BSD DevCenter


Sharing Internet Connections

by Dru Lavigne

My previous article demonstrated how even novice BSD users can quickly create a working firewall to protect their own systems. Today I want to start with that base firewall and explore how to fine-tune rules, configure NAT so other PCs can share an Internet connection, and review firewall logs.

Adding Rules

The rulebase created in the last article allows your computer to access the internet, and allows fwbuilder to use SSH on the localhost to install firewall policies. This means you should be able to do most internet-related activities including web browsing, sending email, using pkg_add to install software, using cvsup and portupgrade to keep your software up-to-date, and using most of the common internet applications such as Gaim for chat, Skype for free telephone calls, XMMS to listen to music, and RSS feeders to keep abreast of the latest news.

Occasionally, you'll run across an application your firewall blocks. The reason is usually that the remote side of the application needs to open a connection to your machine in order to send you packets. Some internet games do this; a Google search should tell you which ports you need to open on your firewall. Simply make a TCP or UDP object which contains the required port(s) and insert a rule that allows that service from any source.

Some other services, besides internet games, may not work as you expect. As an example, I use /usr/ports/mail/fetchmail to download email from my ISP's POP3 server. After installing my firewall, I was surprised to discover that I could send email but not receive it. fetchmail had no problem connecting to the ISP to download the email; the problem was that fetchmail expected to contact sendmail before it delivered that email into my inbox. The problem disappeared after I installed that package and added this rule:

Source  Destination  Service  Action  Options  Comment
Any     test:lo0:ip  smtp     Accept           used by fetchmail

I created that smtp object by starting fwbuilder, right-clicking the TCP object in the Services tree, and choosing New TCP Service from the menu. I gave it the name smtp and a Destination Port Range Start of 25. Notice that the destination is the loopback address, which only local mail delivery uses. Even if you don't use fetchmail, you should still add this rule so that your periodic scripts can successfully send mail to the superuser account.

You may be surprised to learn that ping won't work until you add another firewall rule. This is because ping uses two types of ICMP packets: one goes out from your machine (an echo request), but you'll never know your request made it to the destination unless your firewall allows an echo reply packet to come in. The current firewall rules only allow your packets to go out.

To fix this, start by creating two ICMP objects. Right-click ICMP and select New ICMP Service from the menu. Name the first object Echo Request, and enter an ICMP Type of 8 and an ICMP Code of 0. When you make the second ICMP object, name it Echo Reply and enter an ICMP type of 0 and an ICMP Code of 0.

Note: if you're curious, the types and codes for ICMP packets are available from the IANA.

Next, decide if you just want the firewall to be able to ping out or if you also wish to allow others to ping your firewall. This rule will allow all pings:

Source  Destination  Service       Action  Options  Comment
Any     Any          echo request  Accept           Allow all pings
                     echo reply

Note: technically, you don't need to add the echo request service, as the existing firewall rules already allow your outbound packets. I've included it because it makes more sense to me when I view the rule.

If you want to be more restrictive and only allow your firewall to ping out and not allow others to ping your firewall, modify the rule so it looks like:

Source    Destination  Service       Action  Options  Comment
Any       firewall     echo reply    Accept           Allow sites I've pinged to reply back

Again, you don't have to allow your echo requests out, as they already fall under the rule that allows you to access the internet. It is up to you whether to include that service in this rule.
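To see why ping and fetchmail each needed a rule of their own, here is a small first-match model of the policy built so far (the restrictive ping variant). This is an added example, not code from the article or from fwbuilder; the firewall's external address, the remote addresses and the packet shapes are constructed for illustration.

```python
# Added example: a first-match model of this article's rules, not fwbuilder code.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

FW_EXT = "198.51.100.7"   # constructed: address of the ISP-facing NIC
LOOPBACK = "127.0.0.1"    # the test:lo0:ip destination from the smtp rule
ANY = None                # source/destination wildcard


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    port: Optional[int] = None          # TCP/UDP destination port
    icmp: Optional[Tuple[int, int]] = None  # (ICMP type, ICMP code)


@dataclass(frozen=True)
class Rule:
    src: Optional[str]
    dst: Optional[str]
    service: Callable[[Packet], bool]   # the "Service" column
    action: str
    comment: str


# Service objects as built in the fwbuilder tree.
def smtp(p: Packet) -> bool: return p.proto == "tcp" and p.port == 25
def echo_request(p: Packet) -> bool: return p.proto == "icmp" and p.icmp == (8, 0)
def echo_reply(p: Packet) -> bool: return p.proto == "icmp" and p.icmp == (0, 0)
def any_service(p: Packet) -> bool: return True

RESTRICTIVE = [
    Rule(FW_EXT, ANY, any_service, "Accept", "firewall may access the internet"),
    Rule(ANY, LOOPBACK, smtp, "Accept", "used by fetchmail"),
    Rule(ANY, FW_EXT, echo_reply, "Accept", "allow sites I've pinged to reply back"),
]
# The permissive variant from the first ping table: anyone may ping the firewall.
ALLOW_ALL_PINGS = RESTRICTIVE[:2] + [
    Rule(ANY, ANY, lambda p: echo_request(p) or echo_reply(p), "Accept", "allow all pings"),
]


def evaluate(pkt: Packet, policy=RESTRICTIVE) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in policy:
        if rule.src in (ANY, pkt.src) and rule.dst in (ANY, pkt.dst) and rule.service(pkt):
            return rule.action
    return "Deny"
```

Run `evaluate()` on an inbound echo reply versus an inbound echo request to see the two ping tables differ only for requests aimed at the firewall; an SMTP connection to the external address stays denied while the same service to lo0 is accepted.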

Preparing Your Computers to Share an Internet Connection

Before creating the rules you need within fwbuilder to share your internet connection, make sure that your network is properly set up. The computer running fwbuilder needs to have a NIC, which it uses to communicate with the other computers in your home network. This NIC is separate from the hardware you use to communicate with your ISP; that might also be a NIC (in the case of a cable or DSL connection) or it might be a modem (in the case of a dial-up PPP connection). Make sure the NIC you use to communicate with your other computers is plugged into the same hub or switch as your other computers.

You also need to decide on an addressing scheme to use on your home computers. The easiest method is to choose addresses from one of the private address ranges. These addresses always start with 10., with 172.16. through 172.31., or with 192.168.

In my example, a FreeBSD system running fwbuilder will share its internet connection with a Windows XP system. I've assigned the address to the FreeBSD system and to the XP system. Starting on the XP system:

  • From Control Panel, select Network Connections (depending upon your view, Network Connections might be inside Network and Internet Connections)
  • Double-click the icon that represents the NIC, then click Properties
  • Double-click Internet Protocol TCP/IP
  • Click the button for Use the Following IP Address, and input for the address, for the mask, and for the gateway
  • Under preferred DNS server, enter the first address found in /etc/resolv.conf on the FreeBSD system, then keep clicking OK until you exit this utility

On the FreeBSD system, become the superuser and type ifconfig to determine the name of the NIC you will use to communicate with the XP system. If you have multiple NICs and are currently connected to the internet, choose the NIC that currently doesn't have an IP address. In my example, rl0 is connected to the XP system and xl0 is connected to the ISP:

# ifconfig
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
    ether 00:11:d8:ea:16:d7
    media: Ethernet autoselect (10baseT/UTP)
    status: active
    inet netmask 0xffffff00 broadcast
    ether 00:04:75:ee:e0:21
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet netmask 0xff000000

Assigning the IP address is simple (replace rl0 with the FreeBSD name of your NIC):

# ifconfig rl0

Double-check that the connection is good with a ping:

# ping
(press Ctrl-C to end)
