From owner-freebsd-isp Wed Mar 28 01:34:50 2001
From: "Niekie Myburgh (QData)" <niekie@rcf.co.za>
To: freebsd-isp@freebsd.org
Subject: Dialin server and IPFW
Date: Wed, 28 Mar 2001 11:36:10 +0200

I'm busy setting up a dialin server on my network (like an ISP type setup) to allow selected users to dial in, and access mail, telnet to other Unix boxes, ftp to those boxes, etc. Problem is that this dialin box is sitting directly on my network, and I need to protect the network from possible hack attempts.

The dialin part works without problems (although my 56K modems only connect at 33.6 Kb, where on RedHat I got 52K on the same machine). The problem I have is this:

[Win95] -> [FreeBSD 4.2] -> [ipfw] -> [other network hosts]
10.0.0.2    10.0.0.1:172.27.xxx.xxx    172.27.xxx.xxx

Start the machine with firewall_enabled="YES" and firewall_type="OPEN", and all works well. Set firewall_type="CUSTOM", and the following happens:

The modem picks up (auto-answer on the modem)
The connection aborts (MS Win 95, in all its wisdom, tells me that the remote machine is not answering)

Am I blocking getty & ppp from answering as well (is this possible??)?

Any suggestions welcome.

Niekie Myburgh
Q-Data Consulting
South Africa

################################################################################
####### Firewall for Dialup!! ##################################################
################################################################################
[Cc][Uu][Ss][Tt][Oo][Mm])

##### External Interface - Local Network
oif="xl0"
onet="172.27.xxx.0"
omask="255.255.255.0"
oip="172.27.xxx.xxx"

##### Internal Interface - PPP
iif="tun0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

##### DNS Addresses
dns1="172.27.xxx.2"
dns2="172.27.xxx.8"
ntp1=""

#### Stop Spoofing
$fwcmd add 110 deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add 110 deny all from ${onet}:${omask} to any in via ${iif}

#### Stop Private Networks from crossing the Firewall
#$fwcmd add 120 deny log all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
#$fwcmd add 120 deny log all from 172.16.0.0:255.255.0.0 to any in recv ${oif}
#$fwcmd add 120 deny log all from 10.0.0.0:255.0.0.0 to any in recv ${oif}

#### Enable NAT
${fwcmd} add 50 divert natd all from any to any via ${natd_interface}

##### Allow any packet from inside (PPP) to go to outside (network) - NO! Disable.
##### We will customise this in the next section!
##### Admin machine access
$fwcmd add 130 pass tcp from 172.27.xxx.251 to 172.27.xxx.253
# Allow any IP packets to pass on the inside interface - NO!
$fwcmd add 140 pass all from any to any via ${iif}
## Allow established TCP from Outside (Network)
#$fwcmd add 150 pass tcp from any to ${iif} in recv ${oif} established

#### The fixed version:
#### Telnet
$fwcmd add 131 pass tcp from ${iif} to hpzn1 23 out xmit ${oif}
$fwcmd add 132 pass tcp from ${iif} to hpnr1 23 out xmit ${oif}
$fwcmd add 133 pass tcp from ${iif} to hpcs1 23 out xmit ${oif}
$fwcmd add 134 pass tcp from ${iif} to hpcs2 23 out xmit ${oif}
$fwcmd add 135 pass tcp from ${iif} to hpwc1 23 out xmit ${oif}
#### FTP
#$fwcmd add 141 pass tcp from ${iif} to hpnr1 21 out xmit ${oif}
#$fwcmd add 142 pass tcp from ${iif} to hpzn1 21 out xmit ${oif}
#$fwcmd add 143 pass tcp from ${iif} to hpcs1 21 out xmit ${oif}
#$fwcmd add 144 pass tcp from ${iif} to hpcs2 21 out xmit ${oif}
#$fwcmd add 145 pass tcp from ${iif} to hpwc1 21 out xmit ${oif}
#### MAIL
#$fwcmd add 151 pass tcp from ${iif} to ntzn2 25  out xmit ${oif}
#$fwcmd add 152 pass tcp from ${iif} to ntnr2 389 out xmit ${oif}
#$fwcmd add 153 pass tcp from ${iif} to ntnr2 110 out xmit ${oif}

#### Others
#$fwcmd add 200 pass tcp from any to ${oip} 25
#$fwcmd add 201 pass tcp from any to ${oip} 23
#$fwcmd add 300 pass log tcp from ${inet} to ${oip} 23 in recv ${oif} setup
#$fwcmd add 301 pass log tcp from ${onet} to ${oip} 23 in recv ${oif} setup
#$fwcmd add 350 pass tcp from any to ${oip} 80,443

##### DNS
$fwcmd add 410 pass udp from ${dns1} 53 to any 1024-65535 in recv ${oif}
$fwcmd add 420 pass udp from ${dns2} 53 to any 1024-65535 in recv ${oif}
$fwcmd add 430 pass tcp from any 53 to ${inet}:${imask}
$fwcmd add 430 pass udp from any 53 to ${inet}:${imask}

##### ICMP
$fwcmd add 1000 pass icmp from any to any via ${iif}
$fwcmd add 1000 pass icmp from any to any via ${oif}
$fwcmd add 1010 pass icmp from any to any in recv ${oif} icmptypes 0
$fwcmd add 1010 pass icmp from any to any out xmit ${oif} icmptypes 8

##### Traceroute
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 3
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 11

##### Block the rest
$fwcmd add 65532 deny udp from any to any
$fwcmd add 65533 deny icmp from any to any
$fwcmd add 65534 deny log ip from any to any
;;
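ipfw evaluates a ruleset first-match in rule-number order, and a packet that is routed through the box is checked twice (once inbound on the receiving interface, once outbound on the transmitting one), so the useful question about the ruleset above is which rule actually decides for a given packet. The evaluator below is an added example written for this archive page; it is not part of the original mail and not FreeBSD's ipfw code. It models the subset of ipfw(8) syntax the script uses (pass/deny, from/to with ports, in/out, via/recv/xmit) and leaves out the divert rule and the established/setup/icmptypes options. Assumptions, labelled in the code as well: the masked "xxx" octet is 1, hpzn1 is 172.27.1.21, and, because ipfw's from/to fields take addresses or hostnames rather than interface names, the script's "from ${iif}" is read as the PPP network ${inet}:${imask}. Note also what this evaluator, like ipfw itself, cannot see: the modem answering and PPP's own LCP/IPCP negotiation happen on the serial line before any IP packet exists on tun0.

```python
"""Added example: first-match evaluator for the ipfw(8) rule subset used in the
posted rc.firewall fragment. Not FreeBSD code; addresses and packets are constructed."""
import ipaddress
import re

# Shell variables from the posted script; the masked "xxx" octet is assumed to be 1.
VARS = {"oif": "xl0", "onet": "172.27.1.0", "omask": "255.255.255.0", "iif": "tun0",
        "inet": "10.0.0.0", "imask": "255.255.255.0", "dns1": "172.27.1.2"}
# Hostname from the post with an assumed address (real ipfw resolves it itself).
HOSTS = {"hpzn1": "172.27.1.21"}
# Active pass/deny rules from the post, in script order. ipfw's from/to fields take
# addresses or hostnames, not interface names, so "from ${iif}" becomes ${inet}:${imask}.
RULES_TEXT = """
$fwcmd add 110 deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add 110 deny all from ${onet}:${omask} to any in via ${iif}
$fwcmd add 140 pass all from any to any via ${iif}
$fwcmd add 131 pass tcp from ${inet}:${imask} to hpzn1 23 out xmit ${oif}
$fwcmd add 410 pass udp from ${dns1} 53 to any 1024-65535 in recv ${oif}
$fwcmd add 430 pass udp from any 53 to ${inet}:${imask}
$fwcmd add 65532 deny udp from any to any
$fwcmd add 65533 deny icmp from any to any
$fwcmd add 65534 deny log ip from any to any
"""
RULE_RE = re.compile(r"add (\d+) (pass|deny)(?: log)? (\w+) from (\S+)(?: ([\d,-]+))?"
                     r" to (\S+)(?: ([\d,-]+))?(.*)$")

def parse_addr(spec):
    """'any' -> None; hostname, a.b.c.d or a.b.c.d:mask -> IPv4Network."""
    if spec == "any":
        return None
    spec = HOSTS.get(spec, spec)
    if ":" in spec:
        return ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return ipaddress.ip_network(spec + "/32")

def parse_ports(spec):
    """'23', '80,443' or '1024-65535' -> set of ports; None when absent."""
    if spec is None:
        return None
    return {p for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        line = re.sub(r"\$\{(\w+)\}", lambda m: VARS[m.group(1)], line)
        m = RULE_RE.search(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        num, action, proto, src, sport, dst, dport, rest = m.groups()
        rule = {"number": int(num), "action": action, "proto": proto,
                "src": parse_addr(src), "sport": parse_ports(sport),
                "dst": parse_addr(dst), "dport": parse_ports(dport),
                "dir": None, "via": None, "recv": None, "xmit": None}
        tokens = rest.split()
        while tokens:
            tok = tokens.pop(0)
            if tok in ("in", "out"):
                rule["dir"] = tok
            elif tok in ("via", "recv", "xmit"):
                rule[tok] = tokens.pop(0)
        rules.append(rule)
    # ipfw evaluates by rule number; rules sharing a number keep insertion order.
    return sorted(rules, key=lambda r: r["number"])

def matches(rule, pkt):
    """ipfw semantics: 'via' tests either interface, 'recv'/'xmit' only one side."""
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    for port in ("sport", "dport"):
        if rule[port] is not None and pkt[port] not in rule[port]:
            return False
    seen = {"via": (pkt["recv"], pkt["xmit"]), "recv": (pkt["recv"],), "xmit": (pkt["xmit"],)}
    return all(rule[k] is None or rule[k] in seen[k] for k in seen)

def evaluate(rules, pkt):
    """(number, action) of the first matching rule; 65535 is the kernel's default
    rule, which denies unless the kernel was built to accept by default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["number"], rule["action"]
    return 65535, "deny"

def forward(rules, proto, src, sport, dst, dport, recv, xmit):
    """A routed packet is filtered twice: inbound on recv, then outbound on xmit.
    Returns both verdicts; the second is None when the inbound pass already denied."""
    base = {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    inbound = evaluate(rules, dict(base, dir="in", recv=recv, xmit=None))
    if inbound[1] == "deny":
        return inbound, None
    return inbound, evaluate(rules, dict(base, dir="out", recv=recv, xmit=xmit))

RULES = parse_rules(RULES_TEXT)
```

Running forward(RULES, "tcp", "10.0.0.2", 1100, "172.27.1.99", 23, "tun0", "xl0") for a dial-in client telnetting to a host that is not in the telnet list gives (140, pass) on both passes: because "via tun0" also matches the receive interface of an outbound packet, rule 140 decides for every packet that entered on tun0, and the per-host rules 131-135 and the "Block the rest" rules never get a say for dial-in traffic. A 10.0.0.x source arriving on xl0 is stopped by rule 110, and a LAN host opening a TCP connection towards a dial-in client reaches rule 65534 on the inbound pass and is denied there.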
