VanLUG Email Archive

Re: Proxy/Router/Firewall? with The Wave

Brian Edmonds
08 Oct 1998 08:44:58 -0700

Turbo Fredriksson <
> writes:
> 3. The external network must work, before you start trying to connect
> the internal machines to the net.

Though it's probably easier to get the internal net working first, then
add external connectivity. It gives you something you can test directly
by pinging back and forth between internal machines, so you know you're
doing it right.

> # Add firewall entries...
> /sbin/ipfwadm -F -f
> /sbin/ipfwadm -F -p accept

This should generally be deny, unless you want your system to
potentially start routing between your interfaces.

> /sbin/ipfwadm -F -a masquerade -S 192.168.1.2 -D 0/0
> The last line is repeated over and over (with different addresses of
> course :) for each host on the local network...

No. I made this perfectly clear on my slides. Unless you have internal
hosts you *don't* want accessing the net, it's far better to just NAT
the whole internal network:
$ipfwadm -F -a masquerade -S 192.168.0.0/16

However, this person has two internal interfaces it sounds like. In
which case you might want to allow internal routing, and so set it up
something like:
1) first internal interface on network 192.168.1.0/24
2) second internal interface on network 192.168.2.0/24
3) ipfwadm -F -a accept -S 192.168.0.0/16 -D 192.168.0.0/16
Then the masquerade forwarding entry.

Again, the slides for my related talks are at
http://www.cs.ubc.ca/spider/edmonds/ubc/linux-gw.ps
http://www.cs.ubc.ca/spider/edmonds/ubc/linux-ipfw.ps

And your .sig is still too long, btw (and I mean the silly parts, not
the PGP stuff).

Brian.
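Added illustration, not part of Brian's message or the list archive: a small Python model of the ipfwadm `-F` forwarding chain (first matching rule decides, otherwise the chain policy applies) that evaluates the rules quoted above under `-p accept` versus `-p deny`, showing why the reply wants deny as the policy and a single whole-network masquerade entry. The parser is a hypothetical helper covering only the `-S`/`-D` subset used in the thread (no `-W` interface matching, protocols or ports), the kernel's de-masquerading of reply traffic is not modelled, and the sample flows use constructed addresses.

```python
import ipaddress

def parse_rule(cmd):
    """Parse 'ipfwadm -F -a <target> [-S net] [-D net]' (hypothetical helper; no -W/-P/ports)."""
    argv = cmd.split()
    if argv[:3] != ["ipfwadm", "-F", "-a"]:
        raise ValueError("only forwarding-chain append rules are modelled: %r" % cmd)
    target, src, dst = argv[3], "0.0.0.0/0", "0.0.0.0/0"   # ipfwadm's defaults are 0/0
    for flag, val in zip(argv[4::2], argv[5::2]):
        val = "0.0.0.0/0" if val == "0/0" else val          # ipfwadm shorthand for 'any'
        if flag == "-S":
            src = val
        elif flag == "-D":
            dst = val
    # a bare address with no mask is a single host (/32), as ipfwadm treats it
    return target, ipaddress.ip_network(src), ipaddress.ip_network(dst)

def forward_verdict(policy, rules, src_ip, dst_ip):
    """Chain semantics: the first matching rule decides; no match falls through to the policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for target, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return target
    return policy

# Ruleset recommended in the reply: internal<->internal routing, then NAT the whole 192.168/16.
WHOLE_NET_RULES = [parse_rule(c) for c in (
    "ipfwadm -F -a accept -S 192.168.0.0/16 -D 192.168.0.0/16",
    "ipfwadm -F -a masquerade -S 192.168.0.0/16 -D 0/0",
)]
# Ruleset from the quoted script: one masquerade entry per host (only one host listed here).
PER_HOST_RULES = [parse_rule("ipfwadm -F -a masquerade -S 192.168.1.2 -D 0/0")]

# Constructed sample flows; 198.51.100.7 and 203.0.113.5 are documentation addresses.
FLOWS = {
    "lan1 -> lan2": ("192.168.1.10", "192.168.2.20"),
    "lan -> internet": ("192.168.1.10", "198.51.100.7"),
    "unlisted host -> internet": ("192.168.1.3", "198.51.100.7"),
    "internet -> lan host": ("203.0.113.5", "192.168.1.2"),
}

def policy_table(rules):
    """Verdict for every sample flow under '-p accept' and '-p deny'."""
    return {name: {p: forward_verdict(p, rules, s, d) for p in ("accept", "deny")}
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("whole-net", WHOLE_NET_RULES), ("per-host", PER_HOST_RULES)):
        print(label, policy_table(rules))
```

With `-p accept`, an internet-sourced packet aimed at a LAN address and a LAN host missing from the per-host list are both forwarded (the latter with its private source address intact); with `-p deny` both fall through to deny, and only the explicitly listed traffic is routed or masqueraded.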