Date:      Wed, 5 Jan 2000 17:33:53 -0500 (EST)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        stanb@netcom.com (Stan Brown)
Cc:        freebsd-questions@FreeBSD.ORG (Free BSD Questions list)
Subject:   Re: ipfw rules question
Message-ID:  <200001052233.RAA17274@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <200001052045.MAA03409@netcom.com> from Stan Brown at "Jan 5, 2000 03:45:17 pm"

Stan Brown wrote,
> 	I have a FreeBSD laptop which I dial into my home network with. The
> 	home network uses a real class C network number, which is then aliased
> 	to the IP address of my cablemodem provider by my NAT. The ppp interface
> 	to/from the remote laptop is in the 198. network grouping.

OK, lemme try to get this straight:

   (1) You have a home network which is a registered (I assume that's
       what "real" means, the 192.168.x nets are "real" class C too
       after all) class C net.

   (2) You dial-in (to the firewall/router/NAT machine I assume) and
       the IP address on the client machine is in the "198. network
       grouping."

Now what I don't get is that the, "real class C network number... is
aliased to the IP address of my cablemodem provider by my NAT." If you
have a registered class C at home, there is no need for NAT. The
machine next to the cable modem should just be routing (and with a
static class C, you don't even need routing daemons).

> 	Now here is the problem: ntp packets (and perhaps others) from the laptop
> 	no longer make it out onto the net since I started using ipfw. It
> 	appears to me that these rules:
> 
> 	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> 	$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> 
> 	May be stopping them, however I would have thought that they would have
> 	gotten translated by the divert rule before hitting these rules.

Why would these rules be stopping them? And this leads to my next
question, why does the laptop have a 198.x.x.x address? If it has a
registered number and is on a network elsewhere, use the Internet and
not a dial-in? Or is the "198" above meant to be "192"?

> 	Any ideas on what I am doing wrong?

I think you need to better describe to us what is going on here. It is
not clear what is going on with the home machine(s). In addition, if
the script below is to be believed, you never define 'natd_interface.'
More info (or clear info) and we might be able to help more.

But all of that aside, the rules below (besides not making any sense
in places) only let NTP packets pass to the firewall machine. How
would they get to the laptop?

> 	Here's my firewall config file:
>
> fwcmd="/sbin/ipfw"
> 
>     $fwcmd -f flush
> 
>     # needed for natd
>     $fwcmd add divert natd all from any to any via ${natd_interface}
> 
>     # set these to your outside interface network and netmask and ip
>     oif="ed1"
>     onet="24.6.61.0"
>     omask="255.255.255.0"
>     oip="24.6.61.166"
> 
>     # set these to your inside interface network and netmask and ip
>     iif="ed0"
>     inet="205.159.77.0"
>     imask="255.255.255.0"
>     iip="192.159.77.234"

Uuh... your internal interface's IP is not in the internal network?
(It's not used anywhere, but...)

>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny tcp from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny tcp from any to 10.0.0.0:255.0.0.0 via ${oif}
>     $fwcmd add deny udp from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny udp from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
>     # Allow TCP through if setup succeeded
>     $fwcmd add pass tcp from any to any established
> 
>     # Allow setup of incoming email 
>     $fwcmd add pass tcp from any to ${oip} 25 setup
> 
>     # Allow outgoing email 
>     $fwcmd add pass tcp from ${inet}:${imask} to any 25 setup
>     $fwcmd add pass tcp from any to any 113 setup
> 
>     # Allow access to our DNS
>     $fwcmd add pass tcp from any to ${oip} 53 setup
> 
>     # Allow access to our WWW
>     $fwcmd add pass tcp from any to ${oip} 80 setup
> 
>     #allows telnet
>     # can take this out when I get ssh support on all machines
>     # I might need to come in from
>     $fwcmd add pass tcp from any to any 23 in recv ${oif} setup
> 
>     #allows ssh
>     $fwcmd add pass tcp from any to any 22 in recv ${oif} setup
> 
>     #allows ftp
>     $fwcmd add pass tcp from any to any 20 in recv ${oif} setup
>     $fwcmd add pass tcp from any to any 21 in recv ${oif} setup
>     $fwcmd add pass tcp from any 20 to any in recv ${oif} setup
>     $fwcmd add pass tcp from any 21 to any in recv ${oif} setup
> 
>     # Reject&Log all setup of incoming connections from the outside
>     $fwcmd add deny log tcp from any to any in via ${oif} setup
> 
>     # Allow setup of any other TCP connection
>     $fwcmd add pass tcp from any to any setup
> 
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
> 
>     # Allow NTP queries out in the world
>     $fwcmd add pass udp from any 123 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 123
> 
>     # Allow outbound pings
>     $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 0
>     $fwcmd add pass icmp from any to any out xmit ${oif} icmptypes 8
>     
>     # Allow outbound traceroutes
>     $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 3
>     $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 11
>     
>     # Everything else is denied as default.
-- 
Crist J. Clark                           cjclark@home.com
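An added example, written for this archived thread and not code from either poster: a small model of ipfw's first-match evaluation, run over the slice of the posted rules that an NTP packet from the dial-in laptop would meet (the divert rule, the two 192.168 deny rules, and the two NTP pass rules, in the posted order). It assumes, as Crist suspects, that the laptop has a 192.168.x address (a constructed 192.168.1.5), that natd_interface was meant to be "ed1", and that natd hands a translated packet back to ipfw which then resumes at the rule after the divert; the NTP server address is a constructed placeholder. The `divert_loaded` flag models the difference between the divert rule being present and it never having been installed (what happens when natd_interface is undefined and the `add divert` line fails).

```python
# Added example (not from the thread): toy ipfw first-match model used to
# trace the posted rules for NTP traffic from a NATed dial-in laptop.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

OIF = "ed1"                  # outside interface, from the posted script
OIP = "24.6.61.166"          # outside IP, from the posted script
LAPTOP = "192.168.1.5"       # constructed: the laptop's dial-in address
NTP_SERVER = "198.51.100.7"  # constructed: a public NTP server


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet is passing through
    direction: str   # "in" or "out" relative to that interface


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass", "deny" or "divert"
    proto: str = "all"
    src: str = "any"             # "any" or a network such as 192.168.0.0/16
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None    # ipfw 'via': matches in either direction


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("all", pkt.proto)
        and _addr_ok(rule.src, pkt.src)
        and _addr_ok(rule.dst, pkt.dst)
        and (rule.sport is None or rule.sport == pkt.sport)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.via is None or rule.via == pkt.iface)
    )


def natd(pkt: Packet, table: dict) -> Packet:
    """Minimal natd stand-in (assumption, not natd's real algorithm):
    outbound packets get OIP as source and a table entry keyed by
    (proto, source port); inbound packets to OIP whose destination port
    has an entry get the original inside address back."""
    if pkt.direction == "out":
        table[(pkt.proto, pkt.sport)] = pkt.src
        return replace(pkt, src=OIP)
    orig = table.get((pkt.proto, pkt.dport))
    if pkt.dst == OIP and orig is not None:
        return replace(pkt, dst=orig)
    return pkt


def evaluate(rules, pkt, table):
    """First match wins. A 'divert' rule translates the packet and
    evaluation continues at the next rule (assumed natd re-injection).
    Returns (action, index of the deciding rule or None, final packet)."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, table)
            continue
        return rule.action, i, pkt
    return "deny", None, pkt   # ipfw's default rule denies


# The relevant slice of the posted script, in the posted order.
DIVERT = Rule("divert", via=OIF)
POSTED = [
    Rule("deny", src="192.168.0.0/16", via=OIF),   # RFC1918 out/in via oif
    Rule("deny", dst="192.168.0.0/16", via=OIF),
    Rule("pass", "udp", sport=123, dst=OIP),       # NTP replies to the firewall
    Rule("pass", "udp", src=OIP, dport=123),       # NTP queries from the firewall
]


def trace_ntp(divert_loaded: bool):
    """Trace one NTP query from the laptop out via ed1 and its reply in."""
    rules = ([DIVERT] if divert_loaded else []) + POSTED
    table = {}
    query = Packet("udp", LAPTOP, 123, NTP_SERVER, 123, OIF, "out")
    q = evaluate(rules, query, table)
    reply = Packet("udp", NTP_SERVER, 123, OIP, 123, OIF, "in")
    r = evaluate(rules, reply, table)
    return q, r


if __name__ == "__main__":
    for loaded in (True, False):
        q, r = trace_ntp(loaded)
        print(f"divert loaded={loaded}: query -> {q[0]} at rule {q[1]}, "
              f"reply -> {r[0]} at rule {r[1]} (dst {r[2].dst})")
```

With the divert rule absent, the query is denied at the first 192.168 rule and a reply addressed to the firewall passes but stops there, which is the "how would they get to the laptop?" point above. With the divert rule present, the query is translated and passes, but the reply, translated back to 192.168.1.5 while still being received via ed1, matches the second RFC1918 deny rule. On a real box the same trace is visible in the per-rule counters from `ipfw show`.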

