Monday, 23 March 2009

FreeBSD Router with IPFW

Configure a router with FreeBSD

1. Install FreeBSD.
2. Compile a kernel with the additional options an ipfw router needs (steps 3 to 5).

3. Execute at the prompt:
# cd /usr/src/sys/i386/conf
# cp GENERIC ROUTER
# (open the new file ROUTER in an editor such as ee or vi)

4. ---- add the following lines at the end of the file ROUTER ----------
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000
---- end of file ROUTER

5. Execute at the prompt:
# config ROUTER
# cd ../compile/ROUTER
# make depend
# make
# make install

6. ---- edit /etc/rc.conf ----------------------------------------------------
defaultrouter="86.124.80.1"
gateway_enable="YES"
hostname="router"
ifconfig_fxp0="inet 83.123.213.23 netmask 255.255.255.252"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.255.255.0"
sshd_enable="YES"
natd_enable="YES"
natd_flags=""
named_enable="YES"
natd_interface="fxp0"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/router.firewall"
firewall_logging="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
---- end of rc.conf

7. ---- edit /etc/resolv.conf ------------------------------------------------
nameserver ip_of_your_dns
---- end of resolv.conf ---------------------------------------------

8. ---- edit /etc/router.firewall ----------------------------------------------
fwcmd=/sbin/ipfw
$fwcmd add 00010 divert 8668 ip from any to any via fxp0
$fwcmd add 00020 allow ip from any to any via lo0
$fwcmd add 00030 deny ip from any to 127.0.0.0/8
$fwcmd add 00040 deny ip from 127.0.0.0/8 to any

$fwcmd add 50 allow ip from 10.0.0.2 to any
$fwcmd add 60 allow ip from any to 10.0.0.2

$fwcmd add 70 allow ip from 10.0.0.3 to any
$fwcmd add 80 allow ip from any to 10.0.0.3

$fwcmd add 90 allow ip from 10.0.0.4 to any
$fwcmd add 100 allow ip from any to 10.0.0.4

$fwcmd add 110 allow ip from 10.0.0.5 to any
$fwcmd add 120 allow ip from any to 10.0.0.5

$fwcmd add 35000 allow ip from me to any
$fwcmd add 35001 allow ip from any to me
---- end of router.firewall --------------------------------------------

Comments:
fxp0 is the external interface; assign your public IP to it.
fxp1 is the internal interface.

fxp0 and fxp1 are Intel network cards; use your own device names here. If you have other types of cards, your NIC device will not be called fxp.
To check the names of your devices, run ifconfig or dmesg | more.

The file /etc/router.firewall is the firewall rule file; in this example only the IPs 10.0.0.2-10.0.0.5 are allowed to use the router. Because the kernel was built with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT, the firewall denies by default: anything not matched by an allow rule is dropped by the built-in last rule 65535, which is why the file needs no explicit deny. Note that rule 35001 accepts all traffic to the router itself from either interface, so every service enabled in rc.conf (sshd, named, inetd) is reachable from the Internet; limit that rule to fxp1 or to the ports you actually need if that is not intended.
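The per-host pairs in router.firewall follow one pattern, so as an added example (my own script, not from the original post or unixreport.org) here is a generator that builds the same rule set for any list of internal hosts and loads it through ipfw. The names gen_rules, apply_rules, count_rules and the FWCMD variable are my own; the final logged deny is an addition, since the original file relies on the kernel default rule.

```shell
#!/bin/sh
# Build the router.firewall rule set for an arbitrary list of internal hosts.
# Assumed helper names (gen_rules, apply_rules, count_rules, FWCMD) are mine.

# gen_rules EXT_IF "host1 host2 ..." prints one ipfw rule per line, in the
# order ipfw evaluates them (lowest rule number first).
gen_rules() {
    ext_if=$1
    hosts=$2
    n=50                 # first per-host rule number, as in the post
    # NAT first: every packet crossing the external interface goes to natd
    echo "add 00010 divert 8668 ip from any to any via $ext_if"
    echo "add 00020 allow ip from any to any via lo0"
    echo "add 00030 deny ip from any to 127.0.0.0/8"
    echo "add 00040 deny ip from 127.0.0.0/8 to any"
    # one allow pair per internal host, 10 numbers apart (50, 60, 70, ...)
    for h in $hosts; do
        echo "add $n allow ip from $h to any"
        n=$((n + 10))
        echo "add $n allow ip from any to $h"
        n=$((n + 10))
    done
    # the router's own traffic
    echo "add 35000 allow ip from me to any"
    echo "add 35001 allow ip from any to me"
    # explicit logged deny (addition): the kernel default 65535 would deny
    # silently; with IPFIREWALL_VERBOSE this records what was dropped
    echo "add 65000 deny log ip from any to any"
}

# apply_rules EXT_IF "hosts": flush and load the rules with $FWCMD
# (defaults to /sbin/ipfw; set FWCMD=echo for a dry run)
apply_rules() {
    fwcmd=${FWCMD:-/sbin/ipfw}
    "$fwcmd" -f flush
    gen_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  # rule must be word-split into arguments
        "$fwcmd" $rule
    done
}

# count_rules EXT_IF "hosts": number of rules the generator emits
count_rules() { gen_rules "$1" "$2" | wc -l | tr -d ' '; }
```

Run as FWCMD=echo apply_rules fxp0 "10.0.0.2 10.0.0.3" to see exactly what would be loaded before pointing firewall_script at it.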

In /etc/resolv.conf you must put your DNS servers, so replace ip_of_your_dns from the example with the IP of your DNS server :D

After compiling the kernel don't forget to reboot.

source: www.unixreport.org
