From owner-freebsd-security Thu May 17 8: 4:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from alcatraz.iptelecom.net.ua (alcatraz.iptelecom.net.ua [212.9.224.15]) by hub.freebsd.org (Postfix) with ESMTP id 195DC37B422 for ; Thu, 17 May 2001 08:03:57 -0700 (PDT) (envelope-from seorge@rostokgroup.com)
Received: from dialup7-45.iptelecom.net.ua (dialup7-45.iptelecom.net.ua [212.9.227.173]) by alcatraz.iptelecom.net.ua (8.9.3/8.9.3) with ESMTP id SAA46020 for ; Thu, 17 May 2001 18:03:39 +0300 (EEST) (envelope-from seorge@rostokgroup.com)
Date: Thu, 17 May 2001 18:05:26 +0300
From: Seorge
X-Mailer: The Bat! (v1.44)
Reply-To: Seorge
X-Priority: 3 (Normal)
Message-ID: <8130809667.20010517180526@myhost.com>
To: freebsd-security@FreeBSD.ORG
Subject: Configuring ports in firewall... A problem
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The system is FreeBSD 4.3.
There is an internal network of the type 192.168.1.0 with its own DNS.
There is an external IP with its own DNS.
natd is started.
ipfw is started.

The question is how to let users from the local network out via all protocols (http, ftp, mail, etc.) while closing all ports to external access except several (20, 21, 22, 53, 80, 110).

Now it is done as follows (the kernel closes all ports by default; rl0 is the external interface, rl1 the internal one). If I comment out rule 2000 and uncomment the second 2000 and rule No 4000 in rc.firewall, it does not work at all.

How can I solve this problem? What should I configure, and how, to get it working?
//rc.conf
#############################################################
network_interfaces="lo0 rl0 rl1"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_rl0="inet 212.212.212.5 netmask 255.255.255.240"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
hostname="name.domain.net"
named_enable="YES"
gateway_enable="YES"
defaultrouter="212.212.212.1"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="EE"
firewall_quiet="NO"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
##########################################################

//natd.conf
##########################################################
log no
deny_incoming no
same_ports yes
use_sockets yes
verbose no
port natd
unregistered_only yes
##########################################################

//rc.firewall
##########################################################
# Fragment of /etc/rc.firewall; ${fwcmd} (normally /sbin/ipfw) is set earlier in the file.
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        # Everything crossing the external interface is handed to natd first,
        # so the rules after this one see the translated addresses.
        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

case ${firewall_type} in
[Ee][Ee])
    # UDP range used by traceroute
    ${fwcmd} add 400 pass udp from any to any 33434-33523
    ${fwcmd} add 500 deny ICMP from any to any frag
    ${fwcmd} add 600 pass ICMP from any to any
    # No interface restriction here, so these match on rl0 as well as rl1.
    ${fwcmd} add 700 pass tcp from any to any 20,21,25,53,80,110,119,443,3128
    ${fwcmd} add 800 pass tcp from any 20,21,25,53,80,110,119,443,3128 to any
    # Rules 1000 and 1100 are identical ("pass" and "allow" are synonyms in ipfw).
    ${fwcmd} add 1000 pass all from any to any via rl1
    ${fwcmd} add 1100 allow all from any to any via rl1
    # The active rule 2000 passes all traffic on the external interface.
    ${fwcmd} add 2000 pass all from any to any via rl0
    # The alternative rules that do not work when uncommented. Note that ipfw
    # accepts a port list only with the tcp or udp protocol, not with "all".
    #${fwcmd} add 2000 pass all from any 20,21,22,25,53,80,110,119,443,3128,8668 to any via rl0
    #${fwcmd} add 4000 pass all from any to any 20,21,22,25,53,80,110,119,443,3128,8668 via rl0
    ;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
    ;;
*)
    if [ -r "${firewall_type}" ]; then
        ${fwcmd} ${firewall_flags} ${firewall_type}
    fi
    ;;
esac
##########################################################

Looking forward to hearing from you soon,

Best regards,
Seorge
mailto:seorge@rostokgroup.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
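The ruleset the post is asking for, as an added example that is not part of the original message or of FreeBSD's own rc.firewall. Two points drive its shape: ipfw only accepts a port list with the tcp or udp protocol, so the poster's `pass all from any 20,21,... via rl0` form cannot be loaded, and a rule that restricts ports must still let replies back in, which is what `established` (TCP) and the source-port-53 UDP rule do. New inbound connections (`setup`) are limited to the gateway's own public address and the published ports, and LAN traffic is trusted wholesale on rl1. It reuses the addresses from the post (rl0 = 212.212.212.5/28, rl1 = 192.168.1.0/24) as assumptions; the `fwcmd` switch, `APPLY` variable and `count_rules` helper are this example's own. By default it only prints the `ipfw` commands it would run.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: an ipfw ruleset for a FreeBSD 4.x
# NAT gateway that lets the LAN out and exposes only a few services on the
# gateway's public address. Assumed layout (taken from the post): rl0 is the
# external interface with 212.212.212.5/28, rl1 the internal one on 192.168.1.0/24.
# By default the script only prints the rules (fwcmd="echo ipfw"); run it with
# APPLY=yes to load them with /sbin/ipfw.

oif="rl0";  onet="212.212.212.0/28";  oip="212.212.212.5"
iif="rl1";  inet="192.168.1.0/24"

# Services on the gateway itself that the Internet may reach (from the post).
tcp_in="20,21,22,53,80,110"
udp_in="53"

if [ "${APPLY:-no}" = "yes" ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="echo ipfw"
fi

build_ruleset() {
    ${fwcmd} -f flush

    # Loopback is open; 127/8 must never appear on a real interface.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny all from 127.0.0.0/8 to any

    # Anti-spoofing. These sit before the divert rule, so they see the
    # addresses exactly as they arrived on the wire.
    ${fwcmd} add 400 deny all from ${inet} to any in via ${oif}
    ${fwcmd} add 500 deny all from any to ${inet} in via ${oif}
    ${fwcmd} add 600 deny all from ${onet} to any in via ${iif}

    # NAT everything crossing the external interface. A packet re-enters the
    # ruleset at the next rule with translated addresses: outbound LAN traffic
    # now has source ${oip}, inbound replies have the internal host as destination.
    ${fwcmd} add 1000 divert natd all from any to any via ${oif}

    # The LAN side is trusted: anything in or out on the internal interface.
    ${fwcmd} add 2000 pass all from any to any via ${iif}

    # Everything leaving on the external interface (the gateway's own traffic
    # and NATed LAN traffic, both now sourced from ${oip}).
    ${fwcmd} add 3000 pass all from ${oip} to any out via ${oif}

    # Inbound TCP: replies to connections we opened (ACK or RST set, not a bare
    # SYN) are accepted wherever NAT delivers them; new connections (setup)
    # only to the published ports on the gateway's own address.
    ${fwcmd} add 4000 pass tcp from any to any established in via ${oif}
    ${fwcmd} add 4100 pass tcp from any to ${oip} ${tcp_in} setup in via ${oif}

    # Inbound UDP: queries to our DNS, and answers from remote DNS servers.
    # The answer rule is keyed on source port because the destination address
    # changes at the divert rule; it is coarse, and that is the trade-off.
    ${fwcmd} add 5000 pass udp from any to ${oip} ${udp_in} in via ${oif}
    ${fwcmd} add 5100 pass udp from any 53 to any in via ${oif}

    # Inbound ICMP limited to echo reply/request, unreachable and time exceeded
    # (enough for ping, traceroute and path-MTU discovery).
    ${fwcmd} add 5200 pass icmp from any to any icmptypes 0,3,8,11 in via ${oif}

    # Anything else from the Internet is logged (needs IPFIREWALL_VERBOSE in the
    # kernel) and dropped; the final rule mirrors the kernel's default deny.
    ${fwcmd} add 6000 deny log all from any to any in via ${oif}
    ${fwcmd} add 65000 deny all from any to any
}

# Number of "add" rules the ruleset contains; a cheap sanity check before loading.
count_rules() {
    build_ruleset | grep -c ' add '
}

build_ruleset
```

Run it as `sh rules.sh` to review the generated commands and `APPLY=yes sh rules.sh` to load them. Two caveats a practitioner should keep in mind: `established` matches any segment with ACK or RST set, so it is not a real state table (ipfw's `keep-state` exists in 4.x but interacts awkwardly with natd's address rewriting, which is why it is not used here); and active-mode FTP from LAN clients needs the server's connection from port 20 to reach an internal host, which the `setup` rule above deliberately does not allow, so clients should use passive mode. Keep port lists short as well: ipfw in FreeBSD 4 caps a single list at ten entries.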