BSD DevCenter


Sharing Internet Connections

Configuring Shared Internet Connection on Firewall

Now that your computers are ready, it's time to add object(s) to your firewall to represent the computer(s) on your home network, recheck your rules to ensure all computers are allowed internet access, and then add a NAT rule to enable the actual connection sharing.

There are several ways to represent the computers on your network: you can create host objects for each computer, or you can create a network object to represent all of the computers on your home network. Because I have only one other computer, I've chosen to add a host object to represent my XP computer.

Right-click Hosts and select New Host from the menu. Give the host a descriptive name; I called mine XP. When asked to configure the interfaces manually, add the IP address and subnet mask for the computer; you can leave the rest of the parameters empty. Just make sure that you have added the address. In my case, I entered and with a label of my_network.

Next, review your current firewall rules and ask yourself, for each one, whether only the firewall computer should be able to do this or whether all of your computers should. For example, I should add the XP computer as a Source for the rule that allows access to the internet, but I should leave the firewall loopback as the only Destination for the SSH rule that allows me to install a firewall policy. My complete rulebase resembles Figure 1.

Figure 1. My complete rulebase

Creating the NAT rule is easy. In the right frame, click on the NAT tab. Your firewall rules should disappear (don't worry, they are still available from the Policy tab). You should see an empty frame, as you haven't created any NAT rules yet. Right-click and choose Insert Rule. Notice that NAT rules have different fields than regular firewall rules:

Original Src          default value of Any
Original Dst          default value of Any
Original Srv          default value of Any
Translated Src        default value of Original
Translated Dst        default value of Original
Translated Srv        default value of Original
Comment               empty by default

This is what you want to happen: when your other computer needs to access the internet, it should go through the firewall and then out its other interface to the ISP. Create a rule that does that by changing two of the default values:

Original Src        host object
Translated Src        external interface of firewall

In my case, I called my host object XP and my external firewall interface ISP, so my rule looks like Figure 2.

Figure 2. My NAT rule

Don't forget to install your policy when you finish creating your NAT rule. Then try to access a website from your other computer. Assuming you remembered to add that host to your internet access rule, everything should just work.

Hint: if you'd like to see your NAT rules using pfctl, type pfctl -s rules as the superuser. To see your NAT translations or your current NAT connections, type pfctl -s state.
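For readers who want to see what the Figure 2 rule amounts to in pf's own language, here is the equivalent hand-written pf.conf fragment together with the filter rules it depends on. This is an added example, not the article's configuration or anything Firewall Builder produced; the interface names (fxp0, fxp1) and the XP host's address (192.168.1.2) are assumptions.

```pf
# Assumptions (not from the article): ISP-facing interface fxp0,
# home-network interface fxp1, the XP host at 192.168.1.2.
ext_if = "fxp0"          # the interface object the article calls ISP
int_if = "fxp1"
xp     = "192.168.1.2"   # the host object the article calls XP

# The NAT rule from Figure 2: Original Src = XP, Translated Src = the
# firewall's external interface. Original/Translated Dst and Srv stay at
# their defaults (Any / Original), so the rule reads "to any" and rewrites
# neither the destination nor the port. The parentheses around $ext_if make
# pf re-read the interface address, so the rule keeps working after the ISP
# hands out a new DHCP lease.
nat on $ext_if from $xp to any -> ($ext_if)

# Translation is not permission: the filter rules must still pass the
# traffic, which is why the article adds XP as a Source of the internet
# access rule. Without a pass rule for XP, the NAT rule alone does nothing
# useful. Outbound traffic on $ext_if is filtered after translation, so the
# second rule matches on the translated (external) address.
pass in  on $int_if from $xp to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Checks after loading the policy:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -s nat             list the translation rules
#   pfctl -s state           list the active translations
# On OpenBSD 4.7 and later the nat line is written instead as
#   match out on $ext_if from $xp to any nat-to ($ext_if)
```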
