From: Michael Lopez
To: freebsd-questions@freebsd.org
Date: Sun, 30 Nov 2003 01:17:45 -0800 (PST)
Subject: ipfw + ppp config problem

Hi guys,

I need help setting up my ipfw. At the moment I've got 2 computers, one running FreeBSD 4.9 stable and the other one Windows XP, connecting to the internet using dial-up (which is ppp) with a static IP. I have already compiled the kernel to enable the firewall, as well as set up rc.conf and the firewall rules (firewall_rules) as described below:

rc.conf
....
gateway_enable="YES"
inetd_enable="YES"

#################################################
# Firewall Configuration
#
firewall_enable=YES
firewall_quiet=YES
firewall_type=/usr/local/etc/firewall_rules
firewall_flags="-p cpp \
    -D INT_IF=rl0 \
    -D INT_ADDR=192.168.0.1 \
    -D INT_NET=192.168.0.0/16 \
    -D EXT_IF=tun0 \
    -D EXT_ADDR=202.24.54.145 \
    -D EXT_NET=202.24.54.145/27 \
    -D LOG_DROPPED_PACKETS \
    -D ALLOW_ALL_ICMP \
    -D ALLOW_ACTIVE_FTP \
    -D ALLOW_TRACEROUTE \
    -D LOCAL_NAME_SERVER \
    -D LOCAL_TIME_SERVER \
    -D LOCAL_VPN_SERVER \
    -D ROUTE_INTERNAL_NET "

# Enable firewall debugging with
# sysctl -w net.inet.ip.fw.verbose=1
# and look at /var/log/security

#################################################
# NAT Configuration
#
# run NAT on the public interface
#natd_enable=YES
#natd_interface=tun0
#natd_flags="-log_denied -use_sockets"
# for testing NAT
#natd_flags="$natd_flags -verbose"

firewall_rules

#ifdef DROP_SILENT
# ifdef LOG_DROPPED_PACKETS
#  define BLOCK_TCP deny log
#  define BLOCK_UDP deny log
#  define BLOCK_ICMP deny log
# else
#  define BLOCK_TCP deny
#  define BLOCK_UDP deny
#  define BLOCK_ICMP deny
# endif
#else
# ifdef LOG_DROPPED_PACKETS
#  define BLOCK_TCP reset log
#  define BLOCK_UDP unreach port log
#  define BLOCK_ICMP unreach filter-prohib log
# else
#  define BLOCK_TCP reset
#  define BLOCK_UDP unreach port
#  define BLOCK_ICMP unreach filter-prohib
# endif
#endif

/*** IP ******************************************************/

// filter out all bogus packets at the external interface
add 00990 skipto 2100 ip from any to EXT_ADDR in recv EXT_IF
add 00999 deny all from any to any in recv EXT_IF

// hand off packets to natd; they will be reinjected, with the address
// translated, into the next rule
#ifdef DIVERT_TO_NATD
#add 01000 divert natd ip from any to any via EXT_IF
#endif

// prevent spoofing
add 02100 deny all from INT_NET to any in via EXT_IF
add 02110 deny all from EXT_NET to any in via INT_IF

#ifdef ROUTE_INTERNAL_NET
// allow all packets from the internal network, on any interface
add 02300 allow all from INT_NET to any
#else
add 02300 allow all from INT_ADDR to INT_NET via INT_IF
#endif

#ifdef LOCAL_VPN_SERVER
add 02400 allow gre from any to any via EXT_IF
#endif

/*** TCP ****************************************************/

// allow all established connections
add 03000 allow tcp from any to any established

// allow outgoing TCP setups from the local host, and from the internal
// network
add 03100 allow tcp from EXT_ADDR to any out via EXT_IF
//add 03110 allow tcp from INT_NET to any in recv INT_IF setup

// allow the return TCP connection for FTP data session
#ifdef ALLOW_ACTIVE_FTP
add 03200 allow tcp from any 20 to EXT_ADDR in recv EXT_IF setup
add 03210 allow tcp from any 20 to INT_NET // out xmit INT_IF setup
#endif

// allow SMTP to the local host
add 03300 allow tcp from any to EXT_ADDR smtp in recv EXT_IF setup

// allow SSH to the local host
add 03400 allow tcp from any to EXT_ADDR ssh in recv EXT_IF setup

#ifdef LOCAL_NAME_SERVER
// allow zone transfers to the outside world
add 03500 allow tcp from any to EXT_ADDR domain in recv EXT_IF setup
#endif

#ifdef LOCAL_VPN_SERVER
// allow traffic to PPTP daemon
add 03600 allow tcp from any to EXT_ADDR pptp in recv EXT_IF setup
#endif

// all other TCP connections are blocked
add 03900 BLOCK_TCP tcp from any to any in via EXT_IF

/*** UDP ****************************************************/

// allow client DNS queries to the outside from this machine
// (domain = DNS port number)
add 04000 allow udp from any domain to EXT_ADDR
add 04010 allow udp from EXT_ADDR to any domain

#ifdef LOCAL_NAME_SERVER
// allow client DNS queries from the internal net to this name server
add 04020 allow udp from INT_NET to INT_ADDR domain
add 04030 allow udp from INT_ADDR domain to INT_NET
// allow server DNS queries to this nameserver from the Internet
add 04040 allow udp from any to EXT_ADDR domain
add 04050 allow udp from EXT_ADDR domain to any
#endif

#ifdef LOCAL_TIME_SERVER
// allow NTP to/from the local host and out to the local network
add 04100 allow udp from any ntp to EXT_ADDR ntp
add 04110 allow udp from EXT_ADDR ntp to any ntp
add 04120 allow udp from INT_ADDR ntp to INT_NET ntp
#endif

#ifdef ALLOW_TRACEROUTE
// allow traceroutes
add 04300 allow udp from EXT_ADDR to any 33434-33534
add 04310 allow udp from INT_NET to any 33434-33534
#endif

// block everything else
add 04900 BLOCK_UDP udp from any to any in via EXT_IF

/*** ICMP **************************************************/

#ifdef ALLOW_ALL_ICMP
// allow all ICMP packets to and from anywhere
add 05000 allow icmp from any to any
#else
// allow only essential ICMP packets to and from the local host
add 05000 allow icmp from EXT_ADDR to any icmptype 3,4,11,12
add 05010 allow icmp from any to EXT_ADDR icmptype 3,4,11,12
// as well as to/from the internal network
add 05100 allow icmp from INT_NET to any icmptype 3,4,11,12
add 05110 allow icmp from any to INT_NET icmptype 3,4,11,12
#endif

/*** EVERYTHING ELSE IS DENIED *********/

#ifdef LOG_DROPPED_PACKETS
add 65000 deny log all from any to any
#else
add 65000 deny all from any to any
#endif

I used http://renaud.waldura.com/doc/freebsd/firewall/ as a reference, but I slightly modified the NAT and the rules. As you can see, I commented out the NAT configuration, and at rule 990 I set it to skip to rule 2100 instead of rule 1000, since NAT didn't work well with ppp (it can't recognize the tun0 device from startup, and when I tried to add it manually after connecting using ppp, the FreeBSD box couldn't connect to the net either). As a result, using this firewall, my FreeBSD box is the only one that can connect to the net (but both boxes are able to communicate well on the LAN: ping, sshd, ftp, etc.). My questions are:

1.) Does anybody (who's an expert with ipfw) know what's wrong with my configuration?

2.) Is there any possibility of using NAT (not user ppp -nat) together with ipfw + ppp? References and URLs are welcome.
(By the way, I've browsed most sites on google.com/bsd regarding "ipfw + ppp + nat", but then again, only the reference I used above works pretty close to what I need... I think.)

Thank you once again,

Regards,
Mike
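An added diagnostic example, not from Mike's post or from the referenced guide: a small Python dry run of the cpp-style preprocessing the rules file relies on (#ifdef/#else/#endif, #define and the -D macros from rc.conf), applied to a constructed excerpt of the rules, which then reports whether natd could ever see a packet, i.e. whether a divert rule exists in the expanded set and whether a skipto jumps past it. The excerpt and the -D values used in the test are sample input, and the #add comment-out is handled the way cpp does (ignored inside a skipped #ifdef).

```python
import re
# Constructed excerpt in the cpp-style dialect of the firewall_rules file above (sample input only).
SAMPLE_RULES = """
#ifdef LOG_DROPPED_PACKETS
# define BLOCK_TCP deny log
#else
# define BLOCK_TCP deny
#endif
add 00990 skipto 2100 ip from any to EXT_ADDR in recv EXT_IF
#ifdef DIVERT_TO_NATD
add 01000 divert natd ip from any to any via EXT_IF   // natd hand-off
#endif
add 02100 deny all from INT_NET to any in via EXT_IF
add 03900 BLOCK_TCP tcp from any to any in via EXT_IF
"""

def preprocess(text, defines):
    """Expand #ifdef/#else/#endif, #define and the -D macros; return the active 'add' lines."""
    macros = dict(defines)          # -D NAME=value, or -D NAME (defined as "1", like cpp)
    stack, rules = [], []           # stack: one bool per open #ifdef (True = branch taken)
    for raw in re.sub(r"/\*.*?\*/", "", text, flags=re.S).splitlines():
        line = raw.split("//")[0].strip()
        active = all(stack)
        if line.startswith("#"):    # a directive; unknown ones (e.g. '#add ...') are ignored
            parts = line[1:].split(None, 2)
            if parts[0] == "ifdef":
                stack.append(parts[1] in macros)
            elif parts[0] == "else":
                stack[-1] = not stack[-1]
            elif parts[0] == "endif":
                stack.pop()
            elif parts[0] == "define" and active:
                macros[parts[1]] = parts[2] if len(parts) > 2 else "1"
        elif active and line:
            rules.append(re.sub(r"\w+", lambda m: macros.get(m.group(0), m.group(0)), line))
    return rules

def check_nat_path(rules):
    """Explain why natd would never see a packet: no divert rule, or a skipto that jumps past it."""
    numbered = [(int(r.split()[1]), r) for r in rules]
    diverts = [n for n, r in numbered if " divert " in r]
    findings = []
    if not diverts:
        findings.append("no divert rule in the expanded set: natd never sees any packet")
    for n, r in numbered:
        m = re.search(r"\bskipto (\d+)", r)
        for d in (diverts if m else []):
            if n < d < int(m.group(1)):
                findings.append(f"rule {n} skipto {m.group(1)} bypasses divert rule {d}")
    return findings
```

Run it on the real file by reading it into `preprocess` with the -D values from firewall_flags; a non-empty finding list explains why no address translation happens before the rules start dropping traffic.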