Date: Thu, 17 May 2001 18:05:26 +0300
From: Seorge <seorge@rostokgroup.com>
To: freebsd-security@FreeBSD.ORG
Subject: Configuring ports in firewall... A problem
Message-ID: <8130809667.20010517180526@myhost.com>
The system is FreeBSD 4.3.
There is an internal network of the type 192.168.1.0 with its own DNS.
There is an external IP with its own DNS.
natd is started, ipfw is started.

The question is how to let users from the local network out via all protocols (http, ftp, mail, etc.) while closing all ports except several ones (20, 21, 22, 53, 80, 110) from external access.

Now it is made as follows (the kernel closes all ports by default; rl0 is the external interface, rl1 the internal one). If I comment out rule 2000 and uncomment the second 2000 and rule No 4000 in rc.firewall, it does not work at all. How to solve this problem? What should I configure and how to get it working?

//rc.conf
#############################################################
network_interfaces="lo0 rl0 rl1"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_rl0="inet 212.212.212.5 netmask 255.255.255.240"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
hostname="name.domain.net"
named_enable="YES"
gateway_enable="YES"
defaultrouter="212.212.212.1"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="EE"
firewall_quiet="NO"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
##########################################################

//natd.conf
##########################################################
log no
deny_incoming no
same_ports yes
use_sockets yes
verbose no
port natd
unregistered_only yes
##########################################################

//rc.firewall
##########################################################
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

case ${firewall_type} in
[Ee][Ee])
    ${fwcmd} add 400 pass udp from any to any 33434-33523
    ${fwcmd} add 500 deny ICMP from any to any frag
    ${fwcmd} add 600 pass ICMP from any to any
    ${fwcmd} add 700 pass tcp from any to any 20,21,25,53,80,110,119,443,3128
    ${fwcmd} add 800 pass tcp from any 20,21,25,53,80,110,119,443,3128 to any
    ${fwcmd} add 1000 pass all from any to any via rl1
    ${fwcmd} add 1100 allow all from any to any via rl1
    ${fwcmd} add 2000 pass all from any to any via rl0
    #${fwcmd} add 2000 pass all from any 20,21,22,25,53,80,110,119,443,3128,8668 to any via rl0
    #${fwcmd} add 4000 pass all from any to any 20,21,22,25,53,80,110,119,443,3128,8668 via rl0
    ;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
    ;;
*)
    if [ -r "${firewall_type}" ]; then
        ${fwcmd} ${firewall_flags} ${firewall_type}
    fi
    ;;
esac
##########################################################

Looking forward to hearing from you soon,

Best regards,
Seorge
mailto:seorge@rostokgroup.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
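The following is an added example, not part of the original post or its rc.firewall: an ipfw rule set for the setup described above (NAT on rl0, trusted rl1, only the listed TCP services reachable from outside), using ipfw's `setup`/`established` keywords so that inbound SYNs are filtered per port while replies to allowed connections still pass. Interface names, the subnet and the port list are taken from the post; `fwcmd` defaults to `echo` so the rules can be reviewed on any host without ipfw.

```shell
#!/bin/sh
# Added example, not the original poster's rc.firewall: keep the internal
# side (rl1, 192.168.1.0/24) open, NAT it out through rl0, and admit only the
# listed TCP services inbound on rl0. Interface names and subnet come from
# the post; fwcmd defaults to "echo" so the rules can be reviewed without ipfw.
fwcmd=${fwcmd:-echo}
ext_if=rl0
int_if=rl1
int_net=192.168.1.0/24
inbound_tcp="20,21,22,53,80,110"

build_rules() {
    # NAT first, so packets crossing rl0 are translated before filtering.
    $fwcmd add 50 divert natd all from any to any via $ext_if
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8
    # The internal interface is trusted entirely.
    $fwcmd add 1000 pass all from any to any via $int_if
    # Anti-spoofing: the private net never arrives as a source from outside.
    $fwcmd add 1100 deny all from $int_net to any in via $ext_if
    # New inbound TCP connections (SYN only): published services, nothing else.
    $fwcmd add 2000 pass tcp from any to any $inbound_tcp in via $ext_if setup
    $fwcmd add 2100 deny tcp from any to any in via $ext_if setup
    # Packets of connections that were allowed to start (ACK/RST set).
    $fwcmd add 2200 pass tcp from any to any established
    # Outbound from the gateway and from NATed clients: unrestricted.
    $fwcmd add 3000 pass all from any to any out via $ext_if
    # DNS answers to the resolver and queries to the DNS server behind rl0.
    # "from any 53" is broad; narrow it to the upstream resolver if known.
    $fwcmd add 3100 pass udp from any 53 to any in via $ext_if
    $fwcmd add 3200 pass udp from any to any 53 in via $ext_if
    # traceroute and ICMP, as in the poster's EE block, minus fragments.
    $fwcmd add 3300 pass udp from any to any 33434-33523 in via $ext_if
    $fwcmd add 3400 deny icmp from any to any frag
    $fwcmd add 3500 pass icmp from any to any
    # Everything else is logged and dropped.
    $fwcmd add 65000 deny log all from any to any
}

build_rules
```

Run it with `fwcmd=/sbin/ipfw` from rc.firewall to load the rules for real; with the default `echo` it only lists them.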
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8130809667.20010517180526>