From owner-freebsd-ipfw  Mon Mar 24 11: 1:40 2003
Date: Mon, 24 Mar 2003 11:01:37 -0800 (PST)
Message-Id: <200303241901.h2OJ1bQ2070519@freefall.freebsd.org>
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
List-ID: <freebsd-ipfw.FreeBSD.ORG>

Current FreeBSD problem reports
Critical problems
Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw        ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw        [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw        [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw        [patch] Sanity check in ipfw(8)

3 problems total.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Tue Mar 25  1:21: 8 2003
Date: Tue, 25 Mar 2003 11:20:08 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Scot <scotrn@cox.net>
Cc: FreeBSD Stable <stable@FreeBSD.ORG>, ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall
Message-ID: <20030325092007.GB73657@sunbay.com>
In-Reply-To: <PAEEIJCHPFHEDADDGJFLEEHJDNAA.scotrn@cox.net>
List-ID: <freebsd-ipfw.FreeBSD.ORG>

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just set up my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmapping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
>
> If I log on to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next ??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet. This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently.  Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:

${inet}:${imask} -> some_host (in  via ${iif})
${oip}           -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in  via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always
the case.)

So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age


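To see why all three rules are needed under a default-deny policy, here is an added example (an editor's illustration, not code from the thread or from FreeBSD) that models ipfw first-match evaluation over the four legs Ruslan lists; the interface names and addresses are constructed stand-ins for the rc.firewall variables.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Pkt:                     # one packet as ipfw sees it on one interface
    proto: str; src: str; dst: str; direction: str; iface: str

@dataclass
class Rule:                    # "pass|deny proto from src to dst [in|out] [via iface]"
    action: str; proto: str; src: str; dst: str
    direction: Optional[str] = None; iface: Optional[str] = None

def addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Pkt) -> bool:
    return ((r.proto in ("all", "ip") or r.proto == p.proto)
            and addr_ok(r.src, p.src) and addr_ok(r.dst, p.dst)
            and r.direction in (None, p.direction)
            and r.iface in (None, p.iface))

def verdict(rules, p: Pkt, default="deny"):
    """First matching rule wins, as in ipfw; else the kernel default (rule 65535)."""
    for n, r in enumerate(rules, 1):
        if rule_matches(r, p):
            return r.action, n
    return default, 65535

# Constructed stand-ins for the rc.firewall variables (not from the post).
IIF, OIF = "fxp1", "fxp0"
INET = "192.168.1.0/24"        # ${inet}:${imask}
OIP = "203.0.113.5"            # ${oip}, the address natd rewrites to
HOST = "198.51.100.9"          # some_host on the Internet
CLIENT = "192.168.1.10"        # a machine on the inside

# Ruslan's four legs: natd rewrites the source on the way out and the
# destination on the way back, so ipfw sees each leg as its own packet.
NAT_FLOW = [
    Pkt("tcp", CLIENT, HOST, "in", IIF),    # leg 1: inside host -> firewall
    Pkt("tcp", OIP, HOST, "out", OIF),      # leg 2: after NAT
    Pkt("tcp", HOST, CLIENT, "in", OIF),    # leg 3: reply, after de-NAT
    Pkt("tcp", HOST, CLIENT, "out", IIF),   # leg 4: reply to inside host
]

# The three rules from the post, in order.
RUSLAN_RULES = [
    Rule("pass", "all", INET, "any", "in", IIF),
    Rule("pass", "ip", OIP, "any", "out", OIF),
    Rule("pass", "ip", "any", INET),
]

def flow_verdicts(rules):
    return [verdict(rules, p)[0] for p in NAT_FLOW]

def first_denied_leg(rules):
    """1-based number of the first leg a default-deny ruleset drops, 0 if none."""
    return next((i for i, v in enumerate(flow_verdicts(rules), 1) if v == "deny"), 0)
```

Dropping the third rule leaves leg 3 (the de-NATed reply arriving on the outside interface) with no match, which is exactly the "works from the firewall, not from the LAN" symptom described in the thread.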


From owner-freebsd-ipfw@FreeBSD.ORG  Tue Mar 25 22:58:39 2003
From: "Scot" <scotrn@cox.net>
To: "Ruslan Ermilov" <ru@FreeBSD.ORG>, "Scot" <scotrn@cox.net>
Date: Wed, 26 Mar 2003 01:29:34 -0500
Message-ID: <PAEEIJCHPFHEDADDGJFLKELMDNAA.scotrn@cox.net>
In-reply-to: <20030325092007.GB73657@sunbay.com>
cc: FreeBSD Stable <stable@FreeBSD.ORG>
cc: ipfw@FreeBSD.ORG
Subject: SUMMARY: Natd stops working on Firewall
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>


Thanks to all who posted. Thanks Ruslan for the answer!
Simple fix as Ruslan explained. Just add ...

        ${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
        ${fwcmd} add pass ip from ${oip} to any out via ${oif}
        ${fwcmd} add pass ip from any to ${inet}:${imask}

at the end of the SIMPLE section of rc.firewall. I added them just before

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;
[Cc][Ll][Oo][Ss][Ee][Dd])


Yes I know. Now that I know it works I need to make it more restricted.

The details of what started this thread.

Following the FreeBSD Online handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
I set up my firewall (initially) using the following rc.conf settings:
ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

Added my DHCP IP and local network to the rc.firewall SIMPLE section and
voila. It worked. But only for a little while. No logs or anything as to
why...
Hence the post and kind response below.

Also:
I added 15 lines of code to rc.firewall to dynamically handle a DHCP
address; if you are interested, here it is. I know my coding sucks but it works.
--------------------------------------------------------------------------
 # set these to your outside interface network and netmask and ip
    oif="fxp0"
    # look up ifconfig_fxp0 from rc.conf to see whether the interface is DHCP
    eval CHDHCP=\${ifconfig_$oif}
    if [ "${CHDHCP}" = "DHCP" -a -r /var/db/dhclient.leases ]; then
       lease="/var/db/dhclient.leases"
       # the last lease entry in the file is the current one
       oip=`grep fixed-address ${lease} | cut -d\; -f1 | awk '{print $2}' | tail -1`
       omask=`grep subnet-mask ${lease} | cut -d\; -f1 | awk '{print $3}' | tail -1`
       # derive the network address from the first three octets (assumes a /24)
       shortonet=`echo "$oip" | cut -d. -f1,2,3`
       onet="$shortonet.0"
       echo "DHCP onet  = $onet"
       echo "DHCP omask = $omask"
       echo "DHCP oip   = $oip"
       sleep 4
    else
       # Add static address here
       onet="xxx.xxx.xxx.0"
       omask="255.255.255.0"
       oip="xxx.xxx.xxx.xxx"
    fi


-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG
[mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Ruslan Ermilov
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall



From owner-freebsd-ipfw@FreeBSD.ORG  Fri Mar 28 17:45:13 2003
Message-Id: <5.1.0.14.0.20030329123307.040e9880@mail.cpn.homeip.net>
Date: Sat, 29 Mar 2003 12:43:52 +1100
To: freebsd-ipfw@freebsd.org
From: Carey Nairn <Carey.Nairn@dpac.tas.gov.au>
Subject: IPFW and ntpd
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>

I am having a problem with getting ntpd to work with ipfw.  Using my simple 
firewall setup (based on the default /etc/rc.firewall), I get the following 
error when I start ntpd:

ntpd_initres[23825]: send to NTP server failed: Permission denied

If I set my firewall to OPEN, ntpd works just fine.

My firewall configuration is executed whenever my PPP (ADSL) connection is 
established and is as follows:

#!/bin/sh

fwcmd="/sbin/ipfw"

${fwcmd} -f flush

oif="tun0"
oip=`/sbin/ifconfig tun0 | grep -v grep | grep "inet " | awk '{ print $2 }'`
onet=$oip
omask="255.0.0.0"

iif="fxp0"
inet="172.16.1.0"
imask="255.255.255.0"
iip="172.16.1.4"

${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}

# Deny incoming ICMP requests
${fwcmd} add deny log icmp from any to any in via ${oif} icmptypes 8

# Allow outgoing ICMP requests
${fwcmd} add pass icmp from any to any out via ${oif} icmptypes 8
${fwcmd} add pass icmp from any to any in via ${oif} icmptypes 0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 22

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

Any thoughts on why the NTP rule fails?

thanks
Carey Nairn