From: Jayton Garnett <jay@codegurus.org>
Date: Sun, 23 Oct 2005 01:17:57 +0100
To: andy@triera.net
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with firewall
Message-ID: <435AD6B5.9050109@codegurus.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Andy Rozman (Aleksander) wrote:
> Hi!
>
> I am sorry to post this message here, but I think that there are a lot of
> gurus here who could help me without a problem.
>
> Till now I was running ipfw with a rule that allows all packets (from the kernel)
> to pass through. In the last few weeks I started having problems, since I got
> quite a lot of packets that the server accepted by default.
>
> So I removed this kernel directive, but now I have the problem that I don't
> know how to set rules.
> I have on my FreeBSD box two NICs, one for the outside
> internet and one for the internal network, so I am using this machine as a router
> and as a web server, ...
>
> The problem is that I don't know how to set the rules so that ipfw will allow all
> directives from the inside network to go out, and receive replies. Please send me a
> working config. I tried several configs I found on the net, but none of them seem
> to work... It would probably also be nice to put one working natd + ipfw
> configuration somewhere in the handbook.
>
> Please help.
> Andy
>
> P.S: I applied for membership to the list, but I don't know how fast this will be
> processed, so please cc to my email.

Hello Andy,

Last night I faced a similar problem, since ndiscvt on fbsd 5.4 64-bit would not produce the required ndis_driver_data.h file for my wifi card (ndiscvt produced it on fbsd 5.4 x86), so a friend helped me out and I kind of understand what you need. I didn't get mine working because I'm too impatient, and my internet connection went down for a few minutes; in that time I dug out my hub and cat5 patch cables and ran them to my router instead of going something like this:

Main PC --> Gateway --> Router --> Internet

It now goes like this (and so does the rest of the network):

Main PC --> Router --> Internet

This presumes you are using a cable modem with no router in between it and your server/router. Hope it works for you!
Cheers,
Jayton

In your /etc/rc.conf you should have something like this:

gateway_enable="YES"                  # forward packets between rl0 and rl1
hostname="yourdomain.com"
ifconfig_rl0="DHCP"                   # outside interface, address from the ISP
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"   # inside interface
# The default route comes from DHCP on rl0. Do not set defaultrouter to this
# box's own inside address (192.168.0.1): that would point the box's own
# outbound traffic at itself.
#defaultrouter="192.168.0.1"

# firewall stuff
firewall_enable="YES"
firewall_script="/etc/rc.firewall"    # the script below replaces the stock one
firewall_quiet="NO"
firewall_flags=""

# natd stuff
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

In your /etc/natd.conf:

interface rl0
# rl0 gets its address by DHCP, so follow address changes instead of
# keeping the address natd saw at startup
dynamic yes
# Forward these ports (tcp and udp) to the host 192.168.0.3 on the LAN.
# natd accepts port ranges, so this is the same as listing every port.
redirect_port tcp 192.168.0.3:2090-2095 2090-2095
redirect_port udp 192.168.0.3:2090-2095 2090-2095
redirect_port tcp 192.168.0.3:2000-2004 2000-2004
redirect_port udp 192.168.0.3:2000-2004 2000-2004

In your /etc/rc.firewall (create it in /etc if it does not exist), add this in and see what happens:

#!/bin/sh
# /etc/rc.firewall: this replaces the stock script, so the divert rules that
# hand packets to natd (without them no NAT happens at all) are included here.

# Rules command prefix. Add -q for quiet mode (rules are not displayed as
# they load); leave it off during development so you can see them.
fwcmd="/sbin/ipfw"

# outside (internet) and inside (LAN) interfaces, as in rc.conf
oif="rl0"
iif="rl1"
# inside network, netmask and this box's inside address (for the anti-spoofing rules)
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"
# LAN host that natd.conf redirects ports to
rhost="192.168.0.3"
# rule number that outgoing traffic jumps to for NAT; it must stay above
# every rule that is added below without an explicit number
natout=60000

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# mandatory
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# exempt everything behind the firewall from this rule set: allow all internal traffic
${fwcmd} add pass ip from any to any via ${iif}

# Stop spoofing: our inside network, or our own addresses, never arrive from outside
# (the me-to-me check is the CIAC prevention alert one; it has to come before the
# rules that let traffic in)
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log ip from me to me in via ${oif}

# Translate incoming packets before the stateful check, so replies are matched
# against the inside addresses that the keep-state rules below recorded
${fwcmd} add divert natd ip from any to any in via ${oif}

# turn on the stateful firewall: a packet that belongs to a session created by
# a keep-state rule gets that rule's action (allow, or skipto ${natout})
${fwcmd} add check-state

# Pre-stateful fallback for TCP. It also passes any ACK-only packet to any port,
# so remove it once the keep-state rules are confirmed to work.
${fwcmd} add allow tcp from any to any established

# Deny IP fragments
#${fwcmd} add deny all from any to any frag

################################################################################
# allow outgoing connections to the specified ports
# "skipto ${natout}" (not pass) sends them through natd before they leave;
# a plain pass here would let LAN traffic out with its private source address
################################################################################
# allow everything (the specific rules after these are only reached if these are removed)
${fwcmd} add skipto ${natout} tcp from any to any 1-65535 out via ${oif} setup keep-state
${fwcmd} add skipto ${natout} udp from any to any 1-65535 out via ${oif} keep-state
${fwcmd} add skipto ${natout} icmp from any to any out via ${oif} keep-state
# http
${fwcmd} add skipto ${natout} tcp from any to any 80 out via ${oif} setup keep-state
# ssh
${fwcmd} add skipto ${natout} tcp from any to any 22 out via ${oif} setup keep-state
# CVSUP
${fwcmd} add skipto ${natout} tcp from any to any 5999 out via ${oif} setup keep-state
# GRE (PPTP tunnels)
${fwcmd} add skipto ${natout} gre from any to any out via ${oif} keep-state
# https
#${fwcmd} add skipto ${natout} tcp from any to any 443 out via ${oif} setup keep-state
# ftp
${fwcmd} add skipto ${natout} tcp from any to any 21 out via ${oif} setup keep-state
#${fwcmd} add skipto ${natout} tcp from any to any 49152-65535 out via ${oif} setup keep-state
# pop (my isp 1)
${fwcmd} add skipto ${natout} tcp from any to any 110 out via ${oif} setup keep-state
# smtp (isp 1)
${fwcmd} add skipto ${natout} tcp from any to any 25 out via ${oif} setup keep-state
# news
${fwcmd} add skipto ${natout} tcp from any to any 119 out via ${oif} setup keep-state
# time
${fwcmd} add skipto ${natout} tcp from any to any 37 out via ${oif} setup keep-state
# DNS queries out to my ISP's DNS servers; the answers come back through check-state
${fwcmd} add skipto ${natout} udp from any to any 53 out via ${oif} keep-state
# NTP queries out in the world; the answers come back through check-state
${fwcmd} add skipto ${natout} udp from any 123 to any 123 out via ${oif} keep-state
# Only needed if the two stateful rules above are removed: they let in any UDP
# packet with source port 53 or 123, whatever its destination port.
#${fwcmd} add pass udp from any 53 to any in via ${oif} keep-state
#${fwcmd} add pass udp from any 123 to any 123 in via ${oif} keep-state

################################################################################
# allow incoming connections from the internet to those specified ports
################################################################################
# Allow access to our SSH server
${fwcmd} add pass log tcp from any to me 22 in via ${oif} setup keep-state
# Allow access to our news server
${fwcmd} add pass log tcp from any to me 119 in via ${oif} setup keep-state
# Allow access to ftp server (passive mode) from the internet
${fwcmd} add allow tcp from any to me 21 in via ${oif} setup keep-state
${fwcmd} add allow tcp from any to me 20 in via ${oif} setup keep-state
${fwcmd} add allow tcp from any to me 49152-65535 in via ${oif} setup keep-state
# Allow access to our httpd
${fwcmd} add allow tcp from any to me 80 in via ${oif} setup keep-state
${fwcmd} add allow tcp from any to me 8080 in via ${oif} setup keep-state
# Allow access to pop and sendmail
${fwcmd} add allow tcp from any to me 25 in via ${oif} setup keep-state
${fwcmd} add allow tcp from any to me 110 in via ${oif} setup keep-state
# allow ident requests
${fwcmd} add allow tcp from any to me 113 in via ${oif} setup keep-state
# The connections that natd.conf redirects to ${rhost}: "skipto ${natout}" so
# the LAN host's replies are translated back on their way out
${fwcmd} add skipto ${natout} tcp from any to ${rhost} 2000-2004,2090-2095 in via ${oif} setup keep-state
${fwcmd} add skipto ${natout} udp from any to ${rhost} 2000-2004,2090-2095 in via ${oif} keep-state
# ICMP we need from outside: destination unreachable (includes "fragmentation
# needed", so path MTU discovery keeps working) and time exceeded
${fwcmd} add pass icmp from any to any in via ${oif} icmptypes 3,11

################################################################################
# default to catch all the rest
################################################################################
# Reject noisy incoming connections without logging (NetBIOS, MySQL, X11)
${fwcmd} add deny tcp from any to any 137-139 in via ${oif}
${fwcmd} add deny tcp from any to any 3306 in via ${oif}
${fwcmd} add deny tcp from any to any 6000 in via ${oif}
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Reject&Log all incoming datagrams from the outside
${fwcmd} add deny log udp from any to any in via ${oif}
# Stop & log ping attacks: all ICMP not passed above, which includes
# echo reply (ICMP type 0) and echo request (type 8)
${fwcmd} add deny log icmp from any to me in via ${oif}
# Explicit final deny, so the result does not depend on the kernel's default rule
${fwcmd} add deny log ip from any to any

############
# NAT for outgoing packets: the target of the "skipto ${natout}" rules above.
# natd rewrites the source address and the packet continues at the next rule.
${fwcmd} add ${natout} divert natd ip from any to any out via ${oif}
${fwcmd} add $((natout + 1)) allow ip from any to any
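Why the position of the divert rule matters, as an added illustration (mine, not code from this thread): a toy model of how ipfw walks a rule list with check-state, keep-state, divert natd and skipto. A single divert placed before the stateful rules, for both directions, records state under the translated address and then fails to match the reply; divert-in plus a skipto to a later divert-out rule (the layout the FreeBSD Handbook uses for stateful ipfw with natd) matches it. Addresses are constructed; ports and TCP flags are ignored.

```python
# Toy walk of an ipfw rule list: keep-state, check-state, divert natd, skipto.
# Constructed model, not ipfw itself: addresses only, no ports, no TCP flags.
PUBLIC, LAN_HOST, REMOTE = "203.0.113.5", "192.168.0.7", "198.51.100.9"

def walk(rules, pkt, state, nat):
    """Return 'allow' or 'deny' for pkt={'src','dst','dir'}; updates state/nat."""
    pkt, i = dict(pkt), 0
    while i < len(rules):
        num, action, direction, keep = rules[i]
        i += 1
        if action == "check-state":           # dynamic entry found: use parent's action
            for key, parent in state.items():
                if key in ((pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])):
                    action, direction, keep = parent, "any", False
                    break
            else:
                continue
        if direction not in ("any", pkt["dir"]):
            continue
        if action == "divert":                # natd rewrites, packet resumes at next rule
            if pkt["dir"] == "out" and pkt["src"].startswith("192.168."):
                nat[pkt["dst"]], pkt["src"] = pkt["src"], PUBLIC
            elif pkt["dir"] == "in" and pkt["dst"] == PUBLIC and pkt["src"] in nat:
                pkt["dst"] = nat[pkt["src"]]
            continue
        if keep:                              # keep-state stores the rule's own action
            state[(pkt["src"], pkt["dst"])] = action
        if action.startswith("skipto"):       # jump to the first rule numbered >= target
            i = next(j for j, r in enumerate(rules) if r[0] >= int(action.split()[1]))
            continue
        return action
    return "deny"

# (number, action, direction, keep-state); lists are in rule-number order
EARLY_DIVERT = [(50, "divert", "any", False), (100, "check-state", "any", False),
                (200, "allow", "out", True), (700, "deny", "any", False)]
SKIPTO_NAT = [(50, "divert", "in", False), (100, "check-state", "any", False),
              (200, "skipto 800", "out", True), (700, "deny", "any", False),
              (800, "divert", "out", False), (801, "allow", "any", False)]

def session(rules):
    """LAN host opens a session to REMOTE and REMOTE replies: (verdict out, verdict in)."""
    state, nat = {}, {}
    out = walk(rules, {"src": LAN_HOST, "dst": REMOTE, "dir": "out"}, state, nat)
    back = walk(rules, {"src": REMOTE, "dst": PUBLIC, "dir": "in"}, state, nat)
    return out, back
```

session(EARLY_DIVERT) gives ('allow', 'deny'): the state entry was keyed on the public address, so the un-NATed reply never matches it; session(SKIPTO_NAT) gives ('allow', 'allow').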