Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Feb 1999 23:13:55 -0700 (MST)
From:      Brian Budnick <clubkid@bzzzz.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Simple FIREWALL
Message-ID:  <Pine.BSF.4.05.9902182301050.346-100000@stardust.bzzzz.com>

next in thread | raw e-mail | index | archive | help

I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in
it. The ethernet cards are setup as follows:

ed1: ip: 209.90.111.199 netmask: 255.255.255.192 
pn0: ip: 10.0.0.1 netmask: 255.255.255.0

I'm trying to get a simple firewall up to protect several computers on our
network. I want it so that whenever we access the web from like 10.0.0.2
it goes thru 10.0.0.1 and then that machine will be the gateway to the
Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from
the 10.0.0.2 machines, etc.

I did the following to the server 209.90.111.199 to get it to work:

/etc/defaults/rc.conf (looks as follows):

<snip>

### Network routing options: ###
defaultrouter="NO"              # Set to default gateway (or NO). 
static_routes=""                # Set to static route list (or leaveempty).
gateway_enable="YES"            # Set to YES if this host will be agateway. 
router_enable="NO"              # Set to YES to enable a routing daemon.
router="routed"                 # Name of routing daemon to use ifenabled. 
router_flags="-q"               # Flags for routing daemon.
mrouted_enable="NO"             # Do multicast routing (see/etc/mrouted.conf).
mrouted_flags=""                # Flags for multicast routing daemon.
ipxgateway_enable="NO"          # Set to YES to enable IPX routing.
ipxrouted_enable="NO"           # Set to YES to run the IPX routingdaemon.
ipxrouted_flags=""              # Flags for IPX routing daemon.
arpproxy_all=""                 # replaces obsolete kernel optionARP_PROXYALL.
forward_sourceroute="NO"        # do source routing (only ifgateway_enable is set to "YES")
accept_sourceroute="NO"         # accept source routed packets to us

<snip>

hostname="myname.my.domain"     # Set this!
nisdomainname="NO"              # Set to NIS domain if using NIS (or NO).
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
natd_enable="NO"                # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"           # Public interface to use with natd.
natd_flags=""                   # Additional flags for natd.
tcp_extensions="NO"             # Disallow RFC1323 extensions (or YES).
network_interfaces="lo0"        # List of network interfaces (lo0 is loopback).
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.

---

in my /etc/rc.firewall (under the simple section my configuration reads):

# set these to your outside interface network and netmask and ip  
    oif="ed1"
    onet="209.90.111.199/24"
    omask="255.255.255.192" 
    oip="209.90.111.199"
 
    # set these to your inside interface network and netmask and ip
    iif="pn0"
    inet="10.0.0.1/24"
    imask="255.255.255.0"
    iip="10.0.0.1"

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} out
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    # $fwcmd add pass tcp from any to any established
    $fwcmd add pass all from any to any
   
    # allow IDENT for IRC
    $fwcmd add allow tcp from any to ${oif} 113
    $fwcmd add allow udp from any to ${oif} 113
 
 # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    #$fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
fi
 
---

On Bootup when it displays the rulesets it seems to have a problem with
one of them but i'm not sure which one.

i know this message is kind of long but i'm really wanting to get this to
work and would appreciate anyones kind help to let me know what's wrong.

---

i tried to setup a work station as follows:
ip: 10.0.0.2
subnetmask: 255.255.255.0
gateway: 10.0.0.1

i could ping 10.0.0.1, of course i couldn't ping outside our network, but
I couldn't telnet, i couldn't do web, or irc, or anything... 

Please Help!

Thanks.

Brian





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9902182301050.346-100000>