Date: Sun, 08 Aug 2004 20:46:47 +0200
From: bkhl@elektrubadur.se (Björn Lindström)
To: freebsd-questions@freebsd.org
Cc: JJB <Barbish3@adelphia.net>
Subject: Re: NAT trouble
Message-ID: <s38n015wjqg.fsf@numerus.ling.uu.se>
References: <s38smbpxrov.fsf@numerus.ling.uu.se> <MIEPLLIBMLEEABPDBIEGOEFKGGAA.Barbish3@adelphia.net>
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from www.a1poweruser.com/FBSD_firewall/
>
> For more help post complete contents of your rc.conf, ppp.conf, ipfw
> rules, dmesg.boot, ppp.log, files along with description of how you
> are connected to the public internet.
Thank you. Thanks to that page, I'm a bit closer to a solution, I
think.
I have arrived at the following ipfw.rules, based on the last example on
that page:
[-- Attachment #2: /etc/ipfw.rules --]
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="tun0" # Public interface
# No restrictions on Inside Lan Interface for private network
$cmd 005 allow all from any to any via ed0
# No restrictions on Loopback Interface
$cmd 010 allow all from any to any via lo0
# Check if packet is inbound and NAT address if it is
$cmd 014 divert natd ip from any to any in via $pif
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 015 check-state
##
## Interface facing Public internet (Outbound Section)
## Interrogate session start requests originating from behind the
## firewall on the private network or from this gateway server
## destined for the public internet.
##
# Allow out access to my ISP's DNS.
# Rule numbers 20-39 are reserved for the name servers (kept decimal: a
# leading zero is read as octal by some shells, and the original
# "[ $i = 039 ]" string test never matched after arithmetic stripped the
# zero, so the loop could run into rule 040).
i=20
for nameserver in $(grep '^nameserver ' /etc/resolv.conf | sed 's/^nameserver //'); do
    if [ "$i" -gt 38 ]; then
        break
    fi
    $cmd $i $skip tcp from any to $nameserver 53 out via $pif setup keep-state
    i=$((i + 1))
    $cmd $i $skip udp from any to $nameserver 53 out via $pif keep-state
    i=$((i + 1))
done
# Allow out non-secure standard WWW function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure WWW function HTTPS over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out NNTP news
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow out ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
##
## Interface facing Public internet (Inbound Section)
## Interrogate packets originating from the public internet
## destined for this gateway server or the private network.
##
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #"this network" (RFC 1122)
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny fragments (late arriving packets)
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
[-- Attachment #4: the resulting ruleset as listed by ipfw --]
00005 allow ip from any to any via ed0
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in recv tun0
00015 check-state
00020 skipto 800 tcp from any to 195.67.199.13 53 keep-state out xmit tun0 setup
00021 skipto 800 udp from any to 195.67.199.13 53 keep-state out xmit tun0
00040 skipto 800 tcp from any to any 80 keep-state out xmit tun0 setup
00050 skipto 800 tcp from any to any 443 keep-state out xmit tun0 setup
00060 skipto 800 tcp from any to any 25 keep-state out xmit tun0 setup
00061 skipto 800 tcp from any to any 110 keep-state out xmit tun0 setup
00070 skipto 800 tcp from me to any uid root keep-state out xmit tun0 setup
00080 skipto 800 icmp from any to any keep-state out xmit tun0
00090 skipto 800 tcp from any to any 37 keep-state out xmit tun0 setup
00100 skipto 800 tcp from any to any 119 keep-state out xmit tun0 setup
00110 skipto 800 tcp from any to any 22 keep-state out xmit tun0 setup
00120 skipto 800 tcp from any to any 43 keep-state out xmit tun0 setup
00130 skipto 800 udp from any to any 123 keep-state out xmit tun0
00300 deny ip from 192.168.0.0/16 to any in recv tun0
00301 deny ip from 172.16.0.0/12 to any in recv tun0
00302 deny ip from 10.0.0.0/8 to any in recv tun0
00303 deny ip from 127.0.0.0/8 to any in recv tun0
00304 deny ip from 0.0.0.0/8 to any in recv tun0
00305 deny ip from 169.254.0.0/16 to any in recv tun0
00306 deny ip from 192.0.2.0/24 to any in recv tun0
00307 deny ip from 204.152.64.0/23 to any in recv tun0
00308 deny ip from 224.0.0.0/3 to any in recv tun0
00315 deny tcp from any to any 113 in recv tun0
00320 deny tcp from any to any 137 in recv tun0
00321 deny tcp from any to any 138 in recv tun0
00322 deny tcp from any to any 139 in recv tun0
00323 deny tcp from any to any 81 in recv tun0
00330 deny ip from any to any in recv tun0 frag
00332 deny tcp from any to any in recv tun0 established
00370 allow tcp from any to me 80 limit src-addr 2 in recv tun0 setup
00380 allow tcp from any to me 22 limit src-addr 2 in recv tun0 setup
00400 deny log logamount 5 ip from any to any in recv tun0
00450 deny log logamount 5 ip from any to any out xmit tun0
00800 divert 8668 ip from any to any out xmit tun0
00801 allow ip from any to any
00999 deny log logamount 5 ip from any to any
65535 deny ip from any to any
Now, what that page is missing is examples of how to get NAT port forwarding
working. I've been playing around with that, based on what I can figure
out from the natd man page, with no success.
Here are the rest of the relevant configuration/log files:
[-- Attachment #6: /etc/rc.conf --]
kern_securelevel="2"
kern_securelevel_enable="YES"
keymap="swedish.iso"
# Net
hostname="calliope.dreaming"
ifconfig_ed0="inet 192.168.0.1 netmask 255.255.255.0"
gateway_enable="YES"
# Net daemons
sshd_enable="YES"
sendmail_enable="NO"
# Firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
# NAT
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
# PPP
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="tiscali"
# NFS
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
portmap_enable="YES"
# NIS
nisdomainname="dreaming-nis"
nis_server_enable="YES"
nis_yppasswdd_enable="YES"
nis_client_enable="YES"
nis_client_flags="-S dreaming-nis,calliope.dreaming"
[-- Attachment #7: /etc/ppp/ppp.conf --]
default:
 set log Phase tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0
tiscali:
 set device PPPoE:rl0
 set authname bkhl@tiscali.se
 set authkey tatmero
 enable dns
 resolv rewrite
 set dial
 set login
 add default HISADDR
[-- Attachment #8: ppp.log --]
Aug 8 20:42:47 calliope ppp[54]: tun0: Phase: deflink: IPV6CP protocol reject closes IPV6CP !
Aug 8 20:42:47 calliope ppp[54]: tun0: Phase: deflink: IPV6CP protocol reject closes IPV6CP !
Aug 8 20:42:47 calliope ppp[54]: tun0: Command: tiscali: !bg /usr/local/sbin/ddclient -daemon=0
Aug 8 20:42:50 calliope ppp[54]: tun0: Phase: deflink: IPV6CP protocol reject closes IPV6CP !
Aug 8 20:42:59 calliope last message repeated 3 times
[-- Attachment #10: /etc/natd.conf --]
dynamic yes
same_ports yes
use_sockets yes
redirect_port tcp 192.168.0.2:15000 15000
(I couldn't locate any dmesg.boot file.)
Thanks for all your help,
Björn
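The posted ruleset has no inbound rule for the forwarded connection: after rule 014 hands the packet to natd, its destination is already 192.168.0.2:15000, nothing between 015 and 399 matches it, and rule 400 denies it. The script below is an added example, not part of the post or the handbook page: it reads the redirect_port lines of a natd.conf and emits the matching stateful skipto rules. It assumes rule numbers 390-399 are free (they are in the posted rules) and that the outbound divert natd rule is still number 800.

```shell
#!/bin/sh
# Added example (not from the post or the handbook): generate the inbound ipfw
# rules that the posted ruleset lacks for natd's redirect_port forwards.
# Assumptions: rule numbers 390-399 are unused and sit before the catch-all
# "deny log ... in" at 400; the outbound "divert natd" block is at rule 800.

pif="tun0"                              # public interface, as in the posted rules
skip="skipto 800"                       # jump to the outbound divert natd rule
cmd="${IPFW_ADD:-echo ipfw -q add}"     # prints by default; IPFW_ADD="ipfw -q add" applies

# Emit one rule per "redirect_port <proto> <lanhost>:<lanport> <pubport>" line in
# the natd.conf named by $1.  By the time a packet reaches these rules it has
# passed "divert natd ... in via $pif" (rule 014), so it is addressed to the LAN
# host, not to the public port.  The dynamic rule's action is skipto 800, so the
# LAN host's reply is diverted through natd again before it leaves via $pif.
fwd_rules() {
    n=390
    while read -r key proto target _pubport; do
        [ "$key" = "redirect_port" ] || continue
        if [ "$n" -gt 399 ]; then
            echo "fwd_rules: more redirects than rule numbers 390-399" >&2
            return 1
        fi
        lanhost=${target%:*}
        lanport=${target##*:}
        case $proto in
            tcp) $cmd $n $skip tcp from any to "$lanhost" "$lanport" in via "$pif" setup keep-state ;;
            udp) $cmd $n $skip udp from any to "$lanhost" "$lanport" in via "$pif" keep-state ;;
            *)   echo "fwd_rules: unsupported protocol '$proto'" >&2; return 1 ;;
        esac
        n=$((n + 1))
    done < "$1"
}

# Constructed sample natd.conf: the post's file plus one udp forward.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dynamic yes
same_ports yes
use_sockets yes
redirect_port tcp 192.168.0.2:15000 15000
redirect_port udp 192.168.0.2:15000 15000
EOF

fwd_rules "$SAMPLE"
```

Run it before rule 400 is added (for instance from ipfw.rules right after rule 380); the generated rules only cover ports that natd actually redirects.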
