Date: Wed, 19 Jul 2000 13:07:12 -0700 From: Kent Stewart <kstewart@urx.com> To: thursday@altavista.net Cc: freebsd-questions@FreeBSD.ORG Subject: Re: natd/ipfw problems Message-ID: <39760A70.B338C9C9@urx.com> References: <0007191600438Z.22034@weba4.iname.net>
next in thread | previous in thread | raw e-mail | index | archive | help
thursday@altavista.net wrote: > > Hi, > > I'm running FreeBSD 3.4-RELEASE, and I have my internal network {Win95, FreeBSD} connected to the outside world via a FreeBSD box & sdsl. > > I'm using nat, and all works fine except when I want to have firewall rules in place (i.e., firewall_type="simple". > > When I have firewall_type="simple", natd doesn't work at all, and I have to do: > > /sbin/ipfw -f flush > /sbin/ipfw add divert natd all from any to any via rl0 > /sbin/ipfw add pass all from any to any > > to get natd to work at all. That has also been my experience. I don't know why the example rc.firewall is broken but for my system it was useless. Try the dual homed code on http://www.mostgraveconcern.com/freebsd/. It is a much better starting point. Kent > > Basically, I want the firewall to only allow access to the following services (from the outside) > > httpd, sendmail, ssh, ftp, and for natd to work. > > Here's the relevant part of rc.conf: > natd_enable="YES" > natd_interface="rl0" > firewall_enable="YES" > firewall_type="simple" > > > and rc.local: > # natd > /sbin/natd -l -interface rl0 > > and here's rc.firewall (I changed the oips to something other than my own): > > /sbin/ipfw -f flush/sbin/ipfw add divert natd all from any to any via rl0 > /sbin/ipfw add pass all from any to any > > ############ > # Setup system for firewall service. > # $FreeBSD: src/etc/rc.firewall,v 1.19.2.2 1999/08/29 14:18:55 peter Exp $ > > # Suck in the configuration variables. > if [ -f /etc/defaults/rc.conf ]; then > . /etc/defaults/rc.conf > elif [ -f /etc/rc.conf ]; then > . /etc/rc.conf > fi > > ############ > # Define the firewall type in /etc/rc.conf. Valid values are: > # open - will allow anyone in > # client - will try to protect just this machine > # simple - will try to protect a whole network > # closed - totally disables IP services except via lo0 interface > # Unknown - disables the loading of firewall rules. > # filename - will load the rules in the given filename (full path required) > # > # For ``client'' and ``simple'' the entries below should be customized > # appropriately. > > ############ > # > # If you don't know enough about packet filtering, we suggest that you > # take time to read this book: > # > # Building Internet Firewalls > # Brent Chapman and Elizabeth Zwicky > # > # O'Reilly & Associates, Inc > # ISBN 1-56592-124-0 > # http://www.ora.com/ > # > # For a more advanced treatment of Internet Security read: > # > # Firewalls & Internet Security > # Repelling the wily hacker > # William R. Cheswick, Steven M. Bellowin > # > # Addison-Wesley > # ISBN 0-201-6337-4 > # http://www.awl.com/ > # > > if [ "x$1" != "x" ]; then > firewall_type=$1 > fi > > ############ > # Set quiet mode if requested > if [ "x$firewall_quiet" = "xYES" ]; then > fwcmd="/sbin/ipfw -q" > else > fwcmd="/sbin/ipfw" > fi > > ############ > # Flush out the list before we begin. > $fwcmd -f flush > > ############ > # These rules are required for using natd. All packets are passed to > # natd before they encounter your remaining rules. The firewall rules > # will then be run again on each packet after translation by natd, > # minus any divert rules (see natd(8)). > if [ "X${natd_enable}" = X"YES" ]; then > $fwcmd add divert natd all from any to any via ${natd_interface} > fi > > ############ > # If you just configured ipfw in the kernel as a tool to solve network > # problems or you just want to disallow some particular kinds of traffic > # they you will want to change the default policy to open. You can also > # do this as your only action by setting the firewall_type to ``open''. > > # $fwcmd add 65000 pass all from any to any > > ############ > # Only in rare cases do you want to change these rules > $fwcmd add 100 pass all from any to any via lo0 > $fwcmd add 200 deny all from any to 127.0.0.0/8 > > # Prototype setups. > if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then > > $fwcmd add 65000 pass all from any to any > > elif [ "${firewall_type}" = "client" ]; then > > ############ > # This is a prototype setup that will protect your system somewhat against > # people from outside your own network. > ############ > > # set these to your network and netmask and ip > net="192.168.1.0" > mask="255.255.255.0" > ip="192.168.1.1" > > # Allow any traffic to or from my own net. > $fwcmd add pass all from ${ip} to ${net}:${mask} > $fwcmd add pass all from ${net}:${mask} to ${ip} > > # Allow TCP through if setup succeeded > $fwcmd add pass tcp from any to any established > > # Allow setup of incoming email > $fwcmd add pass tcp from any to ${ip} 25 setup > > # Allow setup of outgoing TCP connections only > $fwcmd add pass tcp from ${ip} to any setup > > # Disallow setup of all other TCP connections > $fwcmd add deny tcp from any to any setup > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${ip} > $fwcmd add pass udp from ${ip} to any 53 > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${ip} > $fwcmd add pass udp from ${ip} to any 123 > > # Everything else is denied as default. > > # for natd > /sbin/ipfw add divert natd all from any to any via rl0 > elif [ "${firewall_type}" = "simple" ]; then > > ############ > # This is a prototype setup for a simple firewall. Configure this machine > # as a named server and ntp server, and point all the machines on the inside > # at this machine for those services. > ############ > > # set these to your outside interface network and netmask and ip > oif="rl0" > onet="214.17.182.0" > omask="255.255.255.0" > oip="214.17.182.103" > > # set these to your inside interface network and netmask and ip > iif="pn0" > inet="192.168.1.0" > imask="255.255.255.0" > iip="192.168.1.1" > > # Stop spoofing > $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} > $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} > > # allow all local traffic > $fwcmd add allow all from ${inet}:${imask} to ${inet}:${imask} > > # Stop RFC1918 nets on the outside interface > $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} > $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} > $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} > $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} > $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} > > # Allow TCP through if setup succeeded > $fwcmd add pass tcp from any to any established > > # Allow setup of incoming email > $fwcmd add pass tcp from any to ${oip} 25 setup > > # Allow access to our DNS > $fwcmd add pass tcp from any to ${oip} 53 setup > > # Allow access to our WWW > $fwcmd add pass tcp from any to ${oip} 80 setup > > # Allow access to ssh > $fwcmd add pass tcp from any to ${oip} 22 setup > > # Allow access to ftp > $fwcmd add pass tcp from any to ${oip} 21 setup > > # Reject&Log all setup of incoming connections from the outside > $fwcmd add deny log tcp from any to any in via ${oif} setup > > # Allow setup of any other TCP connection > $fwcmd add pass tcp from any to any setup > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${oip} > $fwcmd add pass udp from ${oip} to any 53 > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${oip} > $fwcmd add pass udp from ${oip} to any 123 > > # Everything else is denied as default. > > elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then > $fwcmd ${firewall_type} > fi > > # /sbin/ipfw -f flush > # /sbin/ipfw add divert natd all from any to any via rl0 > # /sbin/ipfw add pass all from any to any > > ---------------------------------------------------------------- > Get your free email from AltaVista at http://altavista.iname.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message -- Kent Stewart Richland, WA mailto:kbstew99@hotmail.com http://kstewart.urx.com/kstewart/index.html FreeBSD News http://daily.daemonnews.org/ Bomber dropping fire retardant in front of Hanford Wild fire. http://kstewart.urx.com/kstewart/bomber.jpg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39760A70.B338C9C9>