From: "Brian Davis"
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: "simple" ipfw question
Date: Wed, 22 Jan 2003 13:19:30 -0600

> > Greetings,
> >
> > I am attempting to build a dual-homed firewall using FreeBSD 4.7
> > RELEASE. The PC is presently connected to a corporate LAN with DHCP and
> > DNS servers and a broadband connection to the Internet.
> >
> > The outside interface (rl0) is configured as follows:
> > IP address: a.b.148.62 (dynamically assigned)
> > Subnet: 255.255.248.0
> > Gateway: a.b.144.254
> > DNS: a.b.144.1
> >
> > The inside interface (rl1) is configured as follows:
> > IP address: 192.168.1.1
> > Subnet: 255.255.255.0
> >
> > My private network consists of one workstation which is set up as
> > follows:
> > IP address: 192.168.1.2
> > Subnet: 255.255.255.0
> > Gateway: 192.168.168.1
> > DNS: a.b.144.1
> >
> > When I use the "open" ruleset in /etc/rc.firewall, the workstation on my
> > private network can get through the firewall to the LAN and the
> > Internet. When I switch to the "simple" ruleset, the firewall stops
> > forwarding packets. From the console, I can ping the outside and inside
> > interfaces, but nothing else. Everything looks normal in dmesg.
> > Additional info upon request!
>
> Did you tweak the /etc/rc.firewall script to insert your IP address ranges
> into it? (look for the "simple" section of the script and tweak the iif,
> iip, oif, oip, etc ... values)
> If that doesn't help, try posting the output of 'ipfw show' to the list.
> It'll make it a lot easier for folks to diagnose.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

Hope this helps:

/etc/rc.firewall: [simple section]

oif="rl0"
onet="a.b.144.0"
omask="255.255.248.0"
oip="a.b.148.62"
iif="rl1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

/etc/rc.conf:

gateway_enable="YES"
hostname="(hostname.domain)"
ifconfig_rl0="DHCP"
kern_securelevel="2"
kern_securelevel_enable="YES"
moused_enable="YES"
nfs_server_enable="NO"
saver="green"
sendmail_enable="NO"
sshd_enable="NO"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="rl0"
defaultrouter="a.b.144.254"
natd_flags="-dynamic"

Compiled kernel with these options:

options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

ipfw show:

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/0
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 192.168.1.0/24 to any in recv rl0
00500 0 0 deny ip from a.b.144.0/21 to any in recv rl1
00600 0 0 deny ip from any to 10.0.0.0/8 via rl0
00700 0 0 deny ip from any to 172.16.0.0/12 via rl0
00800 0 0 deny ip from any to 192.168.0.0/16 via rl0
00900 0 0 deny ip from any to 0.0.0.0/8 via rl0
01000 0 0 deny ip from any to 169.254.0.0/16 via rl0
01100 0 0 deny ip from any to 192.0.2.0/24 via rl0
01200 0 0 deny ip from any to 224.0.0.0/4 via rl0
01300 9 773 deny ip from any to 240.0.0.0/24 via rl0
01400 73 9535 divert 8668 ip from any to any via rl0
01500 0 0 deny ip from 10.0.0.0/8 to any via rl0
01600 0 0 deny ip from 172.16.0.0/12 to any via rl0
01700 0 0 deny ip from 192.168.0.0/16 to any via rl0
01800 0 0 deny ip 0.0.0.0/8 to any via rl0
01900 0 0 169.254.0.0/16 to any via rl0
02000 0 0 deny ip from 192.0.2.0/24 to any via rl0
02100 0 0 deny ip from 224.0.0.0/4 to any via rl0
02200 0 0 deny ip from 240.0.0.0/4 to any via rl0
02300 0 0 allow tcp from any to any established
02400 0 0 allow ip from any to any frag
02500 0 0 allow tcp from any to a.b.148.62 25 setup
02600 0 0 allow tcp from any to a.b.148.62 53 setup
02700 0 0 allow udp from any to a.b.148.62 53
02800 0 0 allow udp from a.b.148.62 53 to any
02900 0 0 allow tcp from any to a.b.148.62 80 setup
03000 0 0 deny log logamount 10 tcp from any to any in recv rl0 setup
03100 0 0 allow tcp from any to any setup
03200 26 1912 allow udp from a.b.148.62 to any 53 keep-state
03300 0 0 allow udp from a.b.148.62 to any 123 keep-state
65535 58 9215 deny ip from any to any

The counts for rules 1300, 1400, 3200 and 65535 keep incrementing. All
other rules are goose eggs.

BTW, I run 'ifconfig rl0' occasionally to make sure my dynamic IP address
has not changed.
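As an added check on the ruleset posted above (example code written for this thread, not part of it and not FreeBSD's own), the following first-match model replays a subset of the posted rules against constructed packets and reports which rule catches each one. It assumes 198.18.148.62 as a placeholder for a.b.148.62 and 198.18.144.1 for the a.b.144.1 DNS server, drops the log options, and does not model natd rewriting or keep-state dynamic rules, so a divert match is reported rather than followed.

```python
import ipaddress, re

# Subset of the posted 'simple' ruleset, counters and log options dropped.
# Placeholder: a.b.148.62 (the firewall's outside address) is written 198.18.148.62.
RULES = """
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0/24 to any in recv rl0
01400 divert ip from any to any via rl0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02700 allow udp from any to 198.18.148.62 53
03000 deny tcp from any to any in recv rl0 setup
03100 allow tcp from any to any setup
03200 allow udp from 198.18.148.62 to any 53 keep-state
65535 deny ip from any to any
""".strip().splitlines()
RULE_RE = re.compile(r"(\d+) (\w+) (\w+) from (\S+) to (\S+)(?: (\d+))?(.*)")

def parse(line):
    """Rule line -> dict; 'via'/'recv' carry an interface name, other options are flags."""
    num, action, proto, src, dst, dport, rest = RULE_RE.match(line).groups()
    toks = rest.split()
    opts = {k: (toks[i + 1] if k in ("via", "recv") else True)
            for i, k in enumerate(toks) if i == 0 or toks[i - 1] not in ("via", "recv")}
    return dict(num=int(num), action=action, proto=proto, src=src, dst=dst,
                dport=int(dport) if dport else None, opts=opts)

RULESET = [parse(l) for l in RULES]
in_net = lambda net, addr: net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, p):
    """One-pass match: no dynamic state; 'recv X' is modelled as inbound on X."""
    o = r["opts"]
    return (r["proto"] in ("ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["dport"] in (None, p["dport"])
            and ("in" not in o or p["dir"] == "in")
            and ("via" not in o or o["via"] == p["iface"])
            and ("recv" not in o or (p["dir"] == "in" and o["recv"] == p["iface"]))
            and all(f in p["flags"] for f in ("setup", "established", "frag") if f in o))

def first_match(p, start=0):
    """(number, action) of the first matching rule numbered >= start: ipfw's linear scan."""
    return next((r["num"], r["action"]) for r in RULESET if r["num"] >= start and matches(r, p))

# Constructed packets. The workstation's DNS query reaches ipfw on rl1 with its private source
# intact (natd only runs on rl0), so 3200 cannot match: first_match(WS_DNS) -> (65535, 'deny'),
# first_match(WS_SYN) -> (3100, 'allow'); an outside SYN is diverted at 1400, then denied by 3000.
WS_DNS = dict(proto="udp", src="192.168.1.2", dst="198.18.144.1", dir="in", iface="rl1", dport=53, flags=set())
WS_SYN = dict(proto="tcp", src="192.168.1.2", dst="198.18.144.1", dir="in", iface="rl1", dport=80, flags={"setup"})
EXT_SYN = dict(proto="tcp", src="198.18.150.9", dst="198.18.148.62", dir="in", iface="rl0", dport=22, flags={"setup"})
```

Calling first_match(EXT_SYN, start=1500) mimics the packet being handed back by natd after the divert and re-evaluated from the next rule.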