UNIX System Administration Handbook - Evi Nemeth [203]
map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:65000
You should start packet filtering, NAT, and logging at boot time. The commands are:
# ipf -E -Fa -f /etc/ipf.rules
# ipnat -CF -f /etc/ipnat.rules
# ipmon -D -s
The flags to ipf enable the filter (-E), flush all existing rules (-Fa), and read the new rules from /etc/ipf.rules (-f). Likewise for ipnat, -CF deletes all old rules first and -f then loads the new rules from /etc/ipnat.rules. ipmon runs as a daemon (-D), monitoring the packets that ipf logs to the pseudo-device /dev/ipl and passing them on to syslog (-s).
By default, FreeBSD assumes that the ipfw filtering system will be used, not ipf. You must invent some new variables in the rc.conf file to turn on ipf filtering and create corresponding sh lines in the rc.network startup file. Use the ipfw startup lines as a model. You can configure NAT just by setting the values of the natd_* rc.conf variables. We have illustrated the NAT startup but leave the rc.network hacking for ipf as an exercise for the reader.
natd_program="/usr/sbin/ipnat"
natd_enable="YES"
natd_interface="xxx" # device name or IP address
natd_flags="-f /etc/ipnat.rules" # + any flags you want
Be mindful of the order in which things are done at startup time. If you are really paranoid, you’ll want to have filtering in place before you configure any network interfaces. IPFilter’s NAT implementation depends on ipf, so be sure to enable both if you want to use NAT.
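An rc.network-style sh fragment for the ipf exercise above, added here as an example rather than taken from the book or from FreeBSD: it loads the filter before NAT and the logger, refuses to start when a rule file is missing, and is meant to be called before any interface is configured. The ipf_*, ipnat_* and ipmon_* variable names are hypothetical, modeled on the natd_* ones shown above.

```shell
#!/bin/sh
# Added example, not from the book: rc.network-style startup lines for
# IPFilter, modeled on the ipfw/natd_* pattern. The ipf_*, ipnat_* and
# ipmon_* variable names are hypothetical rc.conf knobs, not real ones.

# Site settings that would normally live in /etc/rc.conf (hypothetical names).
ipf_enable=${ipf_enable:-YES}
ipf_rules=${ipf_rules:-/etc/ipf.rules}
ipnat_enable=${ipnat_enable:-YES}
ipnat_rules=${ipnat_rules:-/etc/ipnat.rules}
ipmon_enable=${ipmon_enable:-YES}
# IPF_DRYRUN=1 prints each command instead of running it (handy for checking
# the generated command lines on a machine without IPFilter installed).
IPF_DRYRUN=${IPF_DRYRUN:-0}

run() {
    if [ "$IPF_DRYRUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Bring up the filter, then NAT, then the logger, in that order. Returns
# non-zero if a rule file is missing so rc.network can stop before any
# interface comes up rather than booting with no filter in place.
ipfilter_start() {
    case "${ipf_enable}" in
    [Yy][Ee][Ss]) ;;
    *) return 0 ;;                      # filtering disabled: nothing to do
    esac
    if [ ! -f "${ipf_rules}" ]; then
        echo "ipf: rule file ${ipf_rules} missing; refusing to start" >&2
        return 1
    fi
    # -E enables the filter, -Fa flushes any old rules, -f loads the new set.
    run ipf -E -Fa -f "${ipf_rules}" || return 1
    # NAT depends on ipf, so it is only loaded once the filter is up.
    case "${ipnat_enable}" in
    [Yy][Ee][Ss])
        [ -f "${ipnat_rules}" ] || { echo "ipnat: rule file ${ipnat_rules} missing" >&2; return 1; }
        # -CF deletes all old NAT rules before -f loads the new ones.
        run ipnat -CF -f "${ipnat_rules}" || return 1
        ;;
    esac
    # ipmon -D daemonizes; -s sends packets logged to /dev/ipl on to syslog.
    case "${ipmon_enable}" in
    [Yy][Ee][Ss]) run ipmon -D -s || return 1 ;;
    esac
}
```

Source this file from rc.network and call ipfilter_start ahead of the interface configuration; abort the boot sequence (or leave the interfaces down) if it returns non-zero.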
PPP configuration for FreeBSD
FreeBSD supports two PPP implementations, one inside the kernel and one in user space that uses the IP tunnel device driver. The user-level package is called ppp and uses the configuration file /etc/ppp/ppp.conf. It’s a bit slower than the kernel implementation but has many more features. See the man pages for details—we do not cover the user-level ppp as thoroughly as we do the kernel-level implementation.
User-level ppp requires that the kernel be configured to include the pseudo-device “tun” and that devices /dev/tun0, /dev/tun1, etc. exist. The system is configured in the ppp.conf file; a sample lives in the /etc/ppp directory and includes an example of every option and feature you might ever want to try. A couple of companion files keep things safe. ppp.deny lists logins that should never use ppp, such as root and bin. ppp.shells lists the paths to all valid shells; ppp denies access to users whose shell is not listed.
A default entry in ppp.conf sets parameters such as the baud rate, the device file for the modem, the logging options, and the dialing sequence. It is followed by entries for each site that you might want to connect to with PPP, for example:
allow user local-user-name-here
netblazer800:
set phone phone-number-here
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: login word: passwd"
set timeout 120
delete ALL
add default HISADDR
In this example, we specify the user that’s allowed to use ppp (so it doesn’t have to run as root), the phone number to call, and the login chat script (including login name and password). The last two lines delete any existing routes and add a default route to the PPP server (your ISP, presumably).
The kernel-level PPP package uses a daemon called pppd. Like the user-level implementation, it keeps configuration files in /etc/ppp. The main configuration files are called options and ppp.deny. These are usually supplemented by local files for the terminal server at the other end of the connection; for example, options.netblazer for device-specific options and chat.netblazer for login information. FreeBSD supplies sample configuration files for several PPP scenarios in /usr/share/examples.
ppp.deny is a list of users who should never use PPP; for example, the user “bin”.
The configuration files below bring up a PPP connection from Evi’s home machine to the University of Colorado. The first file sets global options for pppd, the second sets the specific options used to connect to the ancient Netblazer