Date: Fri, 19 Mar 1999 00:32:58 -0500 From: Spamoff <Spambait@tampabay.rr.com> To: freebsd-questions <freebsd-questions@FreeBSD.ORG> Subject: Re: Simple FIREWALL Message-ID: <36F1E189.DB9D7961@tampabay.rr.com> References: <Pine.BSF.4.05.9902182301050.346-100000@stardust.bzzzz.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Brian.
Please let me know what you found out. This is my new project as well
Regards...Martin
Brian Budnick wrote:
> I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in
> it. The ethernet cards are setup as follows:
>
> ed1: ip: 209.90.111.199 netmask: 255.255.255.192
> pn0: ip: 10.0.0.1 netmask: 255.255.255.0
>
> I'm trying to get a simple firewall up to protect several computers on our
> network. I want it so that whenever we access the web from like 10.0.0.2
> it goes thru 10.0.0.1 and then that machine will be the gateway to the
> Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from
> the 10.0.0.2 machines, etc.
>
> I did the following to the server 209.90.111.199 to get it to work:
>
> /etc/defaults/rc.conf (looks as follows):
>
> <snip>
>
> ### Network routing options: ###
> defaultrouter="NO" # Set to default gateway (or NO).
> static_routes="" # Set to static route list (or leaveempty).
> gateway_enable="YES" # Set to YES if this host will be agateway.
> router_enable="NO" # Set to YES to enable a routing daemon.
> router="routed" # Name of routing daemon to use ifenabled.
> router_flags="-q" # Flags for routing daemon.
> mrouted_enable="NO" # Do multicast routing (see/etc/mrouted.conf).
> mrouted_flags="" # Flags for multicast routing daemon.
> ipxgateway_enable="NO" # Set to YES to enable IPX routing.
> ipxrouted_enable="NO" # Set to YES to run the IPX routingdaemon.
> ipxrouted_flags="" # Flags for IPX routing daemon.
> arpproxy_all="" # replaces obsolete kernel optionARP_PROXYALL.
> forward_sourceroute="NO" # do source routing (only ifgateway_enable is set to "YES")
> accept_sourceroute="NO" # accept source routed packets to us
>
> <snip>
>
> hostname="myname.my.domain" # Set this!
> nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
> firewall_enable="YES" # Set to YES to enable firewall functionality
> firewall_type="simple" # Firewall type (see /etc/rc.firewall)
> firewall_quiet="NO" # Set to YES to suppress rule display
> natd_enable="NO" # Enable natd (if firewall_enable == YES).
> natd_interface="fxp0" # Public interface to use with natd.
> natd_flags="" # Additional flags for natd.
> tcp_extensions="NO" # Disallow RFC1323 extensions (or YES).
> network_interfaces="lo0" # List of network interfaces (lo0 is loopback).
> ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
>
> ---
>
> in my /etc/rc.firewall (under the simple section my configuration reads):
>
> # set these to your outside interface network and netmask and ip
> oif="ed1"
> onet="209.90.111.199/24"
> omask="255.255.255.192"
> oip="209.90.111.199"
>
> # set these to your inside interface network and netmask and ip
> iif="pn0"
> inet="10.0.0.1/24"
> imask="255.255.255.0"
> iip="10.0.0.1"
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} out
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow TCP through if setup succeeded
> # $fwcmd add pass tcp from any to any established
> $fwcmd add pass all from any to any
>
> # allow IDENT for IRC
> $fwcmd add allow tcp from any to ${oif} 113
> $fwcmd add allow udp from any to ${oif} 113
>
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW
> $fwcmd add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> #$fwcmd add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
>
> # Everything else is denied as default.
>
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
> $fwcmd ${firewall_type}
> fi
>
> ---
>
> On Bootup when it displays the rulesets it seems to have a problem with
> one of them but i'm not sure which one.
>
> i know this message is kind of long but i'm really wanting to get this to
> work and would appreciate anyones kind help to let me know what's wrong.
>
> ---
>
> i tried to setup a work station as follows:
> ip: 10.0.0.2
> subnetmask: 255.255.255.0
> gateway: 10.0.0.1
>
> i could ping 10.0.0.1, of course i couldn't ping outside our network, but
> I couldn't telnet, i couldn't do web, or irc, or anything...
>
> Please Help!
>
> Thanks.
>
> Brian
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36F1E189.DB9D7961>