Date:      Tue, 12 Dec 2000 16:28:46 -0700
From:      "Carlos Andrade" <carlos@rjstech.com>
To:        <freebsd-ipfw@FreeBSD.ORG>
Subject:   sigh, today is just not my day.
Message-ID:  <000101c06493$46aa2620$fadef9ce@rjstech.com>

This is a multi-part message in MIME format.

------=_NextPart_000_0002_01C06458.9A4B4E20
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Right, first off thank you to all who helped me out with the
kern.securelevel issue.  Okay, here we go.  The major reason for me to be
doing this is that my boss wants a firewall ASAP.  She purchased Checkpoint
for $2000-2500, and it needed a subscription ~$400/year.  I talked to her
about using a Unix based firewall solution and the cost would be only in
work hours (unlike Checkpoint which would add $$$).  She liked the idea.
Our ISP uses FreeBSD, so I thought what the hell, why not.  I am coming from
a Linux/SunOS background, but more as a CS student than as an admin.  This
email list and its members have been great to me.  Okay, so the conundrum.  I
want to test the FreeBSD (4.1.1) machine.  It has two NICs; ifconfig comes
up great (please see attachment info.txt).  I have a set of firewall rules
in ipfw that seem to do the trick (please see attachment rc_firewall.txt).
So here goes.
*** note that xl1 has no carrier since I unplugged the crossover cable ***

                 My machine (Win98)        FreeBSD machine
IP               192.168.1.250             192.168.1.225 (inside interface)
netmask          255.255.255.224           255.255.255.224
gateway          192.168.1.225 (the firewall machine)
DNS servers      same as the FreeBSD machine's (i.e. our ISP's DNS servers)

Right.  So the FreeBSD machine can see the outside world.  When I have my
machine behind the firewall I can't see Jack (if at all).  What am I doing
wrong?  Any help will be appreciated.  I have been poring over the FreeBSD
website, freebsddiary.org, and other sites.
You guys/gals rock.

-Carlos Andrade
----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13  915.845.2119 fax
carlos@rjstech.com

------=_NextPart_000_0002_01C06458.9A4B4E20
Content-Type: text/plain;
	name="rc_firewall.txt"
Content-Disposition: attachment;
	filename="rc_firewall.txt"

############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.6 2000/09/21 07:44:53 ru Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Ss][Ii][Mm][Pp][Ll][Ee])

# I deleted open and client, too many conflicts
# so we go directly into simple
# This is a prototype setup for a simple firewall.  Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

	# set these to your outside interface network and netmask and ip
	# (with a 255.255.255.224 mask the network holding .226 is .224, not .0;
	# the anti-spoofing rules below only work if onet really contains oip)
	oif="xl0"
	onet="206.249.222.224"
	omask="255.255.255.224"
	oip="206.249.222.226"

	# set these to your inside interface network and netmask and ip
	# (likewise the /27 holding .225 and the Win98 box at .250 is .224)
	iif="xl1"
	inet="192.168.1.224"
	imask="255.255.255.224"
	iip="192.168.1.225"

	#dns servers
	#dns1="204.90.111.2"
	#dns2="205.137.48.5"

	# Stop spoofing
	${fwcmd} add 300 deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add 400 deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add 500 deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add 600 deny all from any to 10.0.0.0/8 out via ${oif}
	${fwcmd} add 700 deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add 800 deny all from any to 172.16.0.0/12 out via ${oif}
	${fwcmd} add 900 deny all from 192.168.0.0/16 to any via ${oif}
	${fwcmd} add 1000 deny all from any to 192.168.0.0/16 out via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add 1100 deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add 1200 deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add 1300 deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add 1400 deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add 1500 deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add 1600 deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add 1700 deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add 1800 deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add 1900 deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add 2000 deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add 2100 pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add 2200 pass all from any to any frag

# TCP STUFF

	# Allow access to sendmail for incoming email
	${fwcmd} add 2300 pass tcp from any to ${oip} 25 setup

	# Allow access to our WWW
	${fwcmd} add 2400 pass tcp from any to ${oip} 80 setup

	#SSH login - allow and log all incoming
	${fwcmd} add 2500 pass log tcp from any to any 22 in via ${oip} setup

	#IDENT - reset incoming connections
	${fwcmd} add 2600 reset tcp from any to any 113 in via ${oif} setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add 2700 deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add 2800 pass tcp from any to any setup

# UDP STUFF

	# Allow access to our DNS
	# (UDP has no handshake, so "setup" does not apply to these rules)
	#${fwcmd} add 2900 pass udp from any to ${dns1} 53
	#${fwcmd} add 3000 pass udp from any to ${dns2} 53
	#${fwcmd} add 3100 pass udp from ${dns1} 53 to any
	#${fwcmd} add 3200 pass udp from ${dns2} 53 to any

	${fwcmd} add 2900 pass udp from any 53 to ${oip}
	${fwcmd} add 3000 pass udp from ${oip} 53 to any
	${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup

	# SMB - allow local traffic
	${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}

	# Allow NTP queries out in the world BUT we do it like this
	# allow server-server on outside interface
	# allow client-server on inside interface
	${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
	${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
	${fwcmd} add 3600 pass udp from any to any 123 via ${iif}

	# TRACEROUTE - allow outgoing but not ingoing
	${fwcmd} add 3700 pass udp from any to any 33434-33523 out via ${oif}

# ICMP stuff

	#ICMP packets
	# allow all on internal interface
	${fwcmd} add 3800 pass icmp from any to any via ${iif}

	#Allow outgoing pings but no incoming
	${fwcmd} add 3900 pass icmp from any to any icmptypes 8 out via ${oif}
	${fwcmd} add 4000 pass icmp from any to any icmptypes 0 in via ${oif}

	#Allow destination unreachable, source quench, time exceeded
	#and bad header
	${fwcmd} add 4100 pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

	#deny the rest of them
	${fwcmd} add 4200 deny icmp from any to any

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file. Which it is not
	;;
esac

------=_NextPart_000_0002_01C06458.9A4B4E20
Content-Type: text/plain;
	name="info.txt"
Content-Disposition: attachment;
	filename="info.txt"

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 206.249.222.226 netmask 0xffffffe0 broadcast 206.249.222.255
	inet6 fe80::260:8ff:fe8d:f089%xl0 prefixlen 64 scopeid 0x1
	ether 00:60:08:8d:f0:89
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.225 netmask 0xffffffe0 broadcast 192.168.1.255
	inet6 fe80::260:8ff:fe3a:5258%xl1 prefixlen 64 scopeid 0x2
	ether 00:60:08:3a:52:58
	media: autoselect (none) status: no carrier
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8000<MULTICAST> mtu 1500
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

------=_NextPart_000_0002_01C06458.9A4B4E20--
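As an added example (not part of Carlos's e-mail or attachments, and not FreeBSD's rc.firewall), the Python below walks a packet through the subset of ipfw rule syntax the posted script uses and reports the first rule that matches, which is how a rule set like this can be sanity-checked offline before it is loaded. The rule set is the posted one with the shell variables expanded (xl0, xl1, 206.249.222.226) and rules not needed for the walk left out; 198.51.100.10 is a constructed stand-in for an outside host, and the matching is simplified: `via` is compared against the one interface the packet is on, `frag` is ignored, and the default is the rule 65535 deny that the script's closing comment describes. It shows that a TCP SYN leaving xl0 with an untranslated 192.168.1.x source lands on rule 900 (the RFC1918 block), while the same packet with a natd-rewritten source reaches rule 2800; it also shows that the address spec 192.168.1.0:255.255.255.224 does not contain 192.168.1.225, so an anti-spoof rule written against that network never covers the inside hosts.

```python
"""Toy first-match walker for the ipfw(8) rule subset used in the posted
rc_firewall.txt (added example, not FreeBSD's or the poster's code).  Simplified:
`via` is compared with the one interface the packet is on, `frag` is ignored,
and the default is rule 65535 deny, as the posted script's last comment says."""
import ipaddress

# Constructed rule set: the posted rules with shell variables expanded
# (oif=xl0, iif=xl1, oip=206.249.222.226); rules not needed here are omitted.
RULES = """
add 100 pass all from any to any via lo0
add 900 deny all from 192.168.0.0/16 to any via xl0
add 2100 pass tcp from any to any established
add 2400 pass tcp from any to 206.249.222.226 80 setup
add 2500 pass log tcp from any to any 22 in via xl0 setup
add 2700 deny log tcp from any to any in via xl0 setup
add 2800 pass tcp from any to any setup
add 3900 pass icmp from any to any icmptypes 8 out via xl0
add 4200 deny icmp from any to any
"""
OPTION_WORDS = {"in", "out", "via", "setup", "established", "icmptypes"}

def parse_addr(spec):
    """'any' -> None; a.b.c.d[/n] or a.b.c.d:m.m.m.m -> IPv4Network."""
    return None if spec == "any" else ipaddress.ip_network(spec.replace(":", "/"), strict=False)

def parse_ports(spec):
    """'22', '137-139' or '3,4,11,12' -> set of ints (also used for icmptypes)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Parse 'add N action [log] proto from src [ports] to dst [ports] options...'."""
    tok = line.split()
    r = dict(num=int(tok[1]), action=tok[2], sports=None, dports=None, dir=None,
             via=None, setup=False, established=False, icmptypes=None)
    i = 4 if tok[3] == "log" else 3
    r["proto"], r["src"], i = tok[i], parse_addr(tok[i + 2]), i + 3   # tok[i + 1] is "from"
    if tok[i] != "to":                                                 # optional source ports
        r["sports"], i = parse_ports(tok[i]), i + 1
    r["dst"], i = parse_addr(tok[i + 1]), i + 2                        # tok[i] is "to"
    if i < len(tok) and tok[i] not in OPTION_WORDS:                    # optional dest ports
        r["dports"], i = parse_ports(tok[i]), i + 1
    while i < len(tok):
        word = tok[i]
        if word in ("in", "out"):
            r["dir"] = word
        elif word in ("via", "icmptypes"):                             # options with an argument
            i += 1
            r[word] = tok[i] if word == "via" else parse_ports(tok[i])
        else:
            r[word] = True                                             # setup / established
        i += 1
    return r

def matches(r, p):
    """True when the packet satisfies every predicate the rule carries."""
    flags = p.get("flags", set())
    return all([
        r["proto"] in ("all", "ip", p["proto"]),
        r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"],
        r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"],
        r["sports"] is None or p.get("sport") in r["sports"],
        r["dports"] is None or p.get("dport") in r["dports"],
        r["dir"] is None or r["dir"] == p["dir"],
        r["via"] is None or r["via"] == p["iface"],
        not r["setup"] or (p["proto"] == "tcp" and "SYN" in flags and "ACK" not in flags),
        not r["established"] or (p["proto"] == "tcp" and bool(flags & {"ACK", "RST"})),
        r["icmptypes"] is None or p.get("icmptype") in r["icmptypes"],
    ])

def walk(rules, pkt):
    """First matching rule wins; (65535, 'deny') is the kernel's default rule."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"

def covers(spec, ip):
    """Does an ipfw address spec contain this address?  Sanity check for anti-spoof nets."""
    return ipaddress.ip_address(ip) in parse_addr(spec)

RULESET = sorted(map(parse_rule, filter(str.strip, RULES.splitlines())), key=lambda r: r["num"])

# Constructed packets: OUT stands in for any outside host, FW is xl0's own address.
OUT, FW = "198.51.100.10", "206.249.222.226"

def syn(src, dst, dport, direction):
    return dict(proto="tcp", src=src, dst=dst, dport=dport, flags={"SYN"}, dir=direction, iface="xl0")

PACKETS = {
    "lan syn, no nat": syn("192.168.1.250", OUT, 80, "out"),
    "lan syn, after natd": syn(FW, OUT, 80, "out"),
    "inbound syn :80": syn(OUT, FW, 80, "in"),
    "inbound syn :23": syn(OUT, FW, 23, "in"),
    "ping out": dict(proto="icmp", src=FW, dst=OUT, icmptype=8, dir="out", iface="xl0"),
    "ping in": dict(proto="icmp", src=OUT, dst=FW, icmptype=8, dir="in", iface="xl0"),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:22s} -> {walk(RULESET, pkt)}")
```

Run it directly to print the verdict for each constructed packet; walk() returns a (rule number, action) pair and covers() answers whether an ipfw net:mask or CIDR spec contains a given address, which is the check to apply to the inet/onet values before trusting rules 300 and 400.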