From: Garrett Cooper <youshi10@u.washington.edu>
To: freebsd-questions@freebsd.org
Date: Fri, 29 Sep 2006 01:28:46 -0700
Subject: Issues with configuring IPFW for NAT setup
Message-ID: <451CD93E.70603@u.washington.edu>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
I'm trying to configure a lightweight router/gateway just to block bad SMTP requests; many virii/spyware apps on Windoze boxes on my network have forced our ISP to almost shut us down more than once now because people don't know how to manage their machines =\.

The problem with my config is that all that's going through the NAT machine are ICMP packets (?!). Weird.. Anyhow, here's the ipfw configuration so far:

#!/bin/sh
# comment the line below and uncomment the line following that if you just want to test the rule output
cmd_flags="-f"
#cmd_flags="-n"
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"
ks="keep-state"

# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"

prif="fxp0"
puif="xl0"

# trusted subnet
tsu="192.168.1.0/24"
# untrusted subnet
usu="192.168.0.0/24"

# IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
bad_ports="81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080"
# See /root/ports.html for a short list with explanations
virus_ports="1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898"

$cmd -f flush

$cmd_a 001 $aafat any via lo*
$cmd_a 050 divert natd ip from any to me in via $puif	# Properly direct all incoming NAT redirects

$cmd_a 081 $daf 172.16.0.0/12 to any		# reserved IPs
$cmd_a 082 $daf 10.0.0.0/8 to any		# reserved IPs
$cmd_a 083 $daf 127.0.0.0/8 to any		# loopback
$cmd_a 084 $daf 0.0.0.0/8 to any		# broadcast
$cmd_a 085 $daf 169.254.0.0/16 to any		# auto-DHCP
$cmd_a 086 deny tcp from 224.0.0.0/3 to any	# deny multicast TCP support

# private subnet firewall rules -- allow incoming SSH, HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22, 68-69, 80, 443 via $prif

# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22, 68-69, 80, 443 via $puif

# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast, and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat smtp.washington.edu 25 out via $puif
$cmd_a 201 $aafat smtp.comcast.net 25 out via $puif
$cmd_a 202 $aafat smtp.earthlink.net 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif

$cmd_a 400 $dafat any $bad_ports, $virus_ports via $puif

# deny any TCP traffic trying to be forwarded on ports 10000-65535. Don't block UDP since MSN and other services like to randomly allocate ports in this range for UDP use.
$cmd_a 401 deny tcp $fata 10000-65535

$cmd_a 600 divert natd all from $tsu to any out via $puif	# For outbound NAT translation
$cmd_a 605 deny all from $usu to not me via $prif

$cmd_a 611 allow all $fata

Some additional helpful information:

FreeBSD router:

su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: Wed Sep 27 00:17:54 PDT 2006     root@hummer.localdomain:/usr/obj/usr/src/sys/HUMMER  i386
su-2.05b# sysctl -n net.inet.ip.forwarding
1

Another interesting thing is that it appears that I've totally screwed up my TCP configuration or something (or firewalled a bunch of ports), so my machine cannot access the outside world (even from localhost). The only thing that appears to be working is DNS resolving.. =\.

My routing tables:

su-2.05b# netstat -r -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
192.168.0.1        00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
192.168.1.224      00:11:24:2f:15:bc  UHLW        1       51   fxp0    306

My static routes in /etc/rc.conf:

#..snip..
#Route defs
static_routes="router tsu usu"
#static_routes="usu"
route_router="-net 0.0.0.0 192.168.0.1"
route_usu="-net 192.168.0.0/24 192.168.0.1"
route_tsu="-net 192.168.1.0/24 192.168.1.1"
#..end snip..

Ping example of DNS resolving working:

su-2.05b# ping -c 3 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=246 time=84.443 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms
su-2.05b#

IPFIREWALL sections of kernel config:

su-2.05b# grep IPFIREWALL /root/HUMMER
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT

Anyone have an idea of what I'm doing wrong in this case?

Thanks!
-Garrett
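As an added illustration (not part of Garrett's message and not ipfw's own code), the small Python model below replays ipfw's first-match rule evaluation over a constructed outbound web connection. It shows why a destination-port deny such as rule 401 above, written "from any to any" with no direction or TCP-flag qualifier, hits the server's reply to the client's ephemeral port (the only return traffic that survives such a ruleset is ICMP and UDP, exactly the symptom described). The second rule set uses ipfw's "setup" keyword (matches TCP packets with SYN set and ACK clear), which is one common idiom for limiting such a rule to new inbound connection attempts; it is offered here as an assumed alternative, not as the poster's fix. The addresses, ports and packets are constructed for the example, and the model deliberately ignores natd translation, "via" interface matching and the "me" keyword.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRanges = Tuple[Tuple[int, int], ...]


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out", relative to the router
    syn: bool = False     # TCP flags; ignored for non-TCP packets
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches every protocol (ipfw "all"/"ip")
    src: str = "any"                 # CIDR network or "any"
    dst: str = "any"
    dports: PortRanges = ()          # destination port ranges; () means any port
    direction: Optional[str] = None  # None, "in" or "out"
    setup: bool = False              # ipfw "setup": TCP with SYN set and ACK clear


def parse_ports(spec: str) -> PortRanges:
    """Turn an ipfw-style port list such as "81, 113, 137-139" into (lo, hi) pairs."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if item:
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if not addr_match(rule.src, pkt.src) or not addr_match(rule.dst, pkt.dst):
        return False
    if rule.dports and not any(lo <= pkt.dport <= hi for lo, hi in rule.dports):
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[int, str]:
    """First matching rule wins; 65535 stands in for the kernel's default rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, default


HIGH = parse_ports("10000-65535")

# Rule 401 as posted: every TCP packet to a high destination port is dropped,
# which includes a server's reply to the client's ephemeral source port.
POSTED = [Rule(401, "deny", "tcp", dports=HIGH), Rule(611, "allow")]

# Assumed alternative: the same deny limited to inbound connection attempts
# ("setup"), so established flows and their replies pass through to rule 611.
SETUP_ONLY = [Rule(401, "deny", "tcp", dports=HIGH, direction="in", setup=True),
              Rule(611, "allow")]

# Constructed traffic: a LAN host opens a web connection, the server answers,
# and an unrelated host tries to open a connection to a high port.
CLIENT_SYN = Packet("tcp", "192.168.1.10", 51234, "64.233.187.99", 80, "out", syn=True)
SERVER_SYNACK = Packet("tcp", "64.233.187.99", 80, "192.168.1.10", 51234, "in", syn=True, ack=True)
UNSOLICITED = Packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 12345, "in", syn=True)


def verdicts(rules: List[Rule]) -> dict:
    flows = [("client_syn", CLIENT_SYN), ("server_synack", SERVER_SYNACK),
             ("unsolicited_syn", UNSOLICITED)]
    return {name: evaluate(rules, pkt) for name, pkt in flows}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("setup-only", SETUP_ONLY)):
        print(label, verdicts(rules))
```

With the posted ordering the client's SYN is allowed by rule 611, but the SYN/ACK coming back is denied by rule 401, so no TCP connection ever completes; with the "setup" qualifier only the unsolicited inbound SYN is denied. The same check applies to rule 400, whose port lists also cover ephemeral ports.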