From owner-freebsd-ipfw Sun Jul 1 07:25:05 2001
From: Luigi Rizzo
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sun, 1 Jul 2001 16:19:50 +0200 (CEST)
Subject: Re: BRIDGE in ip_fw.c
Message-Id: <200107011419.QAA30334@info.iet.unipi.it>
In-Reply-To: <20010630232954.J348@blossom.cjclark.org> from "Crist J. Clark" at "Jun 30, 2001 11:29:54 pm"

> The reason I ask is that I need the flag bits of ip->ip_off. The test
> to see if a packet is a fragment is,
>
>     (ip->ip_off & (IP_OFFMASK | IP_MF))
>
> And not just if the offset is non-zero. Obviously, whether ip->ip_off
> is in host or network order will make a difference on how to do the
> same order for bridged and "regular" packets.

I suppose it is host order from the previous snippet of code

        cheers
        luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw Sun Jul 1 11:08:39 2001
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sun, 1 Jul 2001 11:08:34 -0700
Subject: Re: BRIDGE in ip_fw.c
Message-ID: <20010701110834.B296@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <200107011419.QAA30334@info.iet.unipi.it>

On Sun, Jul 01, 2001 at 04:19:50PM +0200, Luigi Rizzo wrote:
> > The reason I ask is that I need the flag bits of ip->ip_off. The test
> > to see if a packet is a fragment is,
> >
> >     (ip->ip_off & (IP_OFFMASK | IP_MF))
> >
> > And not just if the offset is non-zero. Obviously, whether ip->ip_off
> > is in host or network order will make a difference on how to do the
> > same order for bridged and "regular" packets.
>
> I suppose it is host order from the previous snippet of code

I was assuming host order above since that is always the case now.

But according to this code,

        if (0 && BRIDGED) {     /* not yet... */
                offset = (ntohs(ip->ip_off) & IP_OFFMASK);
                ip_len = ntohs(ip->ip_len);
        } else {
                offset = (ip->ip_off & IP_OFFMASK);
                ip_len = ip->ip_len;
        }

At some point in the future, ip->ip_off might not be in host order by
the time it gets to the firewall code?
-- 
Crist J. Clark                                cjclark@alum.mit.edu


From owner-freebsd-ipfw Sun Jul 1 11:32:40 2001
From: Luigi Rizzo
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sun, 1 Jul 2001 20:27:25 +0200 (CEST)
Subject: Re: BRIDGE in ip_fw.c
Message-Id: <200107011827.UAA31365@info.iet.unipi.it>
In-Reply-To: <20010701110834.B296@blossom.cjclark.org> from "Crist J. Clark" at "Jul 1, 2001 11:08:34 am"

> I was assuming host order above since that is always the case now.
>
> But according to this code,
...
> At some point in the future, ip->ip_off might not be in host order by
> the time it gets to the firewall code?

don't worry about the future, it might never come :)
seriously, if that change is ever made, whoever does it will take care
of it or will be guilty if things break

        cheers
        luigi


From owner-freebsd-ipfw Sun Jul 1 11:34:20 2001
From: "Robert Banniza"
Date: Sun, 1 Jul 2001 13:36:24 -0700
Subject: IPFW and triple-homed box...
In-Reply-To: <20010701110834.B296@blossom.cjclark.org>

Guys,

I've got a box that I would like to add a third interface to for a DMZ.
However, I'm having more questions than answers right now. I have
basically the following interfaces:

xl0  (external interface to router)
fxp0 (internal interface using NAT)
fxp1 (DMZ interface using REAL IP on this interface as well as all
      machines having a real IP)

I want to allow ports 80, 443 and 25 over to one single real IP on the
DMZ while allowing nothing to flow in to the internal network from the
DMZ. I also want all traffic on the internal network allowed out to the
'net and allowed over to the DMZ.

I wrote the following HOWTO (http://www.rootprompt.net/freebsd_firewall.html)
for a dual-homed firewall about a year ago but have since been using a
Firebox II.
Therefore, my IPFW rules knowledge is rusty and no matter how much I try
to figure this out, I can't get it right. Therefore, can anyone send me a
list of their rules (if they are similar to what I want to do) or can you
point me to a URL that explains setting up a triple-homed firewall with a
DMZ? I would certainly appreciate any help with this as I would like to
get off of this Firebox and back to IPFW.

Thanks

Robert


From owner-freebsd-ipfw Sun Jul 1 15:02:02 2001
From: "Crist J. Clark"
To: Robert Banniza
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sun, 1 Jul 2001 14:59:57 -0700
Subject: Re: IPFW and triple-homed box...
Message-ID: <20010701145957.F296@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010701110834.B296@blossom.cjclark.org>

On Sun, Jul 01, 2001 at 01:36:24PM -0700, Robert Banniza wrote:
> Guys,
> I've got a box that I would like to add a third interface to for a DMZ.
> However, I'm having more questions than answers right now. I have
> basically the following interfaces:
>
> xl0  (external interface to router)
> fxp0 (internal interface using NAT)
> fxp1 (DMZ interface using REAL IP on this interface as well as all
>       machines having a real IP)
>
> I want to allow ports 80, 443 and 25 over to one single real IP on the
> DMZ while allowing nothing to flow in to the internal network from the
> DMZ. I also want all traffic on the internal network allowed out to the
> 'net and allowed over to the DMZ.

The first question I have is will you be using subnetting to do this, in
which case the firewall will be routing, or not, which requires either
NAT (not a big issue) or bridging (still a bit of a hack to combine with
ipfw)? I think that needs to be cleared up before anyone can help much
more.
-- 
Crist J. Clark                                cjclark@alum.mit.edu


From owner-freebsd-ipfw Tue Jul 3 09:42:25 2001
From: "Jonathan M. Slivko"
To: freebsd-ipfw@freebsd.org
Date: Tue, 3 Jul 2001 17:44:50 +0100 (BST)
Subject: all blocked.

Hello,

I just installed ipfw on my machine, only to find that it automatically
blocked all communication with the internet. Can you guys please tell me
how to either fix it, or turn off the firewall totally. Thanks.
-- Jonathan

                                 \|||/
                                 (o o)
/-----------------------------ooO-(_)-Ooo----------------------------\
| Jonathan M. Slivko        E-Mail: jslivko@jslivko.org              |
| IRC Nick: optix`          Backup: js43064n@pace.edu                |
| AIM/AOL: JMSNY2001        Web   : http://www.jslivko.org           |
|--------------------------------------------------------------------|
|   "History teaches us that days like this are best spent in bed"   |
\--------------------------------------------------------------------/
From owner-freebsd-ipfw Tue Jul 3 09:54:10 2001
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: "Jonathan M. Slivko"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 03 Jul 2001 18:56:39 +0200
Subject: Re: all blocked.
Message-ID: <3B41F947.8B9EE0E5@i-clue.de>

"Jonathan M. Slivko" wrote:
>
> Hello,
>
> I just installed ipfw on my machine, only to find that it automatically
> blocked all communication with the internet. Can you guys please tell me
> how to either fix it, or turn off the firewall totally.

Read /etc/rc.firewall. In /etc/rc.firewall, edit the interface
definitions for your firewall type.

In /etc/rc.conf, add the lines

firewall_enable="YES"     # "NO" will turn off the firewall
firewall_type="client"    # protect this machine only
                          # ("simple" would protect a simple network,
                          #  "open" would protect nothing)

HTH
-Christoph Sold


From owner-freebsd-ipfw Tue Jul 3 12:45:36 2001
From: alex
Reply-To: alex
To: "Jonathan M. Slivko", freebsd-ipfw@freebsd.org
Date: Tue, 03 Jul 2001 21:44:34 +0200
Subject: Re: all blocked.
Message-ID: <2059229442.994196674@[192.168.2.94]>

or recompile kernel with this option included:

options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

so default policy is to allow everything and you still have ipfw part in
kernel and don't have to change any configuration file.

greetings,
alex

--On Tuesday, 3 July 2001 17:44 +0100 "Jonathan M. Slivko" wrote:

> Hello,
>
> I just installed ipfw on my machine, only to find that it automatically
> blocked all communication with the internet. Can you guys please tell me
> how to either fix it, or turn off the firewall totally. Thanks.
> -- Jonathan
>


From owner-freebsd-ipfw Thu Jul 5 19:53:30 2001
From: "Robert Banniza"
Date: Thu, 5 Jul 2001 21:55:38 -0700
Subject: Still can't get it to work...
In-Reply-To: <2059229442.994196674@[192.168.2.94]>

I cannot for the absolute life of me get IPFW to work with three NICs.
All I want to do is to:

1) Pass all traffic from internal network (192.168.1.0/24) to go out to
   'net or to the DMZ.
2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
   addresses (208.53.161.252/30)
3) Allow no traffic from DMZ to flow back into internal network.
4) Block external interface from RFC1918 spoofed addresses

My network is broken up into the following segments:

xl0  - external interface (208.53.161.248/30)
fxp0 - internal interface (192.168.1.0/24)
fxp1 - optional interface (208.53.161.252/30)

I'm using default deny which I feel is safest and compensates for human
error more so than default allow. I have looked on the web for a DMZ
HOWTO and can't find one. Would any of you have rules that do this? I'm
about ready to say fuck it and stick with the Firebox.

Guys, I certainly would appreciate any help with rules on this. I'm tired
of fighting with this thing.

Robert


From owner-freebsd-ipfw Thu Jul 5 21:36:51 2001
From: "Crist J. Clark"
To: Robert Banniza
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 5 Jul 2001 21:36:42 -0700
Subject: Re: Still can't get it to work...
Message-ID: <20010705213642.B308@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <2059229442.994196674@[192.168.2.94]>

On Thu, Jul 05, 2001 at 09:55:38PM -0700, Robert Banniza wrote:
> I cannot for the absolute life of me get IPFW to work with three NICs.
> All I want to do is to:
>
> 1) Pass all traffic from internal network (192.168.1.0/24) to go out to
>    'net or to the DMZ.
> 2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
>    addresses (208.53.161.252/30)
> 3) Allow no traffic from DMZ to flow back into internal network.
> 4) Block external interface from RFC1918 spoofed addresses
>
> My network is broken up into the following segments:
>
> xl0  - external interface (208.53.161.248/30)
> fxp0 - internal interface (192.168.1.0/24)
> fxp1 - optional interface (208.53.161.252/30)
>
> I'm using default deny which I feel is safest and compensates for human
> error more so than default allow.

If you can't get it to _work,_ first thing to do is,

        00100 divert natd ip from any to any via xl0
        00200 pass ip from any to any

And make sure that works. If you can't get it to run at all, I'd suspect
a routing or interface problem before ipfw(8). ipfw(8) really doesn't
care how many NICs you are using. Once you verify it works, remove the
'pass ip any to any' and start placing more and more restrictive rules.
-- 
Crist J. Clark                                cjclark@alum.mit.edu


From owner-freebsd-ipfw Thu Jul 5 22:44:06 2001
From: "Robert L Sowders"
To: "Robert Banniza"
Cc: freebsd-ipfw@freebsd.org, owner-freebsd-ipfw@FreeBSD.ORG
Date: Thu, 5 Jul 2001 22:44:02 -0700
Subject: Re: Still can't get it to work...

Check out http://www.gnatbox.com/

They're using a version of freebsd and ipf that will do what you are
trying to do. Maybe you should look at using ipf. gnatbox lite is free,
but it does not support both a protected network and private service
network. The pro version does, but it will cost you money. But if they
can do it, then you should be able to do it too.


"Robert Banniza"
Sent by: owner-freebsd-ipfw@FreeBSD.ORG
07/05/2001 09:55 PM

        To:
        cc:
        Subject: Still can't get it to work...

I cannot for the absolute life of me get IPFW to work with three NICs.
All I want to do is to:

1) Pass all traffic from internal network (192.168.1.0/24) to go out to
   'net or to the DMZ.
2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
   addresses (208.53.161.252/30)
3) Allow no traffic from DMZ to flow back into internal network.
4) Block external interface from RFC1918 spoofed addresses

My network is broken up into the following segments:

xl0  - external interface (208.53.161.248/30)
fxp0 - internal interface (192.168.1.0/24)
fxp1 - optional interface (208.53.161.252/30)

I'm using default deny which I feel is safest and compensates for human
error more so than default allow. I have looked on the web for a DMZ
HOWTO and can't find one. Would any of you have rules that do this? I'm
about ready to say fuck it and stick with the Firebox.

Guys, I certainly would appreciate any help with rules on this. I'm tired
of fighting with this thing.
Robert


From owner-freebsd-ipfw Fri Jul 6 00:51:39 2001
From: "Patrick O'Reilly"
To: "FreeBSD IPFW List", "Robert Banniza"
Date: Fri, 6 Jul 2001 09:51:54 +0200
Subject: RE: Still can't get it to work...

Robert,

I have a triple-homed firewall running fine on BSD. The rules are fairly
simple. They are included below.

These rules allow SSH support from outside. This is how I get to the
servers for the customer, but you might not need the same.

The DMZ has one server at present which runs mail, ftp and web. The
rules are set accordingly. You should be able to use these rules, and
just make some mods for yourself.

I have not done anything about the RFC1918 addresses specifically, but
that should be easy to do.

Here's the rc.firewall script:

############
#!/usr/local/bin/bash
# Perimeter
# Patrick O'Reilly - 17/06/2001

sleep 3

fwcmd="/sbin/ipfw -q"

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# Create a temporary rule to keep things running
#
${fwcmd} add 00001 allow ip from any to any

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# xl0 is the NIC facing the internet
${fwcmd} add 00100 divert natd ip from any to any via xl0

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 01000 allow ip from any to any via lo0
${fwcmd} add 01001 deny log ip from any to 127.0.0.0/8
${fwcmd} add 01010 allow icmp from any to any

# I intensely dislike Netbios!
${fwcmd} add 01100 deny log udp from any to any 137,138,139 via xl0
${fwcmd} add 01120 allow udp from any to any 53
${fwcmd} add 01120 allow udp from any 53 to any
# ${fwcmd} add 01130 allow udp from any to any

############
# Preliminary setup
#
${fwcmd} add 02000 allow tcp from any to any established

# Enable Patrick to login for support
${fwcmd} add 03000 allow tcp from #Patrick's IP# to #firewall internet ip# 22 setup
${fwcmd} add 03000 allow tcp from #Patrick's IP# to #mail server ip# 22 setup

# Allow pretty much anything to be set up going outward
${fwcmd} add 04000 allow tcp from #firewall internet ip# to any setup
${fwcmd} add 04000 allow tcp from #DMZ IP/Subnet# to any setup
${fwcmd} add 04000 allow tcp from 192.168.1.0/24 to any setup

############
# Access to the FTP server
#
# At present this is for use by business partners only
${fwcmd} add 05000 allow tcp from #known external ip# to #ftp server ip#
${fwcmd} add 05000 allow tcp from #ftp server ip# to #known external ip#
# Use these rules if you want to run a public FTP server
# ${fwcmd} add 05010 allow tcp from any to #ftp server ip# 21
# ${fwcmd} add 05010 allow tcp from #ftp server ip# 20 to any

############
# Access to the WEB server
#
${fwcmd} add 06000 allow tcp from any to #web server ip# 80,443

############
# Access to the MAIL server
#
${fwcmd} add 07000 allow tcp from any to #mail server ip# 25
${fwcmd} add 07100 allow tcp from 192.168.1.0/24 to #mail server ip# 110
# This is so that staff can POP their email from home!
# I hate having holes like this open, but if the customer wants it ...
${fwcmd} add 07200 allow tcp from any to #mail server ip# 110

# I manually insert this rule ahead of 65535 so that I can
# log what gets denied
${fwcmd} add 65530 deny log ip from any to any

############
# Delete the temporary rule
#
${fwcmd} delete 00001

############
End of rc.firewall script.

I hope this helps,

Regards,
Patrick O'Reilly.

-----------------
A little knowledge is dangerous... FEAR ME!

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Robert Banniza
Sent: 06 July 2001 06:56
To: freebsd-ipfw@FreeBSD.ORG
Subject: Still can't get it to work...

I cannot for the absolute life of me get IPFW to work with three NICs.
All I want to do is to:

1) Pass all traffic from internal network (192.168.1.0/24) to go out to
   'net or to the DMZ.
2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP
   addresses (208.53.161.252/30)
3) Allow no traffic from DMZ to flow back into internal network.
4) Block external interface from RFC1918 spoofed addresses

My network is broken up into the following segments:

xl0  - external interface (208.53.161.248/30)
fxp0 - internal interface (192.168.1.0/24)
fxp1 - optional interface (208.53.161.252/30)

I'm using default deny which I feel is safest and compensates for human
error more so than default allow. I have looked on the web for a DMZ
HOWTO and can't find one. Would any of you have rules that do this?
I'm about ready to say fuck it and stick with the Firebox.

Guys, I certainly would appreciate any help with rules on this. I'm tired
of fighting with this thing.

Robert
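Added example, not code from anyone on the list: Robert's four requirements, Crist's advice to start from "divert natd + pass any" and tighten step by step, and Patrick's stateless ruleset all hinge on ipfw's first-match order, and rule order is easy to get wrong on a three-interface box. The Python below parses the subset of ipfw rule syntax used in this thread, evaluates a candidate policy for the xl0/fxp0/fxp1 layout against constructed sample packets, and so lets each tightening step be checked offline before it is loaded. It is a model of ipfw, not ipfw: natd divert, keep-state/check-state, ICMP, and the second pass ipfw makes on the outgoing interface are not modelled. The DMZ server address 208.53.161.254 is an assumption (the thread only gives the 208.53.161.252/30 subnet), and 203.0.113.5 is a documentation address standing in for "the net".

```python
"""First-match evaluator for a subset of ipfw(8) rule syntax (a model, not ipfw)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    iface: str            # interface the packet is seen on
    direction: str        # "in" or "out" relative to that interface
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # tcpdump-style letters S, A, R; "" for udp


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Set[int]
    dst: ipaddress.IPv4Network
    dports: Set[int]
    direction: Optional[str]
    via: Optional[str]
    tcp_state: Optional[str]   # "setup" or "established"
    text: str


def _net(tok: str) -> ipaddress.IPv4Network:
    # "any" is 0.0.0.0/0 in ipfw; a bare host address becomes a /32
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _ports(toks: list) -> Set[int]:
    # consume an optional comma-separated port list such as "22,25,80,443"
    if toks and toks[0][0].isdigit():
        return {int(p) for p in toks.pop(0).split(",")}
    return set()


def parse_rule(line: str) -> Rule:
    """<num> <allow|deny> <proto> from <src> [ports] to <dst> [ports]
    [in|out] [via <iface>] [setup|established]"""
    toks = line.split()
    number, action, proto = int(toks[0]), toks[1], toks[2]
    if action not in ("allow", "deny") or toks[3] != "from":
        raise ValueError(f"unsupported rule: {line}")
    rest = toks[4:]
    src, sports = _net(rest.pop(0)), _ports(rest)
    if rest.pop(0) != "to":
        raise ValueError(f"expected 'to' in rule {number}")
    dst, dports = _net(rest.pop(0)), _ports(rest)
    direction = via = tcp_state = None
    while rest:
        tok = rest.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            via = rest.pop(0)
        elif tok in ("setup", "established"):
            tcp_state = tok
        else:
            raise ValueError(f"unsupported keyword {tok!r} in rule {number}")
    return Rule(number, action, proto, src, sports, dst, dports, direction, via, tcp_state, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    f = pkt.tcp_flags
    # ipfw semantics: "setup" is SYN without ACK, "established" is ACK or RST set
    state = {"setup": "S" in f and "A" not in f, "established": "A" in f or "R" in f}
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface)
            and (rule.tcp_state is None or state[rule.tcp_state]))


def evaluate(rules, pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins, as in ipfw; rule 65535 is the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    raise RuntimeError("ruleset has no catch-all rule 65535")


# Candidate policy for xl0 (outside) / fxp0 (192.168.1.0/24) / fxp1 (208.53.161.252/30).
# 208.53.161.254 is an ASSUMED address for the single DMZ server.
POLICY = """
# 4) RFC1918 sources must never arrive on the outside interface
00100 deny ip from 10.0.0.0/8 to any in via xl0
00110 deny ip from 172.16.0.0/12 to any in via xl0
00120 deny ip from 192.168.0.0/16 to any in via xl0
# 3) the DMZ may never open anything towards the inside; this sits BEFORE the
#    'established' rule on purpose, swapping 00200 and 00300 changes the policy
00200 deny tcp from 208.53.161.252/30 to 192.168.1.0/24 setup
00210 deny udp from 208.53.161.252/30 to 192.168.1.0/24
# packets of TCP connections already set up (stateless, as in the thread)
00300 allow tcp from any to any established
# 1) the inside may open anything towards the net or the DMZ
00400 allow tcp from 192.168.1.0/24 to any setup
00410 allow udp from 192.168.1.0/24 to any
# 2) published DMZ services
00500 allow tcp from any to 208.53.161.254 22,25,80,443 setup
00510 allow udp from any to 208.53.161.254 53
# explicit default deny (the kernel default without IPFIREWALL_DEFAULT_TO_ACCEPT)
65535 deny ip from any to any
"""
RULES = sorted((parse_rule(l) for l in POLICY.splitlines()
                if l.strip() and not l.lstrip().startswith("#")), key=lambda r: r.number)

if __name__ == "__main__":
    samples = [  # constructed packets, one per requirement in the thread
        ("inside opens web session", Packet("tcp", "192.168.1.10", "203.0.113.5", "fxp0", "in", 40000, 80, "S")),
        ("net reaches DMZ https", Packet("tcp", "203.0.113.5", "208.53.161.254", "xl0", "in", 51000, 443, "S")),
        ("DMZ tries ssh to inside", Packet("tcp", "208.53.161.254", "192.168.1.10", "fxp1", "in", 45000, 22, "S")),
        ("spoofed RFC1918 on xl0", Packet("tcp", "192.168.1.77", "208.53.161.254", "xl0", "in", 1234, 80, "S")),
    ]
    for label, pkt in samples:
        action, num = evaluate(RULES, pkt)
        print(f"{label:26s} -> {action:5s} (rule {num:05d})")
```

The two things worth taking from running it: rule 00200 must precede the stateless `established` rule 00300, otherwise any DMZ-to-inside packet that merely carries the ACK bit sails through (the same weakness applies to Patrick's `allow udp from any 53 to any`, which admits any UDP datagram with source port 53); and because the last rule is an explicit deny, every packet not covered by a requirement, such as an outside probe at 192.168.1.10:445, ends at 65535 rather than at an accidental allow. ipfw's `keep-state`/`check-state` rules remove the need for the blanket `established` rule; the model here deliberately stays with the stateless style the thread uses so the ordering hazard is visible.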