UNI-FIX Computer

We needed some dynamic forwarding in FreeBSD

cd /usr/ports/sysutils/socket
make install

We needed to forward some vnc

vbcafe# echo vnc 5900/tcp >> /etc/services
vbcafe# echo vnc1 5901/tcp >> /etc/services
vbcafe# echo vnc2 5902/tcp >> /etc/services
vbcafe# echo vnc3 5903/tcp >> /etc/services
vbcafe# echo vnc4 5904/tcp >> /etc/services
vbcafe# echo vnc5 5905/tcp >> /etc/services
vbcafe# echo vnc6 5906/tcp >> /etc/services
…and so on

Or for the lazy ones:
perl -e ‘for ($i=0; $i<50; $i++) { print “vnc$i “.($i+5900).”/tcp\n”;}’ >> /etc/services

vnc1 stream tcp nowait nobody /usr/local/bin/socket socket 10.1.1.1 5900

==== rc.conf ===============================================

defaultrouter=”192.168.10.1″
hostname=”npcafe.secure-net.dk”
ifconfig_vr0=”inet 10.10.10.254 netmask 255.255.255.0″
ifconfig_sis0=”inet 192.168.10.199 netmask 255.255.255.0″

gateway_enable=”YES”
sshd_enable=”YES”
usbd_enable=”YES”
apache2_enable=”YES”
named_enable=”YES”

smbd_enable=YES
nmbd_enable=YES
dhcpd_enable=YES
dhcpd_ifaces=vr0

firewall_enable=YES

natd_enable=”YES”
natd_interface=”sis0″

==== firewall =============================================

#!/bin/sh

case “$1” in
start)
echo Starting firewall
ipfw -f flush

natd -n sis0
ipfw add divert natd ip from any to any via sis0

ipfw pipe 3 config bw 128Kbit/s queue 10 # Intet
ipfw pipe 2 config bw 2Mbit/s queue 10 # Mindre end vi har
ipfw pipe 1 config bw 10Mbit/s queue 10 # Mere end vi har

ipfw add allow all from any to me 445 keep-state
# ipfw add allow all from any to 212.242.77.76 22 keep-state

ipfw add deny all from 10.10.10.10/24 to any 22 keep-state

#Ting der er vigtige
ipfw add pipe 1 all from any 22 to any # SSH
ipfw add pipe 1 all from any 27960 to any # Quake3

#Ting der er semi vigtige
ipfw add pipe 2 all from any 80 to any # HTTP

#Ting der kan vaere lige meget
ipfw add pipe 3 all from any to any # Resten

ipfw add accept all from any to any
exit 0
;;
stop)
echo Stopping firewall
killall natd
# Minimal firewall settings, all allow for self and mike
ipfw -f flush
ipfw add allow all from any to any via lo0
ipfw add allow all from me to any keep-state
ipfw add allow all from 212.242.77.76 to me keep-state
;;
open)
echo Opening up firewall
ipfw -f flush
ipfw add allow all from any to any
;;
*)
echo “Usage: `basename $0` {start|stop|open}” >&2
exit 64
;;
esac

==== old firewall ============================== [syntax]

#!/bin/sh

case “$1” in
start)
echo Starting firewall
ipfw -f flush

natd -n sis0
ipfw add divert natd ip from any to any via sis0

# Clients to me

ipfw add allow all from 10.10.10.10/24 to me 139 keep-state #smb
ipfw add allow all from 10.10.10.10/24 to me 68 keep-state #dhcp
ipfw add allow all from 10.10.10.10/24 to me 53 keep-state #dns

# Admin to me
ipfw add allow all from 10.10.10.100 to me keep-state # kasse
ipfw add allow all from 212.242.77.76 to me keep-state # mike
ipfw add allow all from 81.19.234.132 to me keep-state # mike-2

# Clients to world
ipfw add deny all from 10.10.10.10/24 to any 445 keep-state #vira
ipfw add allow all from 10.10.10.10/24 to any keep-state #open

ipfw pipe 2 config bw 2Mbit/s queue 10
ipfw pipe 1 config bw 128Kbit/s queue 10

# layer 1 stuff
ipfw add queue 2 tcp from 10.10.10.10/24 to any 53 out
# ipfw add queue 1 tcp from 10.10.10.10/24 to any 27960 out
# ipfw add queue 1 tcp from 10.10.10.10/24 to any 22 out

# layer 2 stuff
#ipfw add queue 2 tcp from 10.10.10.10/24 to any 80 out
# ipfw add queue 2 tcp from 10.10.10.10/24 to any 21 out
# ipfw add queue 2 tcp from 10.10.10.10/24 to any 596 out

# layer 3 stuff – Anything not mentioned above gets the crap
ipfw add pipe 1 all from any to any out

ipfw add accept all from any to any

exit 0
;;
stop)
echo Stopping firewall
killall natd
# Minimal firewall settings, all allow for self and mike
ipfw -f flush
ipfw add allow all from any to any via lo0
ipfw add allow all from me to any keep-state
ipfw add allow all from 212.242.77.76 to me keep-state
;;
open)
echo Opening up firewall
ipfw -f flush
ipfw add allow all from any to any
;;
*)
echo “Usage: `basename $0` {start|stop|open}” >&2
exit 64
;;
esac