From owner-freebsd-questions Fri Feb 19 6:43: 2 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mortar.carlson.com (mortar.carlson.com [208.240.12.98]) by hub.freebsd.org (Postfix) with ESMTP id B36651166C for ; Fri, 19 Feb 1999 06:42:49 -0800 (PST) (envelope-from veldy@visi.com)
Received: from mortar.carlson.com (root@localhost) by mortar.carlson.com with ESMTP id IAA12004; Fri, 19 Feb 1999 08:42:28 -0600 (CST)
Received: from w142844 ([172.25.99.35]) by mortar.carlson.com with SMTP id IAA11990; Fri, 19 Feb 1999 08:42:27 -0600 (CST)
Message-ID: <004301be5c16$31130ac0$236319ac@w142844.carlson.com>
From: "Thomas T. Veldhouse"
To: "Brian Budnick" ,
Subject: Re: Simple FIREWALL
Date: Fri, 19 Feb 1999 08:43:18 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You also need to enable NATD and use the interface for the outside world, ed1, as your NATD interface. I usually totally destroy /etc/rc.firewall and rewrite it to my own needs. I recommend you also put IPFIREWALL_VERBOSE in your kernel and add logging to your firewall so that you can see the IP of rule breakers on your console. I have caught a few people trying to break into my system, and my IP is dynamic via a cable modem (one-way).

Tom Veldhouse
veldy@visi.com

-----Original Message-----
From: Brian Budnick
To: freebsd-questions@FreeBSD.ORG
Date: Friday, February 19, 1999 12:14 AM
Subject: Simple FIREWALL

>
> I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in
> it. The ethernet cards are set up as follows:
>
> ed1: ip: 209.90.111.199 netmask: 255.255.255.192
> pn0: ip: 10.0.0.1 netmask: 255.255.255.0
>
> I'm trying to get a simple firewall up to protect several computers on our
> network.
> I want it so that whenever we access the web from like 10.0.0.2
> it goes thru 10.0.0.1 and then that machine will be the gateway to the
> Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from
> the 10.0.0.2 machines, etc.
>
> I did the following to the server 209.90.111.199 to get it to work:
>
> /etc/defaults/rc.conf (looks as follows):
>
> ### Network routing options: ###
> defaultrouter="NO"              # Set to default gateway (or NO).
> static_routes=""                # Set to static route list (or leave empty).
> gateway_enable="YES"            # Set to YES if this host will be a gateway.
> router_enable="NO"              # Set to YES to enable a routing daemon.
> router="routed"                 # Name of routing daemon to use if enabled.
> router_flags="-q"               # Flags for routing daemon.
> mrouted_enable="NO"             # Do multicast routing (see /etc/mrouted.conf).
> mrouted_flags=""                # Flags for multicast routing daemon.
> ipxgateway_enable="NO"          # Set to YES to enable IPX routing.
> ipxrouted_enable="NO"           # Set to YES to run the IPX routing daemon.
> ipxrouted_flags=""              # Flags for IPX routing daemon.
> arpproxy_all=""                 # replaces obsolete kernel option ARP_PROXYALL.
> forward_sourceroute="NO"        # do source routing (only if gateway_enable is set to "YES")
> accept_sourceroute="NO"         # accept source routed packets to us
>
> hostname="myname.my.domain"     # Set this!
> nisdomainname="NO"              # Set to NIS domain if using NIS (or NO).
> firewall_enable="YES"           # Set to YES to enable firewall functionality
> firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
> firewall_quiet="NO"             # Set to YES to suppress rule display
> natd_enable="NO"                # Enable natd (if firewall_enable == YES).
> natd_interface="fxp0"           # Public interface to use with natd.
> natd_flags=""                   # Additional flags for natd.
> tcp_extensions="NO"             # Disallow RFC1323 extensions (or YES).
> network_interfaces="lo0"        # List of network interfaces (lo0 is loopback).
> ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
>
> ---
>
> in my /etc/rc.firewall (under the simple section my configuration reads):
>
>     # set these to your outside interface network and netmask and ip
>     oif="ed1"
>     onet="209.90.111.199/24"
>     omask="255.255.255.192"
>     oip="209.90.111.199"
>
>     # set these to your inside interface network and netmask and ip
>     iif="pn0"
>     inet="10.0.0.1/24"
>     imask="255.255.255.0"
>     iip="10.0.0.1"
>
>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} out
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
>     # Allow TCP through if setup succeeded
>     # $fwcmd add pass tcp from any to any established
>     $fwcmd add pass all from any to any
>
>     # allow IDENT for IRC
>     $fwcmd add allow tcp from any to ${oif} 113
>     $fwcmd add allow udp from any to ${oif} 113
>
>     # Allow setup of incoming email
>     $fwcmd add pass tcp from any to ${oip} 25 setup
>
>     # Allow access to our DNS
>     $fwcmd add pass tcp from any to ${oip} 53 setup
>
>     # Allow access to our WWW
>     $fwcmd add pass tcp from any to ${oip} 80 setup
>
>     # Reject&Log all setup of incoming connections from the outside
>     #$fwcmd add deny log tcp from any to any in via ${oif} setup
>
>     # Allow setup of any other TCP connection
>     $fwcmd add pass tcp from any to any setup
>
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
>
>     # Allow NTP queries out in the world
>     $fwcmd add pass udp from any 123 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 123
>
>     # Everything else is denied as default.
>
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
>     $fwcmd ${firewall_type}
> fi
>
> ---
>
> On bootup, when it displays the rulesets, it seems to have a problem with
> one of them, but I'm not sure which one.
>
> I know this message is kind of long, but I'm really wanting to get this to
> work and would appreciate anyone's kind help to let me know what's wrong.
>
> ---
>
> I tried to set up a workstation as follows:
> ip: 10.0.0.2
> subnet mask: 255.255.255.0
> gateway: 10.0.0.1
>
> I could ping 10.0.0.1; of course I couldn't ping outside our network, but
> I couldn't telnet, I couldn't do web, or IRC, or anything...
>
> Please help!
>
> Thanks.
>
> Brian
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
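The rewritten rc.firewall that Tom recommends, as an added example: this is not code from the thread and not FreeBSD's own rc.firewall. It uses Brian's interfaces and addresses (ed1/pn0, 209.90.111.199, 10.0.0.0/24); the outside network is written as 209.90.111.192/26, which is what his 255.255.255.192 mask actually denotes (the "/24" in his onet contradicts that mask). It assumes a kernel built with IPFIREWALL, IPFIREWALL_VERBOSE and IPDIVERT, and an rc.conf with gateway_enable="YES", natd_enable="YES" and natd_interface="ed1" so that natd is started on ed1. The FWCMD variable and the load/show arguments are this script's own convention. Two things in it are the points Brian's rule set misses: the divert rule is placed between the "to private net" and "from private net" checks, because packets re-enter the rule set after translation and the LAN's own traffic must not trip the RFC1918 denies; and "pass tcp from any to any established" plus a logged "deny ... setup in via ed1" replace the unconditional "pass all from any to any", which made every rule after it unreachable.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall: a from-scratch
# replacement for the "simple" section, written the way Tom suggests (rewrite the
# file, natd on ed1, log the denies). Addresses are Brian's; onet is 209.90.111.192/26
# because that is what his 255.255.255.192 netmask denotes.
#
# Assumed to be in place (FreeBSD 3.x of the thread's era):
#   kernel:  options IPFIREWALL, IPFIREWALL_VERBOSE, IPFIREWALL_VERBOSE_LIMIT=100, IPDIVERT
#   rc.conf: gateway_enable="YES"  natd_enable="YES"  natd_interface="ed1"
#            (starts "natd -n ed1"; add -dynamic in natd_flags when the outside
#            address changes, as on Tom's cable modem)

oif="ed1";  oip="209.90.111.199"; onet="209.90.111.192/26"
iif="pn0";  iip="10.0.0.1";       inet="10.0.0.0/24"

# FWCMD=echo previews the rule set instead of loading it (assumed convention).
fwcmd="${FWCMD:-/sbin/ipfw}"

load_rules() {
    $fwcmd -f flush

    # Loopback traffic, and nothing pretending to be loopback anywhere else.
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny log all from any to 127.0.0.0/8

    # Anti-spoofing. Logged: these are the "rule breakers" worth seeing.
    $fwcmd add 300 deny log all from ${inet} to any in via ${oif}
    $fwcmd add 310 deny log all from ${onet} to any in via ${iif}

    # Private DESTINATIONS on the outside interface, checked before natd so the
    # packet inspected is the untranslated one (an inbound packet still has
    # dst ${oip} here; after natd it would carry a 10.0.0.x address).
    $fwcmd add 400 deny log all from any to 10.0.0.0/8 via ${oif}
    $fwcmd add 410 deny log all from any to 172.16.0.0/12 via ${oif}
    $fwcmd add 420 deny log all from any to 192.168.0.0/16 via ${oif}

    # NAT. A diverted packet re-enters the rule set at the rule after this one
    # with its translated addresses.
    $fwcmd add 500 divert natd all from any to any via ${oif}

    # Private SOURCES on the outside interface, checked after natd: an outbound
    # packet from 10.0.0.2 has been rewritten to ${oip} by the time it gets here.
    # Putting these before the divert would drop the LAN's own traffic.
    $fwcmd add 600 deny log all from 10.0.0.0/8 to any via ${oif}
    $fwcmd add 610 deny log all from 172.16.0.0/12 to any via ${oif}
    $fwcmd add 620 deny log all from 192.168.0.0/16 to any via ${oif}

    # The LAN side is trusted: anything between the inside net and this box.
    $fwcmd add 700 pass all from ${inet} to any via ${iif}
    $fwcmd add 710 pass all from any to ${inet} via ${iif}

    # Established TCP sessions. This replaces "pass all from any to any".
    $fwcmd add 800 pass tcp from any to any established

    # New TCP connections going out: the LAN's (already NATed to ${oip}) and our own.
    $fwcmd add 900 pass tcp from ${oip} to any setup out via ${oif}

    # Services this host offers (Brian's list): SMTP, DNS, WWW, plus identd for IRC.
    for port in 25 53 80 113; do
        $fwcmd add 1000 pass tcp from any to ${oip} ${port} setup in via ${oif}
    done

    # Every other inbound connection attempt: deny AND log the source address.
    $fwcmd add 1100 deny log tcp from any to any setup in via ${oif}

    # UDP for DNS and NTP. ipfw of this era is stateless, so replies can only be
    # matched on source port; "to any" because a reply to a NATed client carries
    # an inside address as destination once it is past the divert rule.
    $fwcmd add 1200 pass udp from any to any 53 out via ${oif}
    $fwcmd add 1210 pass udp from any 53 to any in via ${oif}
    $fwcmd add 1220 pass udp from any to any 123 out via ${oif}
    $fwcmd add 1230 pass udp from any 123 to any in via ${oif}

    # ICMP: echo reply/request, unreachable, time exceeded (ping, traceroute, PMTU).
    $fwcmd add 1300 pass icmp from any to any icmptypes 0,3,8,11

    # Explicit logged default deny; the kernel's built-in rule 65535 denies silently.
    $fwcmd add 65000 deny log all from any to any
}

case "${1:-}" in
    load) load_rules ;;
    show) fwcmd=echo; load_rules ;;
esac
```

Run it with "show" to print the rules, then "load" to install them; ipfw loads one rule per invocation, so a line it rejects is reported on its own (Brian's "to ${oif} 113" is one such line: ipfw expects an address or host name there, not an interface). After loading, "ipfw -a list" shows per-rule packet counters, which is the quickest way to see which rule a test connection actually hit. Two caveats that apply to any stateless ipfw rule set of this kind: the "established" rule passes any segment with ACK or RST set, so ACK scans reach the inside, and the UDP reply rules trust the source port, so anything sent from port 53 or 123 reaches UDP services on the LAN.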
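Reading the log Tom describes, as an added example that is not part of the thread: with IPFIREWALL_VERBOSE in the kernel and "log" on the deny rules, each dropped packet produces a kernel message that syslogd writes to the console and the log file it routes kernel messages to. The function below condenses those lines into one line per offending source. The line shape it parses (rule number, action, protocol, source, destination, direction and interface after the "ipfw:" token, with "ICMP:type.code" and bare addresses for ICMP) and the sample log lines are constructed for this example, not captured from Brian's or Tom's machines.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "Deny" lines that
# IPFIREWALL_VERBOSE emits through syslog, so the rule breakers Tom mentions
# come out as one line per source instead of one line per packet.
# Assumed line shape (TCP/UDP carry ip:port, ICMP carries "ICMP:type.code"
# and bare addresses):
#   ... ipfw: <rule> <Accept|Deny|...> <proto> <src> <dst> <in|out> via <ifname>

# Reads syslog lines on stdin; prints "count src -> dst proto rule N dir via if"
# for Deny lines, most frequent first. Accept (and other) lines are skipped.
deny_summary() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+2) != "Deny") next
            rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5)
            dir = $(i+6); ifn = $(i+8)
            sub(/:.*/, "", proto)          # "ICMP:8.0" -> "ICMP"
            sub(/:[0-9]+$/, "", src)       # drop the source port: we want who, not from where
            key = src " -> " dst " " proto " rule " rule " " dir " via " ifn
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample input (not real logs): a repeated telnet probe, a portmapper
# probe, a packet with a LAN source arriving on the outside interface, a ping
# hitting the default deny, and one accepted SMTP connection that must be ignored.
SAMPLE_LOG='Feb 19 08:40:01 mortar /kernel: ipfw: 1100 Deny TCP 192.0.2.77:2345 209.90.111.199:23 in via ed1
Feb 19 08:40:03 mortar /kernel: ipfw: 1100 Deny TCP 192.0.2.77:2346 209.90.111.199:23 in via ed1
Feb 19 08:40:07 mortar /kernel: ipfw: 1100 Deny TCP 192.0.2.77:2347 209.90.111.199:23 in via ed1
Feb 19 08:41:12 mortar /kernel: ipfw: 1100 Deny TCP 198.51.100.9:1033 209.90.111.199:111 in via ed1
Feb 19 08:42:30 mortar /kernel: ipfw: 300 Deny TCP 10.0.0.5:1024 209.90.111.199:80 in via ed1
Feb 19 08:43:02 mortar /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.4 209.90.111.199 in via ed1
Feb 19 08:44:15 mortar /kernel: ipfw: 1000 Accept TCP 198.51.100.9:1040 209.90.111.199:25 in via ed1'

# Runs the summary over the constructed sample; on a live box you would pipe
# the real log file (or "tail -f" of it) into deny_summary instead.
sample_summary() { printf '%s\n' "$SAMPLE_LOG" | deny_summary; }
```

The spoofed 10.0.0.5 line is the interesting one in the sample: it is the anti-spoofing rule firing, and a source that should never appear on ed1 is worth more attention than a dozen telnet probes. If the log floods, IPFIREWALL_VERBOSE_LIMIT (or its sysctl net.inet.ip.fw.verbose_limit) caps the number of messages per rule, which is also why summarising by source rather than by packet is the right view.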