Date: Thu, 4 Oct 2001 13:52:35 +0100
From: "Daniel Fairs" <daniel.fairs@spiderplant.net>
To: "Patrick O'Reilly" <patrick@mip.co.za>, "FreeBSD Question List" <freebsd-questions@freebsd.org>, <daniel.fairs@spiderplant.net>
Subject: RE: Firewalling again
Message-ID: <NKEPKAINDOAHFAIDHBHAIELNCFAA.daniel.fairs@spiderplant.net>
In-Reply-To: <NDBBIMKICMDGDMNOOCAIAEOGDJAA.patrick@mip.co.za>
Hi Patrick,

Yes. I've taken a step back and realised the config is a bit all over the place. I have been hindered a bit by the inaccurate documentation of my predecessor, which led to me being one IP 'out' on everything. Oooops.

It transpires that we in fact have allocated to us the 8 IPs 213.2.28.63 to 213.2.28.70 inclusive - on one subnet. So that's expressed as 213.2.28.63/29, yes? (This whole thing is not helped by the fact that I'm only just getting to grips with CIDR notation ;). That gives 213.2.28.63 as the subnet IP and 213.2.28.70 as the net broadcast address. (Guess I'd better move the firewall off of .70 then.)

I guess, then, that I need to talk to my ISP about splitting the /29 into two /30s? Then I'd have:

.63 - subnet 1 IP
.64 - Firewall external IP
.65 - DSL Router IP
.66 - subnet 1 broadcast
.67 - subnet 2 IP
.68 - Mailserver IP
.69 - unused
.70 - subnet 2 broadcast

Does that make sense? Or am I getting the wrong end of the stick?

Something I find a little concerning in my predecessor's docs is that our ISP seems to have taken one of our IPs (currently .64) for 'internal use'. Is this normal? Or do they just have a weird system?

T very much IA!

Cheers,
Dan

> -----Original Message-----
> From: Patrick O'Reilly [mailto:patrick@mip.co.za]
> Sent: 04 October 2001 12:31
> To: FreeBSD Question List; daniel.fairs@spiderplant.net
> Subject: RE: Firewalling again
>
>
> Daniel,
>
> Before we even touch the firewall rules, it looks like your subnets are all
> mixed up. That will stop things from working!
>
> You mention 213.2.28.70/29 on xl2. That means the network runs from .64 to
> .71. Then you say you have 213.2.28.69/30 on xl1. That indicates a network
> from .68 to .71. These overlap - BAD! Also, your mailserver, if it is
> configured as you say (213.2.28.68/30) is on an invalid IP, as .68 is the ip
> of the subnet - it is not valid for a host.
>
> If you give me your subnets allocated by your ISP, I'll send info about how
> to set the interfaces in rc.conf. Your ISP should have given you a subnet
> for the DMZ (probably the /29 you mentioned), and you should have another
> subnet (a /30) for the DSL connection.
>
> Patrick.
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> daniel.fairs@spiderplant.net
> Sent: 04 October 2001 10:21
> To: freebsd-questions@FreeBSD.ORG
> Subject: Firewalling again
>
>
>
> Hi All,
>
> Apologies if this message appears twice, but my normal SMTP server appears
> to have died. Right...
>
> Hi,
>
> I have a firewall box with three NICs, xl0 (internal), xl1 (DMZ - public
> servers), and xl2 (DSL connection). I only added the single machine (the
> mailserver) in the DMZ today - the public and private interfaces have
> worked and continue to work happily. However, I am having trouble
> formulating rules for the machine on the DMZ.
>
> The network configuration is such that I have a 192.168.0.0/24 on xl0,
> 213.2.28.70/29 on xl2 (defaultrouter is 213.2.28.65, the DSL box) and
> 213.2.28.69/30 on xl1. The mailserver has IP 213.2.28.68/30.
>
> Here's my current attempt (the lines before rule 500 are those I've added)
>
> thor# ipfw s
> 00010        0           0 allow tcp from any to 213.2.28.68 25 setup
> 00020        0           0 allow tcp from 213.2.28.68 to any setup
> 00030        0           0 allow tcp from any to any via xl1 established
> 00040       79        6636 allow icmp from any to any via xl1
> 00500 19302090 11240110875 divert 8668 ip from any to any via xl2
> 00600        0           0 check-state
> 00700      135       42478 deny log logamount 100 ip from 10.0.0.0/8 to any in recv xl2
> 00800       52       17671 deny log logamount 100 ip from 172.16.0.0/12 to any in recv xl2
> 00810      148       72141 deny log logamount 100 ip from 192.168.0.0/16 to any in recv xl2
> 01100    14534     1261038 allow icmp from any to any
> 01500   354781    54370955 allow udp from any to any keep-state via xl0
> 01550 37298975 22388737248 allow tcp from any to any established
> 01800   474155    23294472 allow tcp from 213.2.28.64/29 to any setup
> 01900    95864     7130172 allow udp from 213.2.28.64/29 to any keep-state
> 02000   472803    23236256 allow tcp from any to any via xl0 setup
> 65535    10191      919453 deny ip from any to any
>
> Now, when I do a ping from the mailserver to the DMZ NIC on the firewall
> while running tcpdump on xl1 on the firewall, I see:
>
> thor# tcpdump -n -i xl1
> tcpdump: listening on xl1
> 17:59:30.661254 213.2.28.68 > 213.2.28.69: icmp: echo request
> 17:59:31.671257 213.2.28.68 > 213.2.28.69: icmp: echo request
> 17:59:32.681251 213.2.28.68 > 213.2.28.69: icmp: echo request
> 17:59:33.691274 213.2.28.68 > 213.2.28.69: icmp: echo request
> ^C
> 5 packets received by filter
> 0 packets dropped by kernel
>
> ... and of course, no replies.
>
> Why is the firewall not replying? Surely rule 40 should permit it to? I
> take it that everything relating to the DMZ *does* have to live before the
> line that feeds things into NAT...
>
> (btw, this is a preliminary config - I know there are several things that
> need tightening up.)
>
> Any thoughts?
> Cheers,
> Dan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NKEPKAINDOAHFAIDHBHAIELNCFAA.daniel.fairs>
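The subnet arithmetic argued over in this thread (which block a /29 or /30 interface address actually belongs to, whether two interfaces on one box overlap, whether a host address collides with the network or broadcast address, and what two /30s a /29 splits into) can be checked mechanically rather than by hand. The script below is an added worked example and is not code from any of the posters; it uses Python's standard ipaddress module and takes the interface and host addresses exactly as quoted in the messages above (xl2 213.2.28.70/29, xl1 213.2.28.69/30, mailserver 213.2.28.68/30, default router 213.2.28.65). The function names are the example's own.

```python
import ipaddress

# Addresses as quoted in the thread above (the poster's interface and host configs).
XL2 = "213.2.28.70/29"        # firewall, DSL side
XL1 = "213.2.28.69/30"        # firewall, DMZ side
MAILSERVER = "213.2.28.68/30"  # host in the DMZ
DEFAULT_ROUTER = "213.2.28.65"  # the DSL box


def network_of(cidr):
    """Block an interface address belongs to; the host bits are masked off."""
    return ipaddress.ip_interface(cidr).network


def is_aligned(cidr):
    """True only if the address part is the block's own network address,
    i.e. 'a.b.c.d/n' names a valid CIDR prefix (strict=True rejects host bits)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return True


def is_valid_host(cidr):
    """A host may not use the network or broadcast address of its block
    (/31 and /32 have no such reserved addresses and are accepted as-is)."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def overlapping(cidrs):
    """Pairs of interface configs whose blocks overlap; two interfaces on one
    router must not share address space or routing becomes ambiguous."""
    nets = [(c, network_of(c)) for c in cidrs]
    return [(a, b)
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:]
            if na.overlaps(nb)]


def on_link(router, cidr):
    """A default router has to sit inside the block of the interface used to reach it."""
    return ipaddress.ip_address(router) in network_of(cidr)


def split(cidr, new_prefix):
    """Carve a block into equal sub-blocks, returning
    (network, first usable host, last usable host, broadcast) for each."""
    out = []
    for sub in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        out.append((str(sub), str(hosts[0]), str(hosts[-1]), str(sub.broadcast_address)))
    return out


if __name__ == "__main__":
    for c in (XL2, XL1, MAILSERVER):
        print(f"{c:18} block={network_of(c)}  valid_host={is_valid_host(c)}")
    print("overlapping interfaces:", overlapping([XL2, XL1]))
    print("default router on xl2's link:", on_link(DEFAULT_ROUTER, XL2))
    print("aligned prefix 213.2.28.63/29:", is_aligned("213.2.28.63/29"))
    for row in split(str(network_of(XL2)), 30):
        print("  /30:", row)
```

Running it prints the block each quoted address falls into, flags the xl2/xl1 overlap and the mailserver's network-address collision that Patrick points out, and lists the two /30s with their network and broadcast addresses so a proposed split can be compared against them. is_aligned answers the "is that expressed as X/29?" question for any candidate: it returns False whenever the address has host bits set under that prefix.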