Date: Thu, 29 Jul 1999 15:16:38 -0500
From: "David B. Aas" <dave@ciminot.com>
To: <questions@freebsd.org>
Cc: <obonilla@fisicc-ufm.edu>
Subject: FW: Need consulting help with v3.2 firewall configuration
Message-ID: <000401bed9ff$44528860$0fc8a8c0@dave.ciminot.com>
Whoops! I forgot to include my rules. Sorry for the extra email.

# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
# Customized by Dave Aas 1999/07/20

# Suck in the configuration variables.
if [ -f /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
        . /etc/rc.conf
fi

# Flush out the list before we begin.
ipfw -f flush

# Divert internal ip addresses
ipfw add 100 divert natd all from any to any via ${natd_interface}

# Allow all outbound traffic
ipfw add 150 allow all from any to any out

# Only in rare cases do you want to change these rules
ipfw add 200 pass all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8

# Stop spoofing
ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}

# Allow TCP through if setup succeeded
ipfw add 600 pass tcp from any to any established

# Allow setup of incoming email
ipfw add 700 pass tcp from any to ${oip} 25 setup
ipfw add 710 allow tcp from any to any 110 setup

# Allow access to our DNS
ipfw add 800 pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
ipfw add 900 pass tcp from any to ${oip} 80 setup

# Other webserver traffic
ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}

# Allow setup of outgoing TCP connections only
ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
ipfw add 1100 allow tcp from ${iip}:${imask} to any setup

# Allow maintenance from CI
ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup

# Allow DNS queries out in the world
ipfw add 1400 pass udp from any 53 to ${oip}
ipfw add 1500 pass udp from ${oip} to any 53

# Allow NTP queries out in the world
ipfw add 1600 pass udp from any 123 to ${oip}
ipfw add 1700 pass udp from ${oip} to any 123

# Allow ping to or from the world
ipfw add 1800 allow icmp from any to any icmptypes 0,8

# Allow POP3 setup
ipfw add 1850 allow tcp from any 1024-65535 to any 110 in via xl1 setup
ipfw add 1860 allow tcp from 129.1.1.0:255.255.255.0 to any 110 setup
ipfw add 1870 allow tcp from any 1024-65535 to any 110 setup

# Allow ssh
ipfw add 1880 allow tcp from any to ${oip} 22 in via xl1
ipfw add 1890 allow tcp from any to any 22 out via xl1

# Lame stuff
ipfw add 1899 allow tcp from any 1024-65535 to any 1024-65535
ipfw add 1898 allow udp from any 1024-65535 to any 1024-65535

# Disallow setup of all other TCP connections
ipfw add 2000 deny tcp from any to any setup

# Allow ident in
ipfw add 2100 allow tcp from any to any 113 in via ${oif}
ipfw add 2200 allow tcp from any to any 113 out via ${oif}

# Everything else is denied as default.

-----Original Message-----
From: David B. Aas [mailto:dave@ciminot.com]
Sent: Thursday, July 29, 1999 2:48 PM
To: 'questions@freebsd.org'
Cc: 'obonilla@fisicc-ufm.edu'
Subject: RE: Need consulting help with v3.2 firewall configuration

OK, Oscar. Here it is. My server is set as a secondary DNS. I can PING the ISP's servername, and it works OK. On my client's machine, an error message shows up when the mail client tries to find the ISP. The error is:

Host servername could not be found....POP3 Port 110, SSL No:, Socket Error 11001, Error # 0X800CCC0D

It almost seems like it may be a DNS problem, but as far as I can tell, my DNS seems to be working. Any ideas?

Dave Aas
dave@ciminot.com

> -----Original Message-----
> From: Oscar Bonilla [mailto:obonilla@fisicc-ufm.edu]
> Sent: Thursday, July 29, 1999 10:51 AM
> To: David B. Aas
> Cc: questions@FreeBSD.ORG
> Subject: Re: Need consulting help with v3.2 firewall configuration
>
> On Thu, Jul 29, 1999 at 08:59:59AM -0500, David B. Aas wrote:
> > I am getting to the point where I will be willing to pay for some help!
> >
> > I have a firewall running with 2 nics, one connected to an inside net, the
> > other connected to a DSL Internet connection. Squid is loaded, and FreeBSD
> > is configured as a secondary DNS and a time server. I added sendmail. All
> > seems to be working OK, except my clients inside my network cannot access a
> > POP3 server to check email on existing accounts outside on the Internet.
> >
>
> post your firewall rules to the list.
>
> regards,
>
> -Oscar
>
> --
> For PGP Public Key: finger obonilla@fisicc-ufm.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
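As an added example, not part of the thread above: a small Python model of ipfw's first-match evaluation, run over the subset of the posted rules that can match three constructed packets. Interface names, addresses and the kernel's implicit default-deny rule 65535 are assumptions, not the poster's real values. It shows the firewall's own DNS lookup leaving via rule 150, an inside client's POP3 SYN being admitted by rule 710, and an inside client's UDP query to port 53 matching nothing before the default rule, which is the kind of gap that produces a client-side "host could not be found" while the firewall itself resolves fine.

```python
import ipaddress
# Constructed stand-ins for the rc.firewall variables (assumptions, not the poster's values).
IIF, OIF, IIP, OIP = "xl0", "xl1", "192.168.200.1", "203.0.113.10"
ANY = "0.0.0.0/0"

def rule(num, action, proto, src, sport, dst, dport, direction=None, via=None,
         setup=False, established=False):
    # None means "any"; ports are (lo, hi) ranges, as in ipfw's "1024-65535".
    return dict(num=num, action=action, proto=proto, src=ipaddress.ip_network(src),
                sport=sport, dst=ipaddress.ip_network(dst), dport=dport, dir=direction,
                via=via, setup=setup, established=established)

# Subset of the posted rules that can match the packets below (100 divert omitted: these
# packets are on the inside interface, which natd does not see), plus the kernel's implicit
# default rule 65535, which denies unless IPFIREWALL_DEFAULT_TO_ACCEPT was compiled in.
RULES = [
    rule(150, "allow", "ip", ANY, None, ANY, None, "out"),
    rule(600, "allow", "tcp", ANY, None, ANY, None, established=True),
    rule(710, "allow", "tcp", ANY, None, ANY, (110, 110), setup=True),
    rule(1400, "allow", "udp", ANY, (53, 53), OIP, None),
    rule(1500, "allow", "udp", OIP, None, ANY, (53, 53)),
    rule(1898, "allow", "udp", ANY, (1024, 65535), ANY, (1024, 65535)),
    rule(2000, "deny", "tcp", ANY, None, ANY, None, setup=True),
    rule(65535, "deny", "ip", ANY, None, ANY, None),
]

def in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def matches(r, p):  # every option on the rule must hold for the packet
    return (r["proto"] in ("ip", p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and in_range(r["sport"], p["sport"]) and in_range(r["dport"], p["dport"])
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"])
            and (not r["setup"] or (p.get("syn") and not p.get("ack")))   # setup: SYN only
            and (not r["established"] or p.get("ack") or p.get("rst")))   # established: ACK|RST

def first_match(p, rules=RULES):
    """Walk the rules in number order, as ipfw does, and return (number, action) of the first hit."""
    return next((r["num"], r["action"]) for r in rules if matches(r, p))

def pkt(proto, src, sport, dst, dport, direction, iface, **flags):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, dir=direction,
                iface=iface, **flags)

CLIENT = "192.168.200.15"          # constructed inside host
CLIENT_DNS_QUERY = pkt("udp", CLIENT, 1034, IIP, 53, "in", IIF)          # client -> firewall DNS
FIREWALL_DNS_QUERY = pkt("udp", OIP, 1035, "198.51.100.5", 53, "out", OIF)  # firewall's own lookup
CLIENT_POP3_SYN = pkt("tcp", CLIENT, 1040, "198.51.100.7", 110, "in", IIF, syn=True)
```

Rule 100's divert is left out deliberately: a packet arriving on the inside interface is not on ${natd_interface}, so it meets the rest of the list untranslated.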