Date: Sat, 16 Dec 2000 16:22:15 -0800
From: Boris <koester@x-itec.de>
To: Matthias Heidbrink <mh@cs.tu-berlin.de>
Cc: freebsd-isdn@FreeBSD.ORG
Subject: Re[2]: Firewall Problem with i4b 0.90.1 / FreeBSD 4.0 - Sample configuration?
Message-ID: <44177482936.20001216162215@x-itec.de>
In-Reply-To: <20001216135348.A29752@nicky.cs.tu-berlin.de>
References: <20001215211303.C25371@nicky.cs.tu-berlin.de> <31110682042.20001215214854@x-itec.de> <20001216135348.A29752@nicky.cs.tu-berlin.de>
Hello Matthias,

Saturday, December 16, 2000, 4:53:49 AM, you wrote:

Ok, let's take a look. The ruleset is not bad at all, but I think we should begin with a smaller ruleset first. After that, we will do some enhancements like "Ping protection" and "Traceroute protection", anti-spoofing, and so on. There are some entries in your ruleset that may give you some trouble, so we create a basic ruleset first. After that, we will enhance it later if everything works on your machine.

MH> I'm curious what you'll find out.

Ok, let's go on -)

Maybe I will write a little IPFW HOWTO for FreeBSD soon, we will see (my personal howto, hosted on my domain, accessible for everyone). I will use this mail as a template for the howto.

We are using our own script for improving our firewall; we will begin with a little one to see that everything is working. You should start the following script. If you are starting it remotely, it could happen that you will be disconnected and you have to relogin (it's a question of how fast the rules are processed).

filename: nat.bat

#!/bin/sh
# throw away the old ruleset, then send all traffic on isp0 through natd
ipfw -f flush
ipfw add divert natd all from any to any via isp0
# wide-open test ruleset: everything passes (the tcp/udp rules below are
# already covered by the "pass all" rule, they only make the intent visible)
ipfw add pass all from any to any
ipfw add pass tcp from any to any
ipfw add pass udp from any to any
ipfw show
natd -interface isp0
---------------

The NAT script is fired up by the upcoming isdn script below. It's possible that the last line reports something like "natd is already using the address.." or similar. Ignore it. This is your new firewall script, we will enhance it later.

Normally, a server should be well protected first, before applying a firewall script. An ipfw ruleset is the top of the tree. Normally you have to make sure that no one can break into your network first, even without your ipfw script, but this is another story -)

Well, let's go. Now, armed with our ipfw script, we may still have the problem that we will get a "permission denied" if we want to use isdn.
Our NAT daemon is a little bit confused, so we have to do some nice tricks. Here we have a quick and dirty script to establish an ISDN connection. It resets some drivers and so on to be sure that everything works. We have some sleep commands to give the daemons enough time to reset. The script will produce some "bla not found" or similar messages, ignore them. This script can be used to reinitialise the isdn connection, too, if necessary. And remember: ignore any strange messages, let the script run.

------------------------------------------------------------
filename: isdn.bat

#!/bin/sh
# restart isdnd so it re-reads /etc/isdn/isdnd.rc
echo PID ISDND
isp=`cat /var/run/isdnd.pid`
echo $isp
kill $isp
sleep 5
echo Starte ISDN Daemon neu
isdnd
echo done.
sleep 5
# stop natd; it is started again at the end on the reconfigured interface
echo PID Nat..
pid=`cat /var/run/natd.pid`
echo $pid
echo Kill NAT
kill $pid
sleep 10
# show which natd pid (if any) is still recorded in the pidfile
echo Checke NAT:
pid=`cat /var/run/natd.pid`
echo $pid
sleep 2
echo -n 'Configuring ISPPP to T-Offline:'
echo -n ' spppcontrol'; echo "ifconfig down"
# take the interface down and drop all routes before reconfiguring it
ifconfig isp0 delete -link1 down
sleep 5
route flush
sleep 5
echo "ispppcontrol settings..."
# PAP login for T-Online; put your own account name and password here
ispppcontrol isp0 myauthproto=pap
ispppcontrol isp0 myauthname="DEINE BENUTZERKENNUNG"
ispppcontrol isp0 myauthsecret="DEIN PASSWORT"
sleep 5
echo "ifconfig setup"
# dummy addresses; the real ones are negotiated by PPP when the call is up
ifconfig isp0 0.0.0.0 0.0.0.1 netmask 255.255.255.255 link1 debug
sleep 5
echo -n ' up'; ifconfig isp0 up
# default route through isp0 via the dummy peer address 0.0.0.1
route add 0.0.0.0 0.0.0.1
netstat -nra
sleep 5
natd -interface isp0
./nat.bat
-----------------------------------------------------

Some very important entries of this script are:

- RESETTING THE NAT DAEMON
- RESETTING THE ISDN DAEMON
- DOING SOME TRICKS WITH ROUTING (route add 0.0.0.0 0.0.0.1)

Now, if the isdn connection establishes, we could still have the problem (it is possible, but it need not be) of a "permission denied", because our nat daemon is still not awake. So, we will take a closer look at the isdnd.rc script and we will look at a script that resets the nat daemon too.
------------------------------
filename: isdnd.rc located in /etc/isdn

system
ratesfile = /etc/isdn/isdnd.rates    # name & location of rates file
useacctfile = yes                    # generate accounting info to file
acctall = on                         # generate info for everything
acctfile = /var/log/isdnd.acct       # name & location of accounting file
rtprio = 25                          # modify isdnd's priority
regexpr = "call active"              # look for matches in log messages
regprog = hup_natd                   # execute program when match is found

entry
name = T-Offline
usrdevicename = isp
usrdeviceunit = 0
isdncontroller = 0
isdnchannel = -1
local-phone-incoming = *
remote-phone-incoming = *
local-phone-dialout = 4711           # put your phone number here! completely!
remote-phone-dialout = 0191011
remdial-handling = first
dialin-reaction = ignore
dialout-type = normal
b1protocol = hdlc
idletime-incoming = 240
idletime-outgoing = 360
ratetype = 0
unitlength = 90
unitlengthsrc = aocd
dialretries = -1
dialrandincr = on
recoverytime = 2
usedown = off
downtries = 2
downtime = 30
----------------------------------------------

This is a working script for t-online. Now, we will take a closer look at our nat reset script, named "hup_natd", located in /etc/isdn/ (we will create it now). I don't know if the script above works with your i4b version, try it out. If not, run the hup_natd script manually after establishing an ISDN connection.

---------------------------------------
filename: hup_natd located in /etc/isdn

#!/bin/sh
# send HUP to natd several times; the first ones may arrive before natd
# has picked up the new address on isp0
pid=`cat /var/run/natd.pid`
echo Prozess-ID fuer NAT-D: $pid
kill -HUP $pid
sleep 3
kill -HUP $pid
sleep 5
kill -HUP $pid
sleep 30
kill -HUP $pid
sleep 60
kill -HUP $pid
---------------------------

Now, a very interesting question is why we use these sleeps and why we are doing this several times. If we are sending the HUP signal to the NAT daemon, it needs some time to process it. Sometimes, the daemon is still not working, and we have to fire up the HUP signal again. This will be done in the background when the isdn connection establishes.
Now, we have a complete set of scripts to get isdn up and running with NAT. If it works, we will go a step closer to setting up your ruleset.

--
Boris [MCSE, CNA]
...................................................................
X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
........: [PRIVATE ADDRESS:]
: Boris Köster eMail koester@x-itec.de http://www.x-itec.de
: Grüne 33-57368 Lennestadt Germany Tel: +49 (0)2721 989400
: 101 % PERFECTION - SECURITY - STABILITY - FUNCTIONALITY
........:..........................................................
Everything I am writing is (c) by Boris Köster and may not be rewritten or distributed in any way without my permission.
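An added example, not a script from Boris's mail: a variant of hup_natd that polls ifconfig(8) until isp0 has a non-zero inet address and then sends a single HUP to natd, instead of retrying on fixed sleeps. It assumes isdnd invokes regprog with the matched log line as its argument (so the top-level run is gated on `$#`), and that the pidfile path and the ifconfig output format are as shown in the comments; `IFACE`, `PIDFILE` and `MAXWAIT` are this example's own names.

```shell
#!/bin/sh
# Added example (not Boris's hup_natd): poll the interface instead of
# sleeping blindly. Assumption: isdnd runs regprog with the matched log
# line as argument; with no argument the script only defines functions.
IFACE=${IFACE:-isp0}
PIDFILE=${PIDFILE:-/var/run/natd.pid}
MAXWAIT=${MAXWAIT:-120}        # seconds to wait for PPP to assign an address

# Print the first non-zero inet address in ifconfig(8) output, e.g.
#   isp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
#           inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
# The dummy 0.0.0.0 set by isdn.bat does not count as an address.
iface_addr_from_output() {
    printf '%s\n' "$1" |
        awk '$1 == "inet" && $2 != "0.0.0.0" { print $2; exit }'
}

# Succeed once the interface has been given a real address by PPP.
iface_is_up() {
    [ -n "$(iface_addr_from_output "$(ifconfig "$IFACE" 2>/dev/null)")" ]
}

# Print the natd PID from the pidfile if that process is alive
# (kill -0 sends no signal, it only checks); fail otherwise.
natd_pid() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Wait for the address, then send exactly one HUP so natd re-reads it.
hup_natd_when_up() {
    waited=0
    while ! iface_is_up; do
        if [ "$waited" -ge "$MAXWAIT" ]; then
            echo "$IFACE got no address within ${MAXWAIT}s" >&2
            return 1
        fi
        sleep 2
        waited=$((waited + 2))
    done
    pid=$(natd_pid) || { echo "natd is not running" >&2; return 1; }
    kill -HUP "$pid" && echo "sent HUP to natd (pid $pid)"
}

# isdnd passes the matched log line as an argument; run only in that case.
if [ "$#" -gt 0 ]; then
    hup_natd_when_up
fi
```

Installed as /etc/isdn/hup_natd it replaces the fixed-sleep version under the same `regprog = hup_natd` line; the timeout makes a failed dial visible in isdnd's log instead of silently HUPing natd five times.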