Subject: Re: NetBSD and routing
To: None <stanp@storm.ca>
From: Greg A. Woods <woods@weird.com>
List: port-i386
Date: 04/09/2000 00:26:27
[ On Saturday, April 8, 2000 at 14:40:51 (-0400), Stan Pietkiewicz wrote: ]
> Subject: NetBSD and routing
>
> I recently installed NetBSD 1.4.2 on a i486 machine I had handy, with
> the plan of using it for a router / firewall to connect through my cable
> modem. I managed to set up both network interfaces so I can see both
> networks from the 486 (the world as well as my network), but what do I
> need to do so other machines on my network can see the rest of the
> world??

All you really need is just NetBSD itself with IP Filter and NAT
configured appropriately.

I've just built a gateway box running recent -current (1.4V) in an
i486dx66 (w/8MB and a 340MB IDE drive).  It's working like a charm
although I'm still looking for a pair of faster ISA ethernet cards to
replace the ne2000 clone cards that I'm currently using since the
latter can only do about 100pps and that means I can't get much more
than 200KB/s across the network even though other people using similar
CPUs are getting much faster, like 700KB/s.  For example a we8013 seems
to be able to do about 1200pps with 'ping -f' on the local LAN while my
cards only get about 400pps, which is way better than the NE2100 clones
I tried at first....

> Part B of the same topic: Has anyone managed to build and install the
> TIS firewall toolkit under NetBSD - i386?

Don't even bother trying!   ;-)

There are a very few parts of it that are useful in some circumstances
but I wouldn't recommend it on the whole.

Just use the IP-Filter and NAT to build a simple gateway that'll allow
your internal hosts to talk out.  I'm also using a GRE tunnel to
move my routable network across to where it's routed to via another
cable modem customer to a "real" connection.  You can do this with
SSH+PPP too (e.g. with pkgsrc/security/ssh-ip-tunnel).

As others have mentioned already you'll probably want a custom kernel
with a few options on by default, such as GATEWAY (can be enabled with
sysctl) and IPFILTER_LOG (ipmon(8) log support for IP Filter & NAT).

The basic NAT setup is of course just something like the following (the
first line's not really necessary if you always use a proxy):

	map ne1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
	map ne1 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
	map ne1 192.168.0.0/24 -> 0/32

(note that only one internal host will be able to ping an outside
address at any one time -- this can cause some problems for other ICMP
traffic too on a busy internal network...)

You can set up IP-Filter to protect your host from the cable network
(and the big bad Internet) to whatever extent you feel comfortable with.
I'm running basic anti-spoof filters and blocking a very few incoming
services such as rlogin, rsh, telnet, syslog, some of the internal inetd
services, etc. (same as I was doing with my PPP link).  You can go the
other way and block everything by default and only let through the stuff
you want to see.  I can e-mail you my complete ipf.conf if you'd like.
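A minimal ipf.conf of the anti-spoof plus default-deny kind described above, as an added example rather than Greg's own file; it assumes ne0 is the internal LAN interface, ne1 the cable-modem side, and 192.168.0.0/24 the LAN as in the NAT rules:

```ipf
# Added example ipf.conf (not the poster's file).  Assumes ne0 = internal
# LAN, ne1 = cable modem side, LAN = 192.168.0.0/24 as in the NAT rules.
# Rules are last-match unless marked "quick", which stops at that rule.

# Loopback and the internal LAN are trusted.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on ne0 all
pass out quick on ne0 all

# Anti-spoof: packets arriving from the cable side must not claim a source
# address in our LAN, loopback, or the other private ranges.
block in log quick on ne1 from 192.168.0.0/16 to any
block in log quick on ne1 from 172.16.0.0/12 to any
block in log quick on ne1 from 10.0.0.0/8 to any
block in log quick on ne1 from 127.0.0.0/8 to any
# ...and nothing addressed to an unroutable network should leave the box.
block out log quick on ne1 from any to 192.168.0.0/16
block out log quick on ne1 from any to 127.0.0.0/8

# Default deny on the outside interface.  Logged, so ipmon(8) (with
# IPFILTER_LOG in the kernel) shows what is being dropped.
block in  log on ne1 all
block out log on ne1 all

# Let the gateway and the NATed LAN talk out; "keep state" lets the
# replies back in without a matching "pass in" rule for each service.
pass out quick on ne1 proto tcp  from any to any flags S keep state
pass out quick on ne1 proto udp  from any to any keep state
pass out quick on ne1 proto icmp from any to any keep state

# The only service reachable from outside: ssh to the gateway itself.
pass in quick on ne1 proto tcp from any to any port = 22 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf`; after a DHCP address change `ipf -y` is still needed so the filter picks up the new interface address.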

Set your default route on the inside boxes to point at the gateway and
configure your browsers and such to point at the provider's proxy:

	export http_proxy="http://proxy.ym1.on.wave.home.com:8080/"
	export ftp_proxy="http://proxy.ym1.on.wave.home.com:8080/"

Same with DNS, just point your resolv.conf's at the provider's caching
nameservers.

If you do have another (slower) link out another router for a routed
network then you can route just your provider's server networks over to
the cable gateway (this is essentially what I'm doing -- it's just that
my "slower" link also runs over the cable network in a tunnel).

If you must run DHCP to get your cable modem address then I think you'll
want to run "ipf -y" from the dhclient script when the external address
changes.

Although you're probably not allowed by your contract to run servers on
your cable modem you can of course and you can avoid running them on the
gateway box by using the NAT to redirect and rewrite packets to any given
TCP service through to some internal host on your LAN (and then of
course you can add a DNS entry pointing to your cable IP, updating it
from your dhclient script every time it changes).

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>