Date:      Fri, 25 Jun 1999 08:38:18 -0600
From:      Oscar Bonilla <obonilla@fisicc-ufm.edu>
To:        "David B. Aas" <dave@ciminot.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: I can't get ipfw and natd to work!
Message-ID:  <19990625083818.B366@fisicc-ufm.edu>
In-Reply-To: <000201bebeb0$ab280200$0fc8a8c0@dave.ciminot.com>; from David B. Aas on Thu, Jun 24, 1999 at 09:15:59PM -0500
References:  <000201bebeb0$ab280200$0fc8a8c0@dave.ciminot.com>

On Thu, Jun 24, 1999 at 09:15:59PM -0500, David B. Aas wrote:
> Help, Please!
> 
> I am trying to get ipfw and natd to work on a "simple" firewall. I have been
> using the instructions in the Complete FreeBSD book by Greg Lehey, and using
> defaults to set this thing up. That didn't work. I tried email
> correspondence with Dan Busarow, and I stumped him.

Let's go back to the basics... 

1. Sit at the console (i.e. never do this remotely)
2. Leave your firewall open
3. Decide which sort of traffic you want to let through now
4. Add ONE RULE AT A TIME and test if you've not broken anything
5. Go back to 3

It's really easy to mess up a firewall, especially with nat involved.

> I am using an FTP install of 3.2-RELEASE. I recompiled my kernel with the
> IPDIVERT and IPFIREWALL options. I have a permanent Internet connection at
> 208.149.231.25. My external IP is 208.149.231.29 on device xl1. My internal
> device, xl0 is set for IP 192.168.100.254.
> 
> I cannot ping to the outside world. I get an error message "natd[122]:
> failed to write packet back (permission denied)". I want to hook up Windows
> computers to my network, use RFC1918 net addresses inside my network, and
> share a fast connection to the Internet on my network. This is not rocket
> science, but I can't seem to get this to work!
> 
> Here are relevant details. I would appreciate any help. I am ready to hurt
> myself if I don't get this going soon.
> 
> Dave Aas
> dave@ciminot.com
> ------------------------------------
> rc.conf
> firewall_type="simple"

I always start with "open" and work from there. It is my impression that
"simple" was designed for firewalling between two valid IP nets, i.e. not
nat.

> -----------------------------------------
> rc.local
> natd -use_sockets -same_ports -unregistered_only -dynamic -interface xl1
> ------------------------------------------
> rc.firewall
> ############
> ############
> # These rules are required for using natd.  All packets are passed to
> # natd before they encounter your remaining rules.  The firewall rules
> # will then be run again on each packet after translation by natd,
> # minus any divert rules (see natd(8)).
> if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
>         $fwcmd add divert natd all from any to any via ${natd_interface}
> fi

This is something you will always leave here.

> elif [ "${firewall_type}" = "simple" ]; then
> 
>     # set these to your outside interface network and netmask and ip
>     oif="xl1"
>     onet="208.149.231.0"
>     omask="255.255.255.248"
>     oip="208.149.231.29"
> 
>     # set these to your inside interface network and netmask and ip
>     iif="xl0"
>     inet="192.168.100.0"
>     imask="255.255.255.0"
>     iip="192.168.100.254"
> 
>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

These are ok.

>     # Allow traffic to or from internal network-did this to troubleshoot
>     $fwcmd add pass all from ${iip} to ${inet}:${imask} via ${iif}
>     $fwcmd add pass all from ${inet}:${imask} to ${iip} via ${iif}

I don't think you need these two, at least not with the "via ${iif}"

>     $fwcmd add pass all from ${oip} to ${iip}
>     $fwcmd add pass all from ${iip} to ${oip}
>     $fwcmd add pass all from ${oip} to ${iip}:${imask}
>     $fwcmd add pass all from ${inet}:${imask} to ${oip}

These four are not needed. I would say delete those past 6 rules.

> 
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 

I usually don't do this, but I would test it first.

>     # Allow TCP through if setup succeeded
>     $fwcmd add pass tcp from any to any established
> 
>     # Allow setup of incoming email
>     $fwcmd add pass tcp from any to ${oip} 25 setup

Is this machine your mail server?

> 
>     # Allow access to our DNS
>     $fwcmd add pass tcp from any to ${oip} 53 setup

And your dns server?

> 
>     # Allow access to our WWW
>     $fwcmd add pass tcp from any to ${oip} 80 setup

And your www server?

> 
>     # Reject&Log all setup of incoming connections from the outside
>     $fwcmd add deny log tcp from any to any in via ${oif} setup
> 
>     # Allow setup of any other TCP connection
>     $fwcmd add pass tcp from any to any setup
> 
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
> 
>     # Allow NTP queries out in the world
>     $fwcmd add pass udp from any 123 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 123
> 
>     # Everything else is denied as default.
> 
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
>         $fwcmd ${firewall_type}
> fi
> ---------------------------------------------------


I'd say the moral of the story is:

Start with a minimalist firewall (one with only the divert rule and the
deny all from any to any). Then start adding rules (one at a time) until you
get it right.

email if you need more help.

-Oscar

p.s. you can't ping because you don't have a rule for icmp and in your
"debug pass all rules" you're only allowing the firewall itself to do
it, not the clients.


-- 
For PGP Public Key: finger obonilla@fisicc-ufm.edu
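The minimalist starting point the reply describes (divert rule first, deny all at the end, then rules added one at a time, including the icmp rule from the p.s.), written out as an added example that is not part of the original message or of FreeBSD's rc.firewall. It reuses the interface and address values quoted in the thread, assumes the stateless ipfw of 3.2 (no keep-state), and defaults FWCMD to "echo ipfw" so the rule list can be reviewed offline before it is run with FWCMD=ipfw from the console.

```shell
# Minimal ipfw + natd rule set (added example, not the rc.firewall from the thread).
# Interface and address values are the ones quoted in the thread; FWCMD defaults
# to "echo ipfw" so the rules can be inspected offline, then run with FWCMD=ipfw
# from the console, one rule at a time if anything misbehaves.

oif="xl1"; onet="208.149.231.0"; omask="255.255.255.248"
iif="xl0"; inet="192.168.100.0"; imask="255.255.255.0"

# Emit the rules in order; $1 is the command prefix ("ipfw" or "echo ipfw").
gen_rules() {
    fwcmd="$1"
    $fwcmd -f flush
    # Divert first: natd must see every packet crossing the outside interface.
    $fwcmd add 100 divert natd all from any to any via ${oif}
    # Anti-spoofing, kept from the original "simple" set; must precede the LAN pass.
    $fwcmd add 200 deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add 210 deny all from ${onet}:${omask} to any in via ${iif}
    # Loopback and the inside interface are trusted.
    $fwcmd add 300 pass all from any to any via lo0
    $fwcmd add 310 pass all from any to any via ${iif}
    # ICMP is what the "can't ping" report was missing. Match on the interface,
    # not on the firewall's own address, so translated client packets pass too.
    $fwcmd add 400 pass icmp from any to any via ${oif}
    # TCP: established flows, outbound setup only; inbound setup is logged and dropped.
    $fwcmd add 500 pass tcp from any to any established
    $fwcmd add 510 deny log tcp from any to any in via ${oif} setup
    $fwcmd add 520 pass tcp from any to any setup
    # Stateless UDP for DNS and NTP, again not tied to ${oip} so clients work.
    $fwcmd add 600 pass udp from any to any 53 via ${oif}
    $fwcmd add 610 pass udp from any 53 to any via ${oif}
    $fwcmd add 620 pass udp from any to any 123 via ${oif}
    $fwcmd add 630 pass udp from any 123 to any via ${oif}
    # Everything else is denied and logged; add further rules one at a time.
    $fwcmd add 65000 deny log all from any to any
}

gen_rules "${FWCMD:-echo ipfw}"
```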