Date:      Wed, 28 Apr 1999 17:21:32 -0700
From:      Christoff Snijders <hjcs@home.com>
To:        freebsd-questions@FreeBSD.org
Subject:   ipfw rules
Message-ID:  <3727A604.55A107A@home.com>

Hi, all

Apologies in advance for the long posting. This message is a copy of
part of one I posted to comp.unix.bsd.freebsd.misc. I was searching
through the archives for this mailing list, and found several posts
about ipfw, but no information that helped me fix my problem, so I
thought I'd post to this mailing list, too.

I'm very new to this whole ipfw thing and have limited knowledge of
TCP/IP.  I've searched through the man pages, the handbook, the FAQ, and
dejanews, but I haven't found the answers to my problem (or, not in a
way I could understand, anyway).  I need some help with the ipfw rules.

I have a very simple setup:  one FreeBSD 2.2.5-RELEASE box with two
Ethernet cards in it.  One card is connected to a cable modem with a
static IP address, the other is connected to a hub, which is in turn
connected to several computers on an internal network.

If I remove all the ipfw rules and allow access from anything to
anything, with traffic diverted through natd on port 6668, all the
machines on the network can access the net, but the firewall is useless
(non-existent).

If I use the standard, simple rules in rc.firewall, the console user can
access the Internet, but none of the users on the internal network can.

I've printed the whole rule set I'm using below. I seem to be
getting the message "natd: failed to write packet back (Permission
denied)" every time one of the hosts on the internal network tries to
access the net. Am I right that the reason for this is that natd can
send packets out through ed2 (the Ethernet card connected to the cable
modem), but natd is somehow being prevented from sending packets back?
Which of my rules should I change (and, if you could tell me how, I'd be
grateful), or what rule should I add to prevent this problem?

Thanks so much in advance for any help you can provide.
Christoff Snijders.


    # set these to your outside interface network and netmask and ip
    oif="ed2"
    onet="123.456.789.1"
    omask="255.255.252.0"
    oip="123.456.678.22"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.2.0"
    imask="255.255.255.0"
    iip="192.168.2.1"

    # divert traffic to natd (I added this)
    /sbin/ipfw add divert natd all from any to any via ed2

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.
