Date: Wed, 14 Aug 2002 08:13:43 -0400
From: Jim Arnold <jarnold@knightridder.com>
To: freebsd-questions@freebsd.org
Subject: IPfilter configuration problem using
Message-ID: <a05111b2eb97fa06beb99@[192.168.0.4]>
After some reading I decided to go with IPFilter and followed the directions at http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html, except I left out the part about adding Tripwire and some of the stuff at the end involving the fstab. Surprisingly it *seemed* to work the first time I booted up the box, but everything was really, really slow. Most things just timed out.

I've tried the obvious, switching the "inside" and "outside" cards. In either configuration I can do anything from the firewall box but can't get things to work from inside the LAN. This tells me that something is not configured correctly, but I can't seem to figure out what it is. It's probably right in front of me...

The only deviation from the website was changing the IP from 192.168.1.1 to 192.168.0.1. The ipnat.rules on the tutorial uses 192.168.1.0/24 -> 0/32 and I used 192.168.0.0/24 -> 0/32. I want to use the 192.168.0.X numbers since my boxes are already configured with these numbers. I did try to configure everything using 192.168.1.1 on the firewall, 192.168.1.X on the LAN computers and 192.168.1.0/24 -> 0/32 in the ipnat.rules file, but I still had the same problems.

Below are all the relevant config files I can think of to troubleshoot this problem. Thanks for any suggestions.

Jim

===========

In kernel config file I have these...

options IPFILTER
options IPFILTER_LOG

lorne# uname -a
FreeBSD lorne 4.6-STABLE FreeBSD 4.6-STABLE #0: Tue Aug 13 01:10:05 EDT 2002 root@lorne:/usr/obj/usr/src/sys/LORNE i386

rc.conf....

gateway_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="YES"
sshd_flags="-4"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_sis0="DHCP"
ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"
network_interfaces="sis0 dc0 lo0"
hostname="lorne"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
update_motd="NO"
icmp_drop_redirects="YES"

lorne# ipf -V
ipf: IP Filter: v3.4.27 (336)
Kernel: IP Filter: v3.4.27
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

ipnat.rules...

map sis0 192.168.0.0/24 -> 0/32

ipf.rules ...

#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on sis0 proto tcp from any to any keep state
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto icmp from any to any keep state
block out quick on sis0 all

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on sis0 proto udp from 65.24.1.41/32 to any port = 68 keep state

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on sis0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on sis0 proto udp from any to any
block in log quick on sis0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
block out quick on dc0 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on dc0 proto tcp from any to any keep state
pass in quick on dc0 proto udp from any to any keep state
pass in quick on dc0 proto icmp from any to any keep state
block in quick on dc0 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

ifconfig -a

sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 25.97.167.13 netmask 0xffffff00 broadcast 255.255.255.255
        atalk 65280.25 range 65280-65534 phase 2 broadcast 0.255
        ether 00:40:f4:53:a1:17
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:04:5a:42:03:32
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        atalk 0.0 range 0-0 phase 2

/etc/hosts

127.0.0.1 localhost
192.168.0.1 lorne
192.168.0.1 lorne.

/etc/sysctl.conf...

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
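One way to sanity-check the three files the post relies on against each other, as an added example that is not part of the original message: it parses the rc.conf, ipnat.rules and ipf.rules excerpts quoted above (copied inline here) and reports whether the NAT map sits on the outside interface, whether its source network matches the subnet configured on the inside interface, whether forwarding is enabled, and whether LAN traffic is passed in. The interface names `sis0`/`dc0` are taken from the post; the check is a consistency test only and cannot see DNS, routing or MTU problems on the LAN hosts.

```python
import ipaddress
import re

# Excerpts copied from the post; only the keys the check needs are kept.
RC_CONF = """gateway_enable="YES"
ifconfig_sis0="DHCP"
ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipnat_enable="YES"
"""
IPNAT_RULES = "map sis0 192.168.0.0/24 -> 0/32\n"
IPF_RULES = """pass out quick on sis0 proto tcp from any to any keep state
pass in quick on dc0 proto tcp from any to any keep state
block in quick on dc0 all
"""

def parse_rc(text):
    """rc.conf is a list of key="value" lines; return them as a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def inside_network(rc, iface):
    """Derive the /24 on the inside card from its ifconfig_<iface> line."""
    m = re.match(r'inet (\S+) netmask (\S+)', rc.get(f"ifconfig_{iface}", ""))
    if not m:
        return None
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network

def parse_ipnat(text):
    """Return (interface, source network, target) for each 'map' rule."""
    return [(m.group(1), ipaddress.IPv4Network(m.group(2)), m.group(3))
            for m in re.finditer(r'^map (\S+) (\S+) -> (\S+)', text, re.M)]

def check(rc_text, ipnat_text, ipf_text, outside="sis0", inside="dc0"):
    """Return a list of inconsistencies; an empty list means the files agree."""
    rc = parse_rc(rc_text)
    problems = []
    if rc.get("gateway_enable") != "YES":
        problems.append("gateway_enable is not YES; the box will not forward")
    lan = inside_network(rc, inside)
    for iface, net, _ in parse_ipnat(ipnat_text):
        if iface != outside:
            problems.append(f"map rule is on {iface}, not outside interface {outside}")
        if lan is not None and net != lan:
            problems.append(f"map network {net} does not match {inside} subnet {lan}")
    if not re.search(rf'^pass in quick on {inside} ', ipf_text, re.M):
        problems.append(f"no 'pass in' rule on {inside}; LAN traffic is blocked")
    return problems

if __name__ == "__main__":
    print(check(RC_CONF, IPNAT_RULES, IPF_RULES) or "configs are consistent")
```

Run against the posted excerpts it reports no mismatch, which is consistent with the poster's observation that the 192.168.0 change was applied everywhere; the same check run with the tutorial's original `192.168.1.0/24` map and the `192.168.0.1` inside address flags the subnet mismatch.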