Brian Edmonds (brian@gweep.bc.ca)
Fri, 15 Jan 1999 23:27:59 -0800
Todd Meade <tmeade@bc.sympatico.ca> writes:
> 1) I had to "ipfwadm -F -p accept" rather than "ipfwadm -F -p deny".
> Have I just defeated my firewall? Can I just allow forwarding for
> the 2-4 machines and deny the rest?
Yup, this should do the trick I think:
ipfwadm -F -p deny
ipfwadm -F -a masquerade -S 192.168.1.0/24 (on the masq box)
ipfwadm -F -a accept -S 204.174.23.20/30 -D 204.174.23.20/30
You may also need to twiddle something in /proc somewhere to tell the
kernel you're willing to let it do forwarding, but I don't recall any
details. Make sure you've got a route entry for the local net too.
> 2) My ip masqueraded machines can't see my non-masqueraded machines.
Fixing the local forwarding and routing in #1 should fix this too.
> I don't think I care if I can see anything on the 204.174.23.0 subnet
> other than 20/21/22/23 (the four addresses I own errrr rent). If I do,
> I'll stick to two non-masqueraded nodes (21/22, 20==network,
> 23==broadcast), and set my netmasks/broadcasts accordingly.
I think you should be able to use .20 ok, though there may be a gotcha
I'm not thinking of right now. In fact I think you'll have to, as your
gateway is going to eat up two of those addresses, one for the PPP
interface, and one for its non-local ethernet interface. It's too bad
your external interface doesn't have a separate address.
Brian.
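The question above ("have I just defeated my firewall?") is easiest to answer by checking which flows each rule set actually forwards. The following is an added example, not code from the list or from the ipfwadm project: it parses the three ipfwadm -F lines posted above and evaluates sample flows against them, assuming (as ipfwadm does) that rules are checked in order, the first match wins, and anything unmatched falls to the default policy set with -p. Only the options used on the page (-p, -a, -S, -D) are understood; the flow addresses are constructed, and 198.51.100.0/24 stands in for "somewhere on the Internet". The kernel-side switch Brian mentions is /proc/sys/net/ipv4/ip_forward; it is not modelled here.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    """One 'ipfwadm -F -a' rule: action applies when src AND dst both match."""
    action: str                      # "accept", "deny" or "masquerade"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")   # ipfwadm's meaning of "no -S/-D given"


def load_ipfwadm(commands):
    """Parse 'ipfwadm -F ...' command lines into (default_policy, [Rule, ...]).

    Assumption: only -p, -a, -S and -D are needed for the rules on the page;
    anything else raises so a misread rule cannot silently look permissive.
    '#' comments on a line are ignored.
    """
    policy = "accept"      # placeholder until a '-p' line sets it
    rules = []
    for cmd in commands:
        argv = shlex.split(cmd, comments=True)
        if argv[:2] != ["ipfwadm", "-F"]:
            raise ValueError(f"only forwarding-chain commands are modelled: {cmd}")
        action, src, dst = None, ANY, ANY
        opts = argv[2:]
        i = 0
        while i < len(opts):
            flag = opts[i]
            value = opts[i + 1] if i + 1 < len(opts) else None
            if value is None:
                raise ValueError(f"{flag} needs an argument: {cmd}")
            if flag == "-p":
                policy = value
            elif flag == "-a":
                action = value
            elif flag == "-S":
                src = ipaddress.ip_network(value)
            elif flag == "-D":
                dst = ipaddress.ip_network(value)
            else:
                raise ValueError(f"unsupported option {flag}: {cmd}")
            i += 2
        if action is not None:
            rules.append(Rule(action, src, dst))
    return policy, rules


def forward_verdict(policy, rules, src_ip, dst_ip):
    """First matching rule wins; no match falls through to the default policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return policy


def audit(commands, flows):
    """Return {(src, dst): verdict} for every sample flow under a command set."""
    policy, rules = load_ipfwadm(commands)
    return {flow: forward_verdict(policy, rules, *flow) for flow in flows}


# The setting the question was about: everything gets forwarded.
OPEN_POLICY = ["ipfwadm -F -p accept"]

# The rules suggested in the reply, verbatim apart from the '#' comment.
POSTED_RULES = [
    "ipfwadm -F -p deny",
    "ipfwadm -F -a masquerade -S 192.168.1.0/24   # on the masq box",
    "ipfwadm -F -a accept -S 204.174.23.20/30 -D 204.174.23.20/30",
]

# Constructed sample flows (198.51.100.0/24 is documentation address space).
SAMPLE_FLOWS = [
    ("192.168.1.5", "198.51.100.7"),      # masqueraded LAN host to the outside
    ("204.174.23.21", "204.174.23.22"),   # between the two real-address nodes
    ("204.174.23.21", "198.51.100.7"),    # real-address node to the outside
    ("198.51.100.7", "192.168.1.5"),      # outside host aimed at the LAN
]

if __name__ == "__main__":
    for name, cmds in (("open policy", OPEN_POLICY), ("posted rules", POSTED_RULES)):
        print(f"== {name}")
        for flow, verdict in audit(cmds, SAMPLE_FLOWS).items():
            print(f"  {flow[0]:>15} -> {flow[1]:<15} {verdict}")
```

Running it shows the difference the default policy makes: with `-p accept` every sample flow, including an outside host aimed at the private LAN, is forwarded, whereas with the posted `-p deny` set only the masqueraded LAN and traffic staying inside 204.174.23.20/30 match a rule. Because that last rule constrains both -S and -D to the /30, a real-address node talking to an outside host matches nothing and takes the deny policy, which is the kind of thing worth confirming before deciding the ruleset is complete.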
This archive was generated by hypermail 2.0b3 on Fri 15 Jan 1999 - 23:28:15 PST