Saturday, May 22, 2004

Setting up IPNAT for a Gateway Machine

Since my computer will be home for the summer, I know my "pops" will need to use his computer and get on the net. I use FreeBSD and he uses Win2k. We have one internet connection, and I need to access my box when I am away from home.

This is my first attempt to actually implement NAT. I read the Securing BSD 4.6 doc when I first installed 4.9, so I will refer to it while I set up this box to do my Network Address Translation.

I have a Linksys, EtherFast 10/100 Auto-Sensing 5-Port hub at my disposal to connect the other machines to the net.

The document I used to set up my FBSD box was written by Marty Schlacter, entitled "How to Build a FreeBSD-STABLE Firewall with IPFILTER". I found this document very helpful for getting started with a new install and securing my boxen.

Skipping right to #11 of the documentation listed above, titled: Create your IPFILTER and IPNAT rulesets

In this case tl0 is my outside interface, connected to my ISP, and fxp0 will be my inside interface, which will connect to the hub and provide access to the rest of the machines.

My ipf.rules are as follows:
-----------------------------
#################################################################
# Outside Interface |tl0| Compaq Netelligent 10/100
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on tl0 proto tcp from any to any port = 25 keep state
# pass out quick on tl0 proto tcp from any to any port = 110 keep state
# pass out quick on tl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on tl0 proto tcp from any to any keep state
pass out quick on tl0 proto udp from any to any keep state
pass out quick on tl0 proto icmp from any to any keep state
block out quick on tl0 all

# -----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
# -----------------------------------------------------------------------
block in log quick on tl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on tl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in log quick on tl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on tl0 from 127.0.0.0/8 to any #loopback
block in log quick on tl0 from 0.0.0.0/8 to any #"this" network (RFC 1122), never a valid source
block in log quick on tl0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on tl0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on tl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on tl0 from 224.0.0.0/3 to any #Class D & E multicast


#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
# NOTE: a source of 0.0.0.0/32 only matches packets from a client that has
# no address yet, never a server's reply; put the ISP's DHCP server
# address here.
#----------------------------------------------------------------
pass in quick on tl0 proto udp from 0.0.0.0/32 to any port = 68 keep state
#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
pass in quick on tl0 proto tcp from any to any port = 2121 flags S keep state keep frags
pass in quick on tl0 proto tcp from any to any port = 2222 flags S keep state keep frags
pass in quick on tl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on tl0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on tl0 proto tcp from any to any port = 1977 flags S keep state keep frags
# pass in quick on tl0 proto tcp from X.X.X.X/32 to any port = 22 flags S keep state keep frags

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on tl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tl0 proto udp from any to any
block in log quick on tl0 all


#################################################################
# Inside Interface |fxp0| Intel EtherExpress 10/100
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
block out quick on fxp0 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on fxp0 proto tcp from any to any keep state
pass in quick on fxp0 proto udp from any to any keep state
pass in quick on fxp0 proto icmp from any to any keep state
block in quick on fxp0 all


#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
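Before loading a ruleset like this it is worth having a quick way to answer two questions: which ports does the outside interface accept from anywhere, and are the bogon blocks all present? The following POSIX sh/awk script is an added example, not part of the post or of Schlacter's document. It runs over a small constructed ruleset embedded in the script (SAMPLE_RULES), but both functions read any ipf.rules on standard input.

```shell
#!/bin/sh
# Added example: audit an ipf.rules file.  SAMPLE_RULES is a constructed
# excerpt in the same syntax as the ruleset above, not the real file.
SAMPLE_RULES='pass out quick on tl0 proto tcp from any to any keep state
block in log quick on tl0 from 10.0.0.0/8 to any #RFC 1918 private IP
pass in quick on tl0 proto udp from 0.0.0.0/32 to any port = 68 keep state
pass in quick on tl0 proto tcp from any to any port = 2222 flags S keep state keep frags
# pass in quick on tl0 proto tcp from X.X.X.X/32 to any port = 22 flags S keep state keep frags
pass in quick on tl0 proto tcp from 203.0.113.5/32 to any port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to any keep state
block return-rst in log quick on tl0 proto tcp from any to any'

# exposed_ports IFACE: read an ipf ruleset on stdin and print "proto port"
# for every active "pass in" rule on IFACE whose source is "any", i.e. the
# services reachable from the whole Internet.  A port of "any" means the
# rule passes every port of that protocol.
exposed_ports() {
    awk -v ifc="$1" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "pass" && $2 == "in" {
            on = 0; proto = "any"; port = "any"; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on" && $(i+1) == ifc) on = 1
                if ($i == "proto")               proto = $(i+1)
                if ($i == "from")                src = $(i+1)
                # destination port: "to <addr> port = N"
                if ($i == "to" && $(i+2) == "port" && $(i+3) == "=") port = $(i+4)
            }
            if (on && src == "any") print proto, port
        }'
}

# missing_bogon_blocks IFACE: print each reserved/private source range that
# has no "block in ... on IFACE from RANGE" rule.  The list here is the
# RFC 1918 space plus loopback; extend it to match the full ruleset above.
missing_bogon_blocks() {
    awk -v ifc="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "block" && ($2 == "in" || $3 == "in") {   # also "block return-rst in"
            on = 0; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on" && $(i+1) == ifc) on = 1
                if ($i == "from")                src = $(i+1)
            }
            if (on) seen[src] = 1
        }
        END {
            n = split("10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8", want, " ")
            for (j = 1; j <= n; j++) if (!(want[j] in seen)) print want[j]
        }'
}

# Usage on the sample (for the real file: exposed_ports tl0 < /etc/ipf.rules)
printf '%s\n' "$SAMPLE_RULES" | exposed_ports tl0
printf '%s\n' "$SAMPLE_RULES" | missing_bogon_blocks tl0
```

On the sample the first check reports only `tcp 2222` for tl0 (the DHCP rule and the rule restricted to one source address do not count), and the second lists the three ranges the sample forgot to block. Run against the real ruleset above, the first check is the list of services you are deliberately exposing; anything you do not recognise there is worth a second look.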

ipnat.rules lets the machines on the inside network reach the internet by mapping the inside network's addresses to the address of the outside interface tl0.
---------------------------------------------------------------------
# --------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (tl0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
# --------------------------------------------------------------------
map tl0 192.168.1.0/24 -> 0/32

# --------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (tl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#
# --------------------------------------------------------------------
# rdr tl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
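As an added example (not from the post or from Schlacter's document), here is how the two files fit together once more than one inside machine shares the connection and one of them must be reachable from outside. The map rule gets a portmap range so that two inside hosts using the same source port do not collide on tl0's single address, a second map covers protocols other than TCP/UDP, and the rdr forwards the externally opened port 2222 to an inside host. The inside host 192.168.1.50 and the port range are assumptions chosen for illustration.

```conf
# /etc/ipnat.rules  (added example, not the post's file)
# Rewrite TCP/UDP from the inside LAN to tl0's current address, taking the
# source port from 40000-60000 so that several inside hosts can share the
# one address without source-port collisions.
map tl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
# Everything that is not TCP/UDP (ICMP, for example) still needs a map.
map tl0 192.168.1.0/24 -> 0/32

# Send connections arriving on tl0 port 2222 to the SSH port of the assumed
# inside host 192.168.1.50.
rdr tl0 0.0.0.0/0 port 2222 -> 192.168.1.50 port 22 tcp

# /etc/ipf.rules addition that goes with the rdr above.  Inbound packets are
# translated by ipnat before ipf sees them, so the filter rule matches the
# translated destination (the inside host and port 22), not port 2222.
pass in quick on tl0 proto tcp from any to 192.168.1.50 port = 22 flags S keep state keep frags
```

Reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; `ipnat -l` lists the active mappings so you can confirm the portmap range is being used.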


Changes made to /etc/rc.conf:
----------------------------------
################## Basic Network Configuration File ##################

################## Inside Lan Network Configuration #############
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
# defaultrouter="192.168.203.1"
# hostname="fxp0.inside-interface.com"
################## Inside Lan Network Configuration #############

# This makes sure that my inside interface fxp0 is recognized as a
# network interface
# network_interfaces="fxp0 tl0 lo0"
ifconfig_tl0="DHCP"
hostname="arwuah.no-ip.com"
ntpdate_flags="clock.linuxshell.net"
ntpdate_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
sshd_enable="YES"
sshd_flags="-4"
# Required for a NAT gateway: turns on IP forwarding between fxp0 and tl0
# (net.inet.ip.forwarding=1); without it the box does not route for the
# inside LAN and ipnat has nothing to translate.
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
icmp_drop_redirects="YES"
################## Basic System Configuration ##################
font8x8="/usr/share/syscons/fonts/iso07-8x8.fnt"
allscreens_flags="132x43"
keymap="us.pc-ctrl"
keyrate="fast"
kern_securelevel_enable="NO"
linux_enable="YES"
mousechar_start="3"
saver="fire"
scrnmap="NO"
usbd_enable="YES"
update_motd="NO"

moused_enable="NO"
moused_flags="-z 4 5"
moused_port="/dev/psm0"
moused_type="auto"

syslogd_flags="-ss"

##############################################################
### Mail Transfer Agent (MTA) options ######################
##############################################################
mta_start_script="/etc/rc.sendmail"
sendmail_enable="YES" # Run the sendmail inbound daemon (YES/NO/NONE).
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO).
sendmail_outbound_flags="-L sm-queue -q30m" # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m" # Flags for sendmail_msp_queue daemon.

# Enable named
named_enable="YES"


Changes made to /etc/sysctl.conf:
----------------------------------
# $FreeBSD: src/etc/sysctl.conf,v 1.1.2.3 2002/04/15 00:44:13 dougb Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Allow normal users to mount filesystems
vfs.usermount=1

# Disallow the viewing of other users processes
kern.ps_showallprocs=0

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# NOTE: sysctl.conf is not a shell script, so the backquotes below are not
# expanded; bridge_cfg needs a literal comma-separated interface list.  Do
# not list tl0 together with fxp0: Ethernet bridging carries frames past
# IPNAT and ipf (which work at the IP layer) and would put the inside LAN
# directly on the ISP's segment.
net.link.ether.bridge=1
net.link.ether.bridge_cfg="`ifconfig -l`"

# For vmware
kern.ipc.shm_allow_removed=1

Ok, now I need to set up a DHCP server in case more computers get added to the internal network. This way, if someone plugs an ethernet cable into the hub, they should automatically get an ip-addy.

I went over to bsdvault.net and found a short little article, "Setting up a DHCP Server on FreeBSD 4.2.".

All I did was head over to /usr/ports/net/isc-dhcp3-server and ran the following commands:

$> make && make install

The current version as of this writing is: 3.0.1.r12
After installing I copied /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf and changed it to my liking.

The following were also added to /etc/rc.conf:
-----------------------------------------------
dhcpd_enable="YES"
dhcpd_flags="" # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file
dhcpd_ifaces="fxp0"

To allow dhcpd log messages to be sent to a different file I added the following to /etc/syslog.conf:
-----------------------------------------------------------------------
local7.* /var/log/dhcpd_logs
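The post does not show the dhcpd.conf that came out of editing the sample, so here is one that fits the network configured above (192.168.1.0/24 behind fxp0 at 192.168.1.1). It is an added example, not the author's file; the pool range, the lease times and the choice of the gateway's own named as the LAN resolver are assumptions. The log-facility line is what makes the syslog.conf entry above receive anything: dhcpd logs to the daemon facility unless told otherwise.

```conf
# /usr/local/etc/dhcpd.conf  (added example for the LAN above; pool range,
# lease times and name-server entry are assumptions)
authoritative;                  # the only DHCP server on fxp0
ddns-update-style none;         # dhcpd 3.x insists on a setting; no dynamic DNS

# Log through syslog facility local7 so the "local7.*" line in
# /etc/syslog.conf catches dhcpd's messages.
log-facility local7;

default-lease-time 86400;       # one day
max-lease-time 604800;          # one week

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;       # leave .1-.99 for fixed addresses
    option routers 192.168.1.1;              # fxp0's address from rc.conf
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 192.168.1.1;  # assumes named on the gateway serves the LAN
}
```

syslogd on FreeBSD does not create log files itself, so `touch /var/log/dhcpd_logs` and send syslogd a HUP after editing syslog.conf, or the local7 messages are dropped with an error rather than written.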
