Date: 01 May 2002 18:43:52 +0100
From: "S. Roberts" <sroberts@dsl.pipex.com>
To: freebsd-questions@freebsd.org
Subject: Firewall config and logs
Message-ID: <1020275032.292.16.camel@Demon.Strobe.org>
[-- Attachment #1 --]
Hello,
I have a question about my firewall configs.
I've progressed from connecting over user ppp via 56k dial-up external
modem with a firewall rule-set (and Portsentry as per the mention in
Unleashed) that I thought worked well enough.
I've since moved on to connecting via DSL (dynamic IP) - PPPoE with a
new ISP. What I've done is simply *added* relevant entries to my
firewall rules so as to cater for new IP addresses provided by my new
ISP. I still have the dial-up account with the first ISP, I just don't
use it as often.
Here's what I figured:
Seeing that I now connect via my nic, I might be able to remove entries
for tun0 in my rules and replace them with that for my nic card that's
connected to my router.
What I found is that I could no longer ping my router, the nic, nor
anything over the Internet.
I'm somewhat confused by this. If I'm using my nic, why should removing
entries for tun0 (previously set up for my serial modem) cause the
firewall to prevent connection?
I'd appreciate someone clearing this up for me, please.
Further to this, I would also be grateful for assistance in setting up
logging for my firewall operations (record entries of denied packets /
connection attempts). I've included a sanitized copy of my rules here
for clarity. Should you require more info, please let me know.
Uname:
$ uname -a
FreeBSD <snip> 4.5-STABLE FreeBSD 4.5-STABLE #0: Sun Apr 28 12:24:07 BST
2002 <snip>:/usr/src/sys/compile/IRON i386
$
Firewall options in rc.conf:
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
Thanks for the time,
Stacey
--
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
[-- Attachment #2 --]
<?xml version="1.0"?>
<!DOCTYPE abiword PUBLIC "-//ABISOURCE//DTD AWML 1.0 Strict//EN" "http://www.abisource.com/awml.dtd">
<abiword xmlns="http://www.abisource.com/awml.dtd" xmlns:awml="http://www.abisource.com/awml.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg" xmlns:fo="http://www.w3.org/1999/XSL/Format" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:dc="http://purl.org/dc/elements/1.1/" version="1.0.0" fileformat="1.0" styles="unlocked">
<!-- ===================================================================== -->
<!-- This file is an AbiWord document. -->
<!-- AbiWord is a free, Open Source word processor. -->
<!-- You may obtain more information about AbiWord at www.abisource.com -->
<!-- You should not edit this file by hand. -->
<!-- ===================================================================== -->
<styles>
<s type="P" name="Normal" basedon="" followedby="Current Settings" props="font-family:Times New Roman; margin-top:0pt; font-variant:normal; margin-left:0pt; text-indent:0in; widows:2; font-style:normal; font-weight:normal; text-decoration:none; color:000000; line-height:1.0; text-align:left; margin-bottom:0pt; text-position:normal; margin-right:0pt; bgcolor:transparent; font-size:12pt; font-stretch:normal"/>
</styles>
<pagesize pagetype="Letter" orientation="portrait" width="8.500000" height="11.000000" units="in" page-scale="1.000000"/>
<section props="page-margin-footer:0.5in; page-margin-header:0.5in">
<p style="Normal"><c props="lang:en-US"># Firewall Rules </c></p>
<p style="Normal"><c props="lang:en-US"># Define Firewall Command</c></p>
<p style="Normal"><c props="lang:en-US">fwcmd="/sbin/ipfw"</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Force Flushing of Current Rule-Set Before Reload</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd -f flush</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Divert All Packets Through Tunnel Device</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add divert natd all from any to any via tun0</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Block all incoming Fragmented packets</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add deny all from any to any in frag</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Reject & Log all setup of incoming connections from outside</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add deny log tcp from any to any in via <nic> setup</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Allow All Data from my NIC and Localhost</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow ip from any to any via lo0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow ip from any to any via <nic></c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Allow All Connections I Initiate</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow tcp from any to any out xmit <nic> setup</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Once Connection Established, Allow To Stay Open</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow tcp from any to any via <nic> established</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Send Reset To All Ident Packets</c></p>
<p style="Normal"><c props="lang:en-US"># Allow Outgoing DNS Queries ONLY to These Specified Servers</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit sis0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit sis0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from any to <isp dns> 53 out xmit tun0</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Allow DNS Queries Back In With Results</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv sis0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv sis0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow udp from <isp dns> 53 to any in recv tun0</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Allow ICMP For PING and Traceroute</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add allow icmp from any to any</c></p>
<p style="Normal"><c props="lang:en-US"></c></p>
<p style="Normal"><c props="lang:en-US"># Deny The Rest</c></p>
<p style="Normal"><c props="lang:en-US">$fwcmd add deny log ip from any to any</c></p>
</section>
</abiword>
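On the logging question in the post above, as an added example that is not part of the original message: on FreeBSD 4.x a rule's `log` keyword only produces entries while `net.inet.ip.fw.verbose` is nonzero (the IPFIREWALL_VERBOSE kernel option just sets that default), `net.inet.ip.fw.verbose_limit` caps how many lines one rule may emit, and syslog delivers the entries via the security facility to /var/log/security. The script below is written here, not taken from the post; it summarizes the denied packets in a handful of constructed log lines whose hostname, rule numbers, addresses and interfaces are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): summarize ipfw "deny log" hits
# from a FreeBSD 4.x /var/log/security. Assumes logging is on (sysctl
# net.inet.ip.fw.verbose=1) and the classic 4.x line format:
#   ipfw: <rule> <Action> <Proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
# The lines below are constructed sample data (hostname, rules, hosts, ifaces).

SAMPLE_LOG='May  1 18:40:01 iron /kernel: ipfw: 300 Deny TCP 203.0.113.9:4321 198.51.100.7:22 in via tun0
May  1 18:40:03 iron /kernel: ipfw: 300 Deny TCP 203.0.113.9:4322 198.51.100.7:23 in via tun0
May  1 18:40:09 iron /kernel: ipfw: 65000 Deny UDP 203.0.113.50:137 198.51.100.7:137 in via tun0
May  1 18:40:12 iron /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.77 198.51.100.7 in via tun0
May  1 18:40:15 iron /kernel: ipfw: 200 Accept TCP 198.51.100.7:1025 192.0.2.10:80 out via tun0'

# Read log lines on stdin; print "count rule proto direction iface" for every
# denied packet, most frequent first. Fields: $6="ipfw:" $7=rule $8=action
# $9=proto ... $(NF-2)=in|out $NF=interface.
summarize_denies() {
    awk '
        $6 == "ipfw:" && $8 == "Deny" {
            proto = $9; sub(/:.*/, "", proto)          # "ICMP:8.0" -> "ICMP"
            key = $7 " " proto " " $(NF-2) " " $NF     # rule proto dir iface
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Count denied packets seen on one interface; a zero here for the interface
# you expect traffic on usually means the rule is matching a different one.
count_denies_on() {
    awk -v want="$1" '
        $6 == "ipfw:" && $8 == "Deny" && $NF == want { n++ }
        END { print n + 0 }
    '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Run it against the real file with `summarize_denies < /var/log/security` once the sample block is removed; the `via <iface>` column is the quickest way to see which interface the denied packets actually arrived on.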