Sharing Internet Connectionsby Dru Lavigne
My previous article demonstrated how even novice BSD users can quickly create a working firewall to protect their own systems. Today I want to start with that base firewall and explore how to fine-tune rules, configure NAT so other PCs can share an Internet connection, and review firewall logs.
The rulebase created in the last article allows your computer to access the internet, and allows fwbuilder to use SSH on the localhost to install firewall policies. This means you should be able to do most internet-related activities including web browsing, sending email, using
pkg_add to install software, using
portupgrade to keep your software up-to-date, and using most of the common internet applications such as Gaim for chat, Skype for free telephone calls, XMMS to listen to music, and RSS feeders to keep abreast of the latest news.
Occasionally, you'll run across an application your firewall blocks. The reason is that the application needs to make a connection to you in order to send packets. Some internet games do this; a Google search should tell you which ports you need to open on your firewall. Simply make a TCP or UDP object which contains the required port(s) and insert a rule that allows that service from any source.
Some other services, besides internet games, may not work as you expect. As an example, I use /usr/ports/mail/fetchmail to download email from my ISP's POP3 server. After installing my firewall, I was surprised to discover that I could send email but not receive it.
fetchmail had no problem connecting to the ISP to download the email; the problem was that
fetchmail expected to contact
sendmail before it delivered that email into my inbox. The problem disappeared after I installed that package and added this rule:
Source Destination Service Action Options Comment Any test:lo0:ip smtp Accept used by fetchmail
I created that smtp object by starting
fwbuilder, right-clicking the TCP object in the Services tree, and choosing New TCP Service from the menu. I gave it the name smtp and a Destination Port Range Start of 25. Notice that the destination is the loopback address, which only local mail delivery uses. Even if you don't use
fetchmail, you should still add this rule so that your periodic scripts can successfully send mail to the superuser account.
You may be surprised to learn that
ping won't work until you add another firewall rule. This is because
ping uses two types of ICMP packets: one goes out from your machine (an echo request), but you'll never know your request made it to the destination unless your firewall allows an echo reply packet to come in. The current firewall rules only allow your packets to go out.
To fix this, start by creating two ICMP objects. Right-click ICMP and select New ICMP Service from the menu. Name the first object Echo Request, and enter an ICMP Type of 8 and an ICMP Code of 0. When you make the second ICMP object, name it Echo Reply and enter an ICMP type of 0 and an ICMP Code of 0.
Next, decide if you just want the firewall to be able to ping out or if you also wish to allow others to ping your firewall. This rule will allow all pings:
Source Destination Service Action Options Comment Any Any echo request Accept Allow all pings echo reply
Note: technically, you don't need to add the
echo request service, as the existing firewall rules already allow your outbound packets. I've included it because it makes more sense to me when I view the rule.
If you want to be more restrictive and only allow your firewall to
ping out and not allow others to
ping your firewall, modify the rule so it looks like:
Source Destination Service Action Options Comment Any firewall echo reply Accept Allow sites I've pinged to reply back
Again, you don't have to allow your echo requests out, as they already fall under the rule that allows you to access the internet. It is up to you whether to include that service in this rule.
Preparing Your Computers to Share an Internet Connection
Before creating the rules you need within
fwbuilder to share your internet connection, make sure that your network is properly set up. The computer running
fwbuilder needs to have a NIC, which it uses to communicate with the other computers in your home network. This NIC is separate from the hardware you use to communicate with your ISP; that might also be a NIC (in the case of a cable or DSL connection) or it might be a modem (in the case of a dial-up PPP connection). Make sure the NIC you use to communicate with your other computers is plugged into the same hub or switch as your other computers.
You also need to decide on an addressing scheme to use on your home computers. The easiest method is to choose one of the addresses from the private address ranges. These addresses always start with either 10, 172.16 up to 172.31, or 192.168.
In my example, a FreeBSD system running
fwbuilder will share its internet connection with a Windows XP system. I've assigned the address 10.0.0.1 to the FreeBSD system and 10.0.0.2 to the XP system. Starting on the XP system:
- From Control Panel, select Network Connections (depending upon your view, Network Connections might be inside Network and Internet Connections)
- Double-click the icon that represents the NIC, then click Properties
- Double-click Internet Protocol TCP/IP
- Click the button for Use the Following IP Address, and input 10.0.0.2 for the address, 255.0.0.0 for the mask, and 10.0.0.1 for the gateway
- Under preferred DNS server, enter the first address found in /etc/resolv.conf on the FreeBSD system, then keep clicking OK until you exit this utility
On the FreeBSD system, become the superuser and type
ifconfig to determine the name of the NIC you will use to communicate with the XP system. If you have multiple NICs and are currently connected to the internet, choose the NIC that currently doesn't have an IP address. In my example,
rl0 connected to the XP system and
xl0 connected to the ISP:
# ifconfig rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 options=8<VLAN_MTU> ether 00:11:d8:ea:16:d7 media: Ethernet autoselect (10baseT/UTP) status: active xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=9<RXCSUM,VLAN_MTU> inet 220.127.116.11 netmask 0xffffff00 broadcast 18.104.22.168 ether 00:04:75:ee:e0:21 media: Ethernet autoselect (100baseTX <full-duplex>) status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000
Assigning the IP address is simple. (Replace
rl0 with the FreeBSD name of your NIC):
# ifconfig rl0 10.0.0.1
Double-check that the connection is good with a
# ping 10.0.0.2 (press ctrl c to end)