Date:      Wed, 19 Jul 2000 13:07:12 -0700
From:      Kent Stewart <kstewart@urx.com>
To:        thursday@altavista.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd/ipfw problems
Message-ID:  <39760A70.B338C9C9@urx.com>
References:  <0007191600438Z.22034@weba4.iname.net>



thursday@altavista.net wrote:
> 
> Hi,
> 
> I'm running FreeBSD 3.4-RELEASE, and I have my internal network {Win95, FreeBSD} connected to the outside world via a FreeBSD box & sdsl.
> 
> I'm using nat, and all works fine except when I want to have firewall rules in place (i.e., firewall_type="simple").
> 
> When I have firewall_type="simple", natd doesn't work at all, and I have to do:
> 
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via rl0
> /sbin/ipfw add pass all from any to any
> 
> to get natd to work at all.

That has also been my experience. I don't know why the example
rc.firewall is broken, but for my system it was useless. Try the
dual-homed code on http://www.mostgraveconcern.com/freebsd/. It is a much
better starting point.

Kent

> 
> Basically, I want the firewall to only allow access to the following services (from the outside)
> 
> httpd, sendmail, ssh, ftp, and for natd to work.
> 
> Here's the relevant part of rc.conf:
> natd_enable="YES"
> natd_interface="rl0"
> firewall_enable="YES"
> firewall_type="simple"
> 
> 
> and rc.local:
> # natd
> /sbin/natd -l -interface rl0
> 
> and here's rc.firewall (I changed the oips to something other than my own):
> 
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via rl0
> /sbin/ipfw add pass all from any to any
> 
> ############
> # Setup system for firewall service.
> # $FreeBSD: src/etc/rc.firewall,v 1.19.2.2 1999/08/29 14:18:55 peter Exp $
> 
> # Suck in the configuration variables.
> if [ -f /etc/defaults/rc.conf ]; then
>  . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
>  . /etc/rc.conf
> fi
> 
> ############
> # Define the firewall type in /etc/rc.conf.  Valid values are:
> #   open     - will allow anyone in
> #   client   - will try to protect just this machine
> #   simple   - will try to protect a whole network
> #   closed   - totally disables IP services except via lo0 interface
> #   Unknown  - disables the loading of firewall rules.
> #   filename - will load the rules in the given filename (full path required)
> #
> # For ``client'' and ``simple'' the entries below should be customized
> # appropriately.
> 
> ############
> #
> # If you don't know enough about packet filtering, we suggest that you
> # take time to read this book:
> #
> #        Building Internet Firewalls
> #        Brent Chapman and Elizabeth Zwicky
> #
> #        O'Reilly & Associates, Inc
> #        ISBN 1-56592-124-0
> #        http://www.ora.com/
> #
> # For a more advanced treatment of Internet Security read:
> #
> #        Firewalls & Internet Security
> #        Repelling the wily hacker
> #        William R. Cheswick, Steven M. Bellowin
> #
> #        Addison-Wesley
> #        ISBN 0-201-6337-4
> #        http://www.awl.com/
> #
> 
> if [ "x$1" != "x" ]; then
>  firewall_type=$1
> fi
> 
> ############
> # Set quiet mode if requested
> if [ "x$firewall_quiet" = "xYES" ]; then
>  fwcmd="/sbin/ipfw -q"
> else
>  fwcmd="/sbin/ipfw"
> fi
> 
> ############
> # Flush out the list before we begin.
> $fwcmd -f flush
> 
> ############
> # These rules are required for using natd.  All packets are passed to
> # natd before they encounter your remaining rules.  The firewall rules
> # will then be run again on each packet after translation by natd,
> # minus any divert rules (see natd(8)).
> if [ "X${natd_enable}" = X"YES" ]; then
> $fwcmd add divert natd all from any to any via ${natd_interface}
> fi
> 
> ############
> # If you just configured ipfw in the kernel as a tool to solve network
> # problems or you just want to disallow some particular kinds of traffic
> # then you will want to change the default policy to open.  You can also
> # do this as your only action by setting the firewall_type to ``open''.
> 
> # $fwcmd add 65000 pass all from any to any
> 
> ############
> # Only in rare cases do you want to change these rules
> $fwcmd add 100 pass all from any to any via lo0
> $fwcmd add 200 deny all from any to 127.0.0.0/8
> 
> # Prototype setups.
> if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
> 
>  $fwcmd add 65000 pass all from any to any
> 
> elif [ "${firewall_type}" = "client" ]; then
> 
> ############
> # This is a prototype setup that will protect your system somewhat against
> # people from outside your own network.
> ############
> 
> # set these to your network and netmask and ip
> net="192.168.1.0"
> mask="255.255.255.0"
> ip="192.168.1.1"
> 
> # Allow any traffic to or from my own net.
> $fwcmd add pass all from ${ip} to ${net}:${mask}
> $fwcmd add pass all from ${net}:${mask} to ${ip}
> 
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
> 
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${ip} 25 setup
> 
> # Allow setup of outgoing TCP connections only
> $fwcmd add pass tcp from ${ip} to any setup
> 
> # Disallow setup of all other TCP connections
> $fwcmd add deny tcp from any to any setup
> 
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${ip}
> $fwcmd add pass udp from ${ip} to any 53
> 
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${ip}
> $fwcmd add pass udp from ${ip} to any 123
> 
> # Everything else is denied as default.
> 
> # for natd
> /sbin/ipfw add divert natd all from any to any via rl0
> elif [ "${firewall_type}" = "simple" ]; then
> 
> ############
> # This is a prototype setup for a simple firewall.  Configure this machine
> # as a named server and ntp server, and point all the machines on the inside
> # at this machine for those services.
> ############
> 
> # set these to your outside interface network and netmask and ip
> oif="rl0"
> onet="214.17.182.0"
> omask="255.255.255.0"
> oip="214.17.182.103"
> 
> # set these to your inside interface network and netmask and ip
> iif="pn0"
> inet="192.168.1.0"
> imask="255.255.255.0"
> iip="192.168.1.1"
> 
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
> # allow all local traffic
> $fwcmd add allow all from ${inet}:${imask} to ${inet}:${imask}
> 
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
> 
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${oip} 25 setup
> 
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
> 
> # Allow access to our WWW
> $fwcmd add pass tcp from any to ${oip} 80 setup
> 
> # Allow access to ssh
> $fwcmd add pass tcp from any to ${oip} 22 setup
> 
> # Allow access to ftp
> $fwcmd add pass tcp from any to ${oip} 21 setup
> 
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
> 
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
> 
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> 
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
> 
> # Everything else is denied as default.
> 
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
>  $fwcmd ${firewall_type}
> fi
> 
> # /sbin/ipfw -f flush
> # /sbin/ipfw add divert natd all from any to any via rl0
> # /sbin/ipfw add pass all from any to any
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
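An added walk-through, not part of this thread or of FreeBSD's rc.firewall: a first-match simulation of the quoted "simple" rule set, using the interface names and addresses from the post plus a constructed inside host and outside server, traces one TCP connection from the inside network. With the rules in the posted order the reply packet, after natd rewrites its destination back to 192.168.1.x, matches the "Stop RFC1918 nets" deny rule that comes after the divert rule; the second ordering splits the two RFC1918 checks around the divert, which is how later rc.firewall releases arrange them. The natd model is a one-flow approximation and the `matches`/`run`/`trace_web_session` helpers are mine, not ipfw's.

```python
import ipaddress

# Interface names/addresses from the quoted rc.firewall; outside server and inside host are constructed.
OIF, IIF, OIP, INET = "rl0", "pn0", "214.17.182.103", ipaddress.ip_network("192.168.1.0/24")
ANY, RFC1918 = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.168.0.0/16")

# Subset of the quoted "simple" rules, in the order the script adds them.
# Rule = (action, proto, src net, dst net, interface, direction, tcp flag).
DIVERT = ("divert", "all", ANY, ANY, OIF, None, None)       # added first, before everything else
SPOOF = ("deny", "all", INET, ANY, OIF, "in", None)         # "Stop spoofing"
FROM_1918 = ("deny", "all", RFC1918, ANY, OIF, None, None)  # "Stop RFC1918 nets" (source side)
TO_1918 = ("deny", "all", ANY, RFC1918, OIF, None, None)    # "Stop RFC1918 nets" (destination side)
TCP_RULES = [("pass", "tcp", ANY, ANY, None, None, "established"),
             ("deny", "tcp", ANY, ANY, OIF, "in", "setup"),   # "Reject&Log ... from the outside"
             ("pass", "tcp", ANY, ANY, None, None, "setup")]  # "Allow setup of any other TCP"
AS_POSTED = [DIVERT, SPOOF, FROM_1918, TO_1918] + TCP_RULES
# Order used by later rc.firewall releases: check the destination before natd rewrites it, the source after.
REORDERED = [SPOOF, TO_1918, DIVERT, FROM_1918] + TCP_RULES

def matches(rule, pkt):
    _, proto, src, dst, iface, direction, flag = rule
    return (proto in ("all", pkt["proto"]) and iface in (None, pkt["iface"])
            and direction in (None, pkt["dir"]) and flag in (None, pkt["flag"])
            and ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst)

def run(rules, pkt, nat):
    """First-match walk; a divert hit rewrites the packet as natd would (one flow only) and goes on."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule[0] != "divert":
            return rule[0]
        if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) in INET:
            nat["inside"], pkt["src"] = pkt["src"], OIP   # masquerade the outbound packet
        elif pkt["dir"] == "in" and pkt["dst"] == OIP and "inside" in nat:
            pkt["dst"] = nat["inside"]                     # reverse-translate the reply
    return "deny"  # rc.firewall: "Everything else is denied as default."

def trace_web_session(rules, inside="192.168.1.5", server="198.51.100.10"):
    """One TCP connection: SYN arriving on pn0, the same SYN leaving rl0, the reply on rl0."""
    nat = {}
    hops = [dict(proto="tcp", src=inside, dst=server, iface=IIF, dir="in", flag="setup"),
            dict(proto="tcp", src=inside, dst=server, iface=OIF, dir="out", flag="setup"),
            dict(proto="tcp", src=server, dst=OIP, iface=OIF, dir="in", flag="established")]
    return [run(rules, p, nat) for p in hops]

if __name__ == "__main__":
    print("as posted:", trace_web_session(AS_POSTED))  # ['pass', 'pass', 'deny']
    print("reordered:", trace_web_session(REORDERED))  # ['pass', 'pass', 'pass']
```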


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39760A70.B338C9C9>