From owner-freebsd-questions Thu Jun 24 19:16:21 1999 Delivered-To: freebsd-questions@freebsd.org Received: from gateway.ciminot.com (gateway.ciminot.com [208.149.231.26]) by hub.freebsd.org (Postfix) with ESMTP id 5190314E25 for ; Thu, 24 Jun 1999 19:16:14 -0700 (PDT) (envelope-from dave@ciminot.com) Received: from dave ([192.168.200.15]) by gateway.ciminot.com (8.9.1/8.9.1) with SMTP id VAA17976 for ; Thu, 24 Jun 1999 21:15:04 -0500 (CDT) (envelope-from dave@ciminot.com) From: "David B. Aas" To: Subject: I can't get ipfw and natd to work! Date: Thu, 24 Jun 1999 21:15:59 -0500 Message-ID: <000201bebeb0$ab280200$0fc8a8c0@dave.ciminot.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Help, Please! I am trying to get ipfw and natd to work on a "simple" firewall. I have been using the instructions in the Complete FreeBSD book by Greg Lehey, and using defaults to set this thing up. That didn't work. I tried email correspondence with Dan Busarow, and I stumped him. I am using an FTP install of 3.2-RELEASE. I recompiled my kernel with the IPDIVERT and IPFIREWALL options. I have a permanant Internet connection at 208.149.231.25. My external IP is 208.149.231.29 on device xl1. My internal device, xl0 is set for IP 192.168.100.254. I cannot ping to the outside world. I get an error message "natd[122]: failed to write packet back (permission denied)". I want to hook up Windows computers to my network, use RFC1918 net addresses inside my network, and share a fast connection to the Internet on my network. This is not rocket science, but I can's seem to get this to work! Here are relevant details. I would appreciate any help. I am ready to hurt myself if I don't get this going soon. Dave Aas dave@ciminot.com ------------------------------------ rc.conf # This file now contains just the overrides from /etc/defaults/rc.conf # please make all changes to this file. # -- sysinstall generated deltas -- # saver="daemon" gateway_enable="YES" ifconfig_xl0="inet 192.168.100.254 netmask 255.255.255.0" pccard_ifconfig="NO" pccard_mem="DEFAULT" network_interfaces="xl0 xl1 lo0" ifconfig_xl1="inet 208.149.231.29 netmask 255.255.255.248" defaultrouter="208.149.231.25" hostname="gateway.kxmc.com" firewall_enable="YES" sendmail_enable="NO" natd_enable="YES" natd_interface="xl1" firewall_type="simple" ----------------------------------------- rc.local natd -use_sockets -same_ports -unregistered_only -dynamic -interface xl1 ------------------------------------------ rc.firewall ############ # Setup system for firewall service. # $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $ # Suck in the configuration variables. . /etc/defaults/rc.conf . /etc/rc.conf fi ############ # Define the firewall type in /etc/rc.conf. Valid values are: # open - will allow anyone in # client - will try to protect just this machine # simple - will try to protect a whole network # closed - totally disables IP services except via lo0 interface # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # # For ``client'' and ``simple'' the entries below should be customized # Setup system for firewall service. # $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $ # Suck in the configuration variables. . /etc/defaults/rc.conf . /etc/rc.conf fi ############ # Define the firewall type in /etc/rc.conf. Valid values are: # open - will allow anyone in # client - will try to protect just this machine # simple - will try to protect a whole network # closed - totally disables IP services except via lo0 interface # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # # For ``client'' and ``simple'' the entries below should be customized # appropriately. ############ # # If you don't know enough about packet filtering, we suggest that you # take time to read this book: # # Building Internet Firewalls # Brent Chapman and Elizabeth Zwicky # # O'Reilly & Associates, Inc # ISBN 1-56592-124-0 # http://www.ora.com/ # # For a more advanced treatment of Internet Security read: # # Firewalls & Internet Security # Repelling the wily hacker # William R. Cheswick, Steven M. Bellowin # # Addison-Wesley # ISBN 0-201-6337-4 # http://www.awl.com/ # if [ "x$1" != "x" ]; then firewall_type=$1 fi ############ # Set quiet mode if requested if [ "x$firewall_quiet" = "xYES" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" fi ############ # Flush out the list before we begin. $fwcmd -f flush ############ # These rules are required for using natd. All packets are passed to # natd before they encounter your remaining rules. The firewall rules # will then be run again on each packet after translation by natd, # minus any divert rules (see natd(8)). if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then $fwcmd add divert natd all from any to any via ${natd_interface} fi ############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. You can also # do this as your only action by setting the firewall_type to ``open''. # $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change these rules $fwcmd add 100 pass all from any to any via lo0 $fwcmd add 200 deny all from any to 127.0.0.0/8 $fwcmd add 200 deny all from any to 127.0.0.0/8 # Prototype setups. if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then $fwcmd add 65000 pass all from any to any elif [ "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against # people from outside your own network. ############ # set these to your network and netmask and ip net="192.168.4.0" mask="255.255.255.0" ip="192.168.4.17" # Allow any traffic to or from my own net. $fwcmd add pass all from ${ip} to ${net}:${mask} $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded $fwcmd add pass tcp from any to any established # Allow setup of incoming email $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${ip} $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${ip} $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine # as a named server and ntp server, and point all the machines on the inside # at this machine for those services. ############ # set these to your outside interface network and netmask and ip oif="xl1" onet="208.149.231.0" omask="255.255.255.248" oip="208.149.231.29" # set these to your inside interface network and netmask and ip iif="xl0" inet="192.168.100.0" imask="255.255.255.0" iip="192.168.100.254" # Stop spoofing $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Allow traffice to or from internal network-did this to troubleshoot $fwcmd add pass all from ${iip} to ${inet}:${imask} via ${iif} $fwcmd add pass all from ${inet}:${imask} to ${iip} via ${iif} $fwcmd add pass all from ${oip} to ${iip} $fwcmd add pass all from ${iip} to ${oip} $fwcmd add pass all from ${oip} to ${iip}:${imask} $fwcmd add pass all from ${inet}:${imask} to ${oip} # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} # Allow TCP through if setup succeeded $fwcmd add pass tcp from any to any established # Allow setup of incoming email $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${oip} $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${oip} $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi --------------------------------------------------- ipfw list 00100 divert 8668 ip from any to any via xl1 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 192.168.100.0/24 to any in recv xl1 00400 deny ip from 208.149.231.0/29 to any in recv xl0 00500 allow ip from 192.168.100.254 to 192.168.100.0/24 via xl0 00600 allow ip from 192.168.100.0/24 to 192.168.100.254 via xl0 00700 allow ip from 208.149.231.29 to 192.168.100.254 00800 allow ip from 192.168.100.254 to 208.149.231.29 00900 allow ip from 208.149.231.29 to 192.168.100.0/24 01000 allow ip from 192.168.100.0/24 to 208.149.231.29 01100 deny ip from 192.168.0.0/16 to any via xl1 01200 deny ip from any to 192.168.0.0/16 via xl1 01300 deny ip from 172.16.0.0/12 to any via xl1 01400 deny ip from any to 172.16.0.0/12 via xl1 01500 deny ip from 10.0.0.0/8 to any via xl1 01600 deny ip from any to 10.0.0.0/8 via xl1 01700 allow tcp from any to any established 01800 allow tcp from any to 208.149.231.29 25 setup 01900 allow tcp from any to 208.149.231.29 53 setup 02000 allow tcp from any to 208.149.231.29 80 setup 02100 deny log tcp from any to any in recv xl1 setup 02200 allow tcp from any to any setup 02300 allow udp from any 53 to 208.149.231.29 02400 allow udp from 208.149.231.29 to any 53 02500 allow udp from any 123 to 208.149.231.29 02600 allow udp from 208.149.231.29 to any 123 65535 deny ip from any to any ----------------------------------------------- ipfw show 00100 92 20136 divert 8668 ip from any to any via xl1 00100 0 0 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 192.168.100.0/24 to any in recv xl1 00400 0 0 deny ip from 208.149.231.0/29 to any in recv xl0 00500 369 33990 allow ip from 192.168.100.254 to 192.168.100.0/24 via xl0 00600 474 19768 allow ip from 192.168.100.0/24 to 192.168.100.254 via xl0 00700 0 0 allow ip from 208.149.231.29 to 192.168.100.254 00800 0 0 allow ip from 192.168.100.254 to 208.149.231.29 00900 0 0 allow ip from 208.149.231.29 to 192.168.100.0/24 01000 0 0 allow ip from 192.168.100.0/24 to 208.149.231.29 01100 7 2296 deny ip from 192.168.0.0/16 to any via xl1 01200 0 0 deny ip from any to 192.168.0.0/16 via xl1 01300 0 0 deny ip from 172.16.0.0/12 to any via xl1 01400 0 0 deny ip from any to 172.16.0.0/12 via xl1 01500 0 0 deny ip from 10.0.0.0/8 to any via xl1 01600 0 0 deny ip from any to 10.0.0.0/8 via xl1 01700 0 0 allow tcp from any to any established 01800 0 0 allow tcp from any to 208.149.231.29 25 setup 01900 0 0 allow tcp from any to 208.149.231.29 53 setup 02000 0 0 allow tcp from any to 208.149.231.29 80 setup 02100 0 0 deny log tcp from any to any in recv xl1 setup 02200 0 0 allow tcp from any to any setup 02300 1 155 allow udp from any 53 to 208.149.231.29 02400 1 73 allow udp from 208.149.231.29 to any 53 02500 0 0 allow udp from any 123 to 208.149.231.29 02600 0 0 allow udp from 208.149.231.29 to any 123 65535 136 20997 deny ip from any to any -------------------------------------------------------- netstat -in Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll xl0 1500 00.50.04.03.d9.6a 584 0 389 0 0 xl0 1500 192.168.100 192.168.100.254 584 0 389 0 0 xl1 1500 00.50.04.0d.cf.f9 255 0 3 0 0 xl1 1500 208.149.231.2 208.149.231.29 255 0 3 0 0 lp0* 1500 0 0 0 0 0 tun0* 1500 0 0 0 0 0 sl0* 552 0 0 0 0 0 ppp0* 1500 0 0 0 0 0 lo0 16384 0 0 0 0 0 lo0 16384 127 127.0.0.1 0 0 0 0 0 ------------------------------------------------------------ netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 208.149.231.25 UGSc 1 6 xl1 127.0.0.1 127.0.0.1 UH 0 0 lo0 192.168.100 link#1 UC 0 0 xl0 192.168.100.15 0:80:29:67:18:a9 UHLW 1 404 xl0 998 192.168.100.15 0:80:29:67:18:a9 UHLW 1 404 xl0 998 208.149.231.24/29 link#2 UC 0 0 xl1 208.149.231.25 0:c0:49:11:60:3f UHLW 2 8 xl1 999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message