Date: Wed, 4 Jul 2001 18:31:41 +0200 From: "Christoph Mathys" <cmathys@bluewin.ch> To: "FreeBSD" <questions@freebsd.org> Subject: ipf an DoD Message-ID: <ABELIDDNMBPCBGKEFICPEEJJCBAA.cmathys@bluewin.ch>
[-- Attachment #1 --]
hello everybody
I have a problem with ipf and the Dial-on-Demand feature. Until now
I haven't had any idea how to solve the problem. I use user-ppp to connect
to the internet, ipf for port filtering and ipnat for network address
translation. It all works all right if I reload the rules after booting up.
But right after boot-up I'm not able to bring the link up by a
request to port 80. I'm able to ping the 4.3BSD-Gateway on the internal
interface,
but I can't connect out until I have reloaded the rules (ipf -Fa -f
/etc/iptest.rules).
To bring the link up I send a request for an external
resource port 80 to the BSD-Gateway, with telnet most of the time (telnet
123.123.123.123 80).
I have included the ppp.conf, iptest.rules (the ipf rules), ipnat.rules
(the ipnat rules)
and rc.conf. I configured the kernel with the options IPFILTER,
IPFILTER_DEFAULT_BLOCK
and IPFILTER_LOG. I hope somebody can help me. If you need some additional
information, please
mail me (mailto:xeon@gmx.ch)
Chris
[-- Attachment #2 --]
#File Date June the 23th 2001 Time:0016
#(c) C. Mathys
# /etc/ipnat.rules -- loaded at boot via rc.conf (ipnat_rules).
# ipnat takes the first matching map rule, so the ftp proxy line must stay
# above the general portmap line or active-FTP from the LAN will not be proxied.
map tun0 192.168.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.10.0/24 -> 0/32 portmap tcp/udp 20000:30000
#This maps all traffic coming from 192.168.10.0/24 to the tun0 device.
#0/32 means that the address to which the packet is translated is the
#one received from the ISP. portmap means that the source port of an
#outgoing packet is translated to a value between the 2 specified.
[-- Attachment #3 --]
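# /etc/iptest.rules -- IP Filter ruleset loaded at boot via rc.conf (ipfilter_rules).
# The kernel is built with IPFILTER_DEFAULT_BLOCK, so anything not explicitly
# passed is dropped. Inbound replies on tun0 are admitted only through the state
# table created by the "keep state" rules in group 20 below.
# NOTE(review): rules naming tun0 are bound to the interface at load time; if tun0
# does not exist yet when these rules load at boot (ppp creates it later), they
# may not match until the rules are reloaded or the interface list is resynced
# (ipf -y) -- confirm against the running system.
#loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
#internal interface
pass in quick on ed0 all
pass out quick on ed0 all
#group selection
block in quick on tun0 all head 10 #anti spoofing
block out quick on tun0 all head 20 #outgoing traffic
#anti spoofing rules on tun0 for incoming traffic
#The head rule already blocks all inbound tun0 traffic that is not a state-table
#match; these entries exist so that spoofed sources are logged by ipmon.
block in log quick on tun0 from 127.0.0.0/8 to any group 10 #loopback subnet
block in log quick on tun0 from 10.0.0.0/8 to any group 10 #private address space (RFC 1918)
block in log quick on tun0 from 169.254.0.0/16 to any group 10 #link-local autoconfig
block in log quick on tun0 from 172.16.0.0/12 to any group 10 #private address space (RFC 1918); /16 only covered 172.16.x.x
block in log quick on tun0 from 192.168.0.0/16 to any group 10 #private address space (RFC 1918)
block in log quick on tun0 from 224.0.0.0/3 to any group 10 #multicast and reserved (224.0.0.0-255.255.255.255)
#outgoing traffic on tun0
#Only new connections (SYN) from the LAN are passed; replies come back via state.
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 20 flags S keep state group 20 #ftpdata
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 21 flags S keep state group 20 #ftp
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 25 flags S keep state group 20 #smtp
pass out quick on tun0 proto udp from 192.168.10.0/24 to any port = 53 keep state group 20 #dns
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 53 flags S keep state group 20 #dns
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 80 flags S keep state group 20 #http
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 110 flags S keep state group 20 #pop3
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 443 flags S keep state group 20 #https
pass out quick on tun0 proto icmp from 192.168.10.0/24 to any keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 7000 flags S keep state group 20 #irc-chat on bluewin
#Debugging aid: uncomment to log (and pass) all other outbound LAN traffic.
#pass out log quick on tun0 from 192.168.10.0/24 to any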
[-- Attachment #4 --]
# /etc/rc.conf -- sysinstall generated deltas (Created: Sun Jun 17 00:45:58 2001)
# Only the overrides from /etc/defaults/rc.conf live here; make all changes in
# this file rather than in the defaults.

# --- host and interfaces ---
hostname="hwbsd.spiele.local"
network_interfaces="lo0 ed0"
ifconfig_ed0="inet 192.168.10.81 netmask 255.255.255.0"
# no static default route: user-ppp installs one ("add! default HISADDR") when the link comes up
defaultrouter="NO"
# forward packets between ed0 and the ppp link
gateway_enable="YES"
router_enable="NO"
kern_securelevel_enable="NO"

# --- IP Filter / NAT ---
ipfilter_enable="YES"
ipfilter_rules="/etc/iptest.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
# ipmon as a daemon (-D), writing to a file instead of syslog
ipmon_enable="YES"
ipmon_flags="-D /var/log/firewall.log"

# --- user-ppp (dial on demand) ---
ppp_enable="YES"
# auto mode: the link is brought up when outbound traffic matches ppp's dial filter
ppp_mode="auto"
# address translation is done by ipnat, not by ppp's built-in NAT
ppp_nat="NO"
ppp_profile="bluewin"
ppp_user="root"

# --- services ---
inetd_enable="YES"
sshd_enable="YES"
sendmail_enable="NO"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/cuaa0"
moused_type="auto"
[-- Attachment #5 --]
#################################################################
# PPP Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.2.2.4 2001/02/22 23:28:42 brian Exp $
#################################################################
default:
# Settings shared by every profile in this file (modem on the second serial port).
set device /dev/cuaa1
set log Phase Chat LCP IPCP CCP tun command
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
\"\" AT OK-AT-OK \\ATDT\\T TIMEOUT 40 CONNECT"
# /0 masks: the peer may assign both the local and the remote address during IPCP
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
set timeout 300 # 5 minute idle timer (the default)
disable lqr
# adds TCP/IP packet logging on top of the log levels set above (verbose)
set log +tcp/ip
#dialup filter
# In auto mode only packets permitted here trigger a dial: outbound TCP to port 80
# brings the link up, anything else does not (hence the "telnet ... 80" test).
set filter dial 0 permit 0 0 tcp dst eq 80
set filter dial 1 deny 0/0 0/0
#keep alive filter
# Packets denied here do not reset the idle timer, so background chatter
# (NetBIOS, routing daemons, ICQ servers) cannot keep the link up on its own.
set filter alive 0 deny 0 0 udp dst eq 137 #NETBIOS name service
set filter alive 1 deny 0 0 udp dst eq 138 #NETBIOS datagram service
set filter alive 2 deny 0 0 udp dst eq 139 #NETBIOS session service
set filter alive 3 deny 0 0 udp src eq 137
set filter alive 4 deny 0 0 udp src eq 138
set filter alive 5 deny 0 0 udp src eq 139
set filter alive 6 deny 0 MYADDR icmp #pings to me from outside
set filter alive 7 deny 0 0 udp src eq 520 #routed
set filter alive 8 deny 0 0 udp dst eq 520 #routed
set filter alive 9 deny 0 0 udp src eq 513 #rwhod
set filter alive 10 deny 0 0 udp src eq 525 #timed
set filter alive 11 deny 0 205.188.179.233/32 #ICQ-server 1
set filter alive 12 deny 0 64.12.162.57 #ICQ-Server 2
# everything else counts as activity
set filter alive 13 permit 0/0 0/0
bluewin:
# Dial-up profile selected by rc.conf (ppp_profile="bluewin"); inherits "default:" above.
set phone 2365482365
set authname myusername
# NOTE(review): the PAP/CHAP key lives in this file, so keep ppp.conf root-owned and
# mode 0600 (ppp is expected to reject looser permissions -- confirm). Values shown
# here look like placeholders.
set authkey mypassword
add! default HISADDR # Add a (sticky) default route
enable dns # request DNS info (for resolv.conf)
