.213.23 netmask 255.255.255.252"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.255.255.0"
sshd_enable="YES"
natd_enable="YES"
natd_flags=""
named_enable="YES"
natd_interface="fxp0"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/router.firewall"
firewall_logging="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
---- end of rc.conf

7. ---- edit /etc/resolv.conf ------------------------------------------------
nameserver ip_of_your_dns
---- end of resolv.conf ---------------------------------------------

8. ---- edit /etc/router.firewall----------------------------------------------
fwcmd=/sbin/ipfw
# Hand all traffic on the external interface to natd (divert port 8668)
$fwcmd add 00010 divert 8668 ip from any to any via fxp0
# Allow loopback traffic; drop loopback addresses seen anywhere else
$fwcmd add 00020 allow ip from any to any via lo0
$fwcmd add 00030 deny ip from any to 127.0.0.0/8
$fwcmd add 00040 deny ip from 127.0.0.0/8 to any

# Allow traffic from and to each permitted LAN host
$fwcmd add 50 allow ip from 10.0.0.2 to any
$fwcmd add 60 allow ip from any to 10.0.0.2

$fwcmd add 70 allow ip from 10.0.0.3 to any
$fwcmd add 80 allow ip from any to 10.0.0.3

$fwcmd add 90 allow ip from 10.0.0.4 to any
$fwcmd add 100 allow ip from any to 10.0.0.4

$fwcmd add 110 allow ip from 10.0.0.5 to any
$fwcmd add 120 allow ip from any to 10.0.0.5

# Allow traffic from and to the router itself
$fwcmd add 35000 allow ip from me to any
$fwcmd add 35001 allow ip from any to me
---- end of router.firewall--------------------------------------------

Comments:
fxp0 is the external interface; assign your public IP here.
fxp1 is the internal interface.

fxp0 and fxp1 are Intel network cards. Use your own devices here; if you have other types of cards, your NIC device will not be named fxp.
To check the names of your devices, type ifconfig or dmesg | more.

The file /etc/router.firewall is the firewall rule file; in this example I've allowed only the IPs 10.0.0.2-10.0.0.5 to use the router.
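
ipfw applies the first rule that matches, so tracing a few packets through the ruleset shows what it really permits. The following is an added example, not part of the original post: it models the rules above in Python, assumes divert simply continues at the next rule (NAT translation is not modelled), and uses constructed sample packets.

```python
import ipaddress

# "me": addresses the router owns, from the page's rc.conf (fxp0 and fxp1).
ME = {"83.123.213.23", "10.0.0.1"}

# The page's /etc/router.firewall as (number, action, src, dst, via).
RULES = [
    (10, "divert", "any", "any", "fxp0"),
    (20, "allow", "any", "any", "lo0"),
    (30, "deny", "any", "127.0.0.0/8", None),
    (40, "deny", "127.0.0.0/8", "any", None),
]
for i, host in enumerate(("10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5")):
    RULES.append((50 + 20 * i, "allow", host, "any", None))
    RULES.append((60 + 20 * i, "allow", "any", host, None))
RULES += [
    (35000, "allow", "me", "any", None),
    (35001, "allow", "any", "me", None),
    # ipfw's built-in last rule; it is "deny" because the kernel config on
    # the page does not set IPFIREWALL_DEFAULT_TO_ACCEPT.
    (65535, "deny", "any", "any", None),
]


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def verdict(src, dst, iface):
    """Return (rule number, action) of the first terminating rule that matches."""
    for num, action, rsrc, rdst, via in RULES:
        if via not in (None, iface):
            continue
        if addr_matches(rsrc, src) and addr_matches(rdst, dst):
            if action != "divert":  # assumption: natd re-injects at the next rule
                return num, action


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, interface).
    for pkt in [("10.0.0.3", "198.51.100.7", "fxp1"),
                ("10.0.0.6", "198.51.100.7", "fxp1"),
                ("203.0.113.9", "83.123.213.23", "fxp0"),
                ("127.0.0.1", "10.0.0.2", "fxp0")]:
        print(pkt, "->", verdict(*pkt))
```

The third packet shows that rule 35001 accepts any source addressed to the router itself, so the sshd, named and inetd services enabled in rc.conf are reachable on the external interface unless that rule is narrowed.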

In the file /etc/resolv.conf you must list your DNS servers, so instead of ip_of_your_dns in the example you should have the IP of your DNS server :D

After compiling the kernel, don't forget to reboot.





