From owner-freebsd-ipfw Tue Apr 25 18:40:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
        by hub.freebsd.org (Postfix) with ESMTP id 7D96337B5A5
        for ; Tue, 25 Apr 2000 18:40:23 -0700 (PDT)
        (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
        by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id VAA15708;
        Tue, 25 Apr 2000 21:39:54 -0400 (EDT)
        (envelope-from cjc)
Date: Tue, 25 Apr 2000 21:39:54 -0400
From: "Crist J. Clark"
To: Jordan Blanchard
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network
Message-ID: <20000425213953.C13245@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from cybernetik@sympatico.ca on Mon, Apr 24, 2000 at 11:31:06PM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Apr 24, 2000 at 11:31:06PM -0400, Jordan Blanchard wrote:
> > 00060 66545 35492707 allow ip from any to any
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00100     0        0 allow ip from any to any via lo0
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00200     0        0 deny ip from any to 127.0.0.0/8
> > 00210     0        0 deny icmp from any to any via ed0
> > 65535    16     1000 deny ip from any to any
>
> :As Mike pointed out, these rules make no sense. They are not the
> :"simple" firewall rules either.
>
> Below is the new firewall..
>
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via tun0
> 00130 allow tcp from any to any established
> 00140 allow ip from 10.10.10.0/24 to 1.1.1.1
> 00200 deny ip from 10.10.10.0/24 to any in recv ed1
> 00200 allow tcp from any to any 25
> 00300 deny ip from 1.1.1.0/24 to any in recv ed0
> 00315 allow udp from any 53 to any via tun0
> 00320 allow tcp from any to 1.1.1.1 110
> 00340 allow log logamount 10 udp from any to 10.10.10.1 123
> 00400 deny ip from 192.168.0.0/16 to any via ed1
> 00400 allow udp from any to 1.1.1.1 7070
> 00400 allow udp from any to 1.1.1.1 6770
> 00400 allow udp from any to 1.1.1.1 6070
> 00400 allow tcp from any to 1.1.1.1 554
> 00400 allow udp from any to 1.1.1.1 4000
> 00410 deny tcp from any to any 79
> 00420 deny ip from any to 127.0.0.0/8
> 00430 unreach host icmp from any to any via ed0
> 00440 deny log logamount 10 tcp from 10.10.10.12 to 1.1.1.1 20-23
> 00500 deny ip from any to 192.168.0.0/16 via ed1
> 00600 deny ip from 172.16.0.0/12 to any via ed1
> 00700 deny ip from any to 172.16.0.0/12 via ed1
> 00800 deny ip from 10.0.0.0/8 to any via ed1
> 00900 deny ip from any to 10.0.0.0/8 via ed1
> 01000 allow tcp from any to any established
> 01100 allow tcp from any to 1.1.1.1 25 setup
> 01200 allow tcp from any to 1.1.1.1 53 setup
> 01300 allow tcp from any to 1.1.1.1 80 setup
> 01400 deny log logamount 10 tcp from any to any in recv ed1 setup
> 01500 allow tcp from any to any setup
> 01600 allow udp from any 53 to any via ed1
> 01700 allow udp from any to any 53 via ed1
> 01800 allow udp from any 123 to any via ed1
> 01900 allow udp from 10.0.0.0/8 to any 123 via ed1
> 10155 deny log logamount 10 tcp from any to 10.10.10.1 2049
> 10160 deny log logamount 10 icmp from any to any via ed0
> 10160 deny log logamount 10 udp from any to 1.1.1.1
> 10200 allow ip from any to any
> 65535 deny ip from any to any
>
> as you now have noticed, there's been quite a few changes... There's only
> one problem now.. the ip 10.10.10.12, I've stopped incoming telnets and ftps
> but can't telnet out??? should I be using the pass command?

Do you mean you can't telnet "out" to 1.1.1.1 from rule 440?

I'm still pretty confused about some of the rules, 130 and 1000? 200 and
1100? And rule 420!?!?

> > # netstat -rn
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags     Refs     Use     Netif Expire
> > default            216.209.34.1       UGSc       10     9642      tun0
> > 1                  link#2             UC          0        0       ed1
    ^
Didn't catch this before. You should not really be using that network.

> > 10.10.10/24        link#1             UC          0        0       ed0
> > 10.10.10.12        0:40:5:4d:3d:c8    UHLW        1     2260       ed0    144
> > 10.10.10.120       0:80:c8:36:69:ed   UHLW        2     4970       ed0    715
> > 127.0.0.1          127.0.0.1          UH          0        2       lo0
> > 216.209.34.1       216.209.34.202     UH          9        0      tun0
> > 216.209.34.202     127.0.0.1          UH          0        0       lo0
>
> OK.
>
> > # ifconfig -a
> > ed0: flags=8843 mtu 1500
> >         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
> >         ether 00:20:18:65:a0:9f
> > ed1: flags=88c3 mtu 1500
> >         inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
> >         ether 00:00:c0:df:fb:7f
> > tun0: flags=8051 mtu 1492
> >         inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
> > ppp0: flags=8010 mtu 1500
> > lo0: flags=8049 mtu 16384
> >         inet 127.0.0.1 netmask 0xff000000

[snip]

> :If you are doing NAT through PPP, you should probably use the '-nat'
> :option in ppp(8) rather than the natd(8) daemon.
>
> well, I have put in the nat enable yes command into the ppp.conf and I don't
> see ppp -auto -nat pppoe I see
> 95  ??  Ss     0:01.50 ppp -auto -quiet pppoe
> could it be something in my ppp.conf

If you were to specify '-nat' on the command line or start it through
the boot,

% grep ppp_nat /etc/defaults/rc.conf
ppp_nat="YES"           # Use PPP's internal network address translation or NO.

you would see that in ps. You will not see it in ps if you use a

nat enable yes

in your ppp.conf. Do make sure the line is used for the connection you
are using.

If you are using the PPP NAT, I think you can lose your 'divert' rules
in your firewall.
-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
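The two listings quoted in this mail, run through a small audit script. This is an added example for the archive page, not code from the mail, from its authors, or from FreeBSD. It parses `ipfw show` / `ipfw list` output and reports the things the reply asks about: rule numbers used more than once (ipfw accepts that, evaluates same-numbered rules in insertion order, and `ipfw delete N` removes all of them together), a rule body that appears twice (130 and 1000), a `deny ... to 127.0.0.0/8` with no `pass ... via lo0` ahead of it (the ordering rc.firewall's "simple" set relies on; reading rule 420 that way is mine, not something the reply states), and rules that sit behind an unqualified `allow`/`deny ip from any to any` and can never match (the first listing's rule 60). The rule text embedded below is transcribed from the two quoted listings, the second one as an excerpt; the finding wording and the helper names `parse_rules` and `audit` are this example's own.

```python
"""Audit an `ipfw list` / `ipfw show` dump for rules that cannot be doing
what their author intended.  Added example, not part of the original mail."""
import re
from typing import Dict, List, Set, Tuple

# One line of `ipfw show` (number packets bytes body) or `ipfw list`
# (number body).  The counter group is optional so both forms parse.
RULE_RE = re.compile(r"^(\d{1,5})\s+(?:\d+\s+\d+\s+)?(\S.*)$")

PERMIT = ("allow", "accept", "pass", "permit")
DROP = ("deny", "drop")

# An action on "ip"/"all" from any to any with no interface, direction or
# port qualifier matches every packet, so nothing after it is consulted.
CATCH_ALL_RE = re.compile(
    r"^(?:allow|accept|pass|permit|deny|drop)(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"\s+(?:ip|all)\s+from\s+any\s+to\s+any$"
)

# Constructed input: the first ruleset quoted in the mail (`ipfw show` form).
OLD_RULES = """\
00060 66545 35492707 allow ip from any to any
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 allow ip from any to any via lo0
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 divert 8668 ip from any to any via tun0
00200 0 0 deny ip from any to 127.0.0.0/8
00210 0 0 deny icmp from any to any via ed0
65535 16 1000 deny ip from any to any
"""

# Constructed input: an excerpt of the second ruleset (`ipfw list` form),
# limited to the rules the reply questions plus the two catch-alls.
NEW_RULES_EXCERPT = """\
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via tun0
00130 allow tcp from any to any established
00200 deny ip from 10.10.10.0/24 to any in recv ed1
00200 allow tcp from any to any 25
00420 deny ip from any to 127.0.0.0/8
01000 allow tcp from any to any established
01100 allow tcp from any to 1.1.1.1 25 setup
10200 allow ip from any to any
65535 deny ip from any to any
"""


def parse_rules(dump: str) -> List[Tuple[int, str]]:
    """Return [(number, body), ...] in listing order, counters stripped."""
    rules: List[Tuple[int, str]] = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not an ipfw rule line: {line!r}")
        rules.append((int(m.group(1)), m.group(2)))
    return rules


def audit(rules: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (rule_number, problem) pairs, in listing order."""
    findings: List[Tuple[int, str]] = []
    seen_numbers: Set[int] = set()
    first_with_body: Dict[str, int] = {}
    catch_all_at = None   # number of the first rule that matches every packet
    lo0_passed = False    # has a pass rule for lo0 been seen yet?
    for num, body in rules:
        action = body.split()[0]
        # 1. Everything after a catch-all is dead, except the implicit 65535.
        if catch_all_at is not None and num != 65535:
            findings.append((num, f"never reached: rule {catch_all_at} matches every packet"))
        # 2. Same-numbered rules run in insertion order and are deleted together.
        if num in seen_numbers:
            findings.append((num, f"shares its number with an earlier rule; 'ipfw delete {num}' removes all of them"))
        seen_numbers.add(num)
        # 3. An exact copy of an earlier rule can never be the one that matches.
        if body in first_with_body:
            findings.append((num, f"identical to rule {first_with_body[body]}, which is evaluated first"))
        else:
            first_with_body[body] = num
        # 4. rc.firewall passes lo0 *before* denying 127.0.0.0/8; without that
        #    earlier pass the deny also drops the host's own loopback traffic.
        if action in PERMIT and re.search(r"\bvia lo0\b", body):
            lo0_passed = True
        if action in DROP and "to 127.0.0.0/8" in body and not lo0_passed:
            findings.append((num, "denies 127.0.0.0/8 with no earlier pass via lo0, so loopback traffic is dropped"))
        if catch_all_at is None and CATCH_ALL_RE.match(body):
            catch_all_at = num
    return findings


if __name__ == "__main__":
    for name, dump in (("old", OLD_RULES), ("new (excerpt)", NEW_RULES_EXCERPT)):
        print(f"== {name} ==")
        for num, problem in audit(parse_rules(dump)):
            print(f"{num:05d}: {problem}")
```

Feed it `ipfw show` output from the box being debugged (`ipfw show | python3 audit.py` after swapping the embedded text for `sys.stdin.read()`); the check for exact duplicate bodies is deliberately narrow, so a broader rule that merely subsumes a later one (200 `allow tcp from any to any 25` ahead of 1100 `... to 1.1.1.1 25 setup`) is not reported.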