From owner-freebsd-questions@FreeBSD.ORG Wed Sep 26 20:12:28 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0871816A46D for ; Wed, 26 Sep 2007 20:12:28 +0000 (UTC) (envelope-from cyocum@gmail.com) Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185]) by mx1.freebsd.org (Postfix) with ESMTP id C337113C4A8 for ; Wed, 26 Sep 2007 20:12:27 +0000 (UTC) (envelope-from cyocum@gmail.com) Received: by rv-out-0910.google.com with SMTP id l15so1900141rvb for ; Wed, 26 Sep 2007 13:12:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=ip0ti9kOjzh4M1wCbWCr6hQhDewJxkZ3YnzZJE/eWTg=; b=ldnbuBennVUqEKoFjuTlH5nL3IK9Th5LuRJM6J/89BdhNyDk/zL+LcFUeRjRh/xUobS02BQyCe/hDfrdnn3+OfusciSSGfN8/9k83DZr8U79rIyoRiC2uo1TpiW0dpdyzsHFi+M0gS1b0bhlJY/3Jq7E4alL5vXBt7KWkmjQII0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ZlKmochnnjN3M23FzYLSs+0s027PkPX5VOjeemhXgYSxCeGzHAWfwfbWM9UbHHG9X3iGse5U1Jet+Eb1MCIXOQDVzyVM0wnWt2P2/ZxIdHiaBB+0+aVn89uv6AXKfcbQ1AGb1Q94aCE34nDBFeiI67aqhtV3i/pf2lZK8WhrYcE= Received: by 10.141.88.3 with SMTP id q3mr368217rvl.1190835989382; Wed, 26 Sep 2007 12:46:29 -0700 (PDT) Received: by 10.141.13.16 with HTTP; Wed, 26 Sep 2007 12:46:29 -0700 (PDT) Message-ID: <82bb54530709261246p203f751fk2df592d30b003b89@mail.gmail.com> Date: Wed, 26 Sep 2007 20:46:29 +0100 From: "Chris Yocum" To: freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Dumb IPFW Question X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Sep 2007 20:12:28 -0000 Hi Everyone, Just to explain a bit, I have installed a FreeBSD 6.2 system on a machine to act as a natd router. I turned on the firewall and set the firewall rule script to the one from the handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html) (Example Ruleset #2 at the bottom). After some investigation when I could not get www, I discovered that somehow port 53 is blocked even when I explicitly open it. This happens when I uncomment the rule "# Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif". So essentially, when I use that line, I loose my DNS and my www will not work anymore. I also get "Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP :53 :53 out via sis0" in my /var/log/security file. I have appended the ipfw rules below so you can see all the changes that I made from the original. Otherwise, it all works great and I could not be happier. Thank you in advance for any help that you may be able to provide. I am sure that it is some small blunder on my part. Thanks!, Chris #!/bin/sh cmd="ipfw -q add" skip="skipto 800" pif="sis0" # public interface name of NIC # facing the public Internet ################################################################# # No restrictions on Inside LAN Interface for private network # Change xl0 to your LAN NIC interface name ################################################################# $cmd 005 allow all from any to any via xl0 ################################################################# # No restrictions on Loopback Interface ################################################################# $cmd 010 allow all from any to any via lo0 ################################################################# # check if packet is inbound and nat address if it is ################################################################# $cmd 014 divert natd ip from any to any in via $pif ################################################################# # Allow the packet through if it has previous been added to the # the "dynamic" rules table by a allow keep-state statement. ################################################################# $cmd 015 check-state ################################################################# # Interface facing Public Internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network or from this gateway server # destine for the public Internet. ################################################################# # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 023 $skip udp from any to 53 out via $pif setup keep-state $cmd 024 $skip udp from any to 53 out via $pif setup keep-state $cmd 025 $skip udp from any to 53 out via $pif setup keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. $cmd 030 $skip udp from any to 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state #for some reason this is the university's IMAP setting $cmd 062 $skip tcp from any to any 993 out via $pif setup keep-state # Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out via $pif keep-state # Allow out Time $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state # Allow out nntp news (i.e. news groups) $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state # Allow out whois $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state # Allow ntp time server $cmd 130 $skip udp from any to any 123 out via $pif keep-state # allow out VPN $cmd 140 $skip tcp from any to any 1723 out via $pif keep-state ################################################################# # Interface facing Public Internet (Inbound Section) # Interrogate packets originating from the public Internet # destine for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny tcp from any to any 137 in via $pif $cmd 321 deny tcp from any to any 138 in via $pif $cmd 322 deny tcp from any to any 139 in via $pif $cmd 323 deny tcp from any to any 81 in via $pif # Deny any late arriving packets $cmd 330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 332 deny tcp from any to any established in via $pif # Allow traffic in from ISP's DHCP server. This rule must contain # the IP address of your ISP's DHCP server as it's the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to # the public Internet. This is the same IP address you captured # and used in the outbound section. $cmd 360 allow udp from to any 68 in via $pif keep-state #allow in information from the ISP's DNS $cmd 361 allow udp from 53 to any in via $pif keep-state $cmd 362 allow udp from 53 to any in via $pif keep-state # Allow in standard www function because I have Apache server #$cmd 370 allow tcp from any to any 80 in via $pif setup limit src-addr 2 # Allow in secure FTP, Telnet, and SCP from public Internet $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet # labeled non-secure because ID & PW are passed over public # Internet as clear text. # Delete this sample group if you do not have telnet server enabled. #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 # Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif #---this is the line that causes my DNS to stop working--- # Reject & Log all unauthorized out going connections to the public Internet #$cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any # Everything else is denied by default # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ################ End of IPFW rules file ###############################