Date:      Wed, 24 Jul 2002 21:20:13 +0100
From:      "robert at castley dot com" <robert@castley.com>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   How to implement Dial-on-Demand with NAT and a secure firewall under FreeBSD 4.5-STABLE
Message-ID:  <002701c2334f$84164480$1601a8c0@charlie>

This may be the wrong list but I hope others find this useful and helpful.

--------------------------------------

How to implement Dial-on-Demand and a secure firewall under FreeBSD
4.5-STABLE

by Robert W. Castley (robert@castley.com)

---------------------

I am relatively new to FreeBSD, having come from Caldera OpenLinux, so a bit
of a learning curve started, and I thought I would share my findings.

I have detailed the steps I took to implement a full Dial-on-Demand Firewall
with NAT (IP Masquerading under Linux).

1) Install FreeBSD 4.5-STABLE.  I always opt for the minimal install then
add packages/ports as I need them.  In order to achieve what follows you
will not need any additional ports or packages :-).

2) Configure PPP.  The three files you need to edit/create are:
 ppp.conf
 ppp.linkup
 ppp.linkdown

My ppp.conf looks like this (you should only need to replace telephone no.,
username and password):

 default:
  set log Phase Chat LCP IPCP CCP tun command
  ident user-ppp VERSION (built COMPILATIONDATE)
  set device /dev/cuaa0          # The port the modem is on
  set speed 115200
  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
            \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
  set timeout 600                # 10 minute idle timer (the default)

 isptag:
  set phone "telephone no."
  set authname username
  set authkey password
  set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 0.0.0.0
  delete ALL
  add default HISADDR            # Add a (sticky) default route

My ppp.linkup looks like this (this is for controlling what happens when the
link is established):

 isptag:
  delete ALL
  add default HISADDR
  !bg /usr/local/bin/fetchmail  # Fetch my mail
  !bg /usr/sbin/ntpdate -b www.clock.org # Sync. internal clock

My ppp.linkdown looks like this (this is for controlling what happens when
the link dies):

 isptag:
  iface clear    # Clear interface addresses

To initiate PPP and place in background with NAT enabled run the following:

 /usr/sbin/ppp -auto -nat isptag

For the other computers on your network to use the link, you must ensure
that their default gateway is set to the address of the system running the
above.


Now for the firewall, and for something so complex hopefully the following
makes it really simple :-)

My method for this involves no recompiling of the kernel.  As I am not a
fan of this, nor competent in it, I chose the easy way out.

3) Load the kernel ipfw module, from the command line enter:

 kldload -v ipfw

4) Enable logging in syslog:

 sysctl net.inet.ip.fw.verbose=1

5) Create a firewall.sh file.  This has been tested using ShieldsUp! from
http://www.grc.com and successfully reports Stealth on each port :-)

 # Define the firewall command (as in /etc/rc.firewall) for easy
 # reference.  Helps to make it easier to read.
 fwcmd="/sbin/ipfw"

 # Interface connected to your internal network
 internal=fxp0
 # Interface connected to the internet (the PPP link created by ppp)
 external=tun0

 # Force a flushing of the current rules before we reload.
 $fwcmd -f flush

 # Divert all packets on the external interface to natd.  Left commented
 # out here because NAT is already done by "ppp -nat" (see above).
 #$fwcmd add divert natd all from any to any via "$external"

 # Allow all data from my network card and localhost.

 $fwcmd add allow ip from any to any via lo0
 $fwcmd add allow ip from any to any via "$internal"

 # Allow all connections that I initiate.
 $fwcmd add allow tcp from any to any out xmit "$external" setup

 # Once connections are made, allow them to stay open.
 $fwcmd add allow tcp from any to any via "$external" established

 # Everyone on the internet is allowed to connect to the following
 # services on the machine. Remove # from those you want
 #$fwcmd add allow tcp from any to any http setup
 #$fwcmd add allow tcp from any to any ftp setup
 #$fwcmd add allow tcp from any to any ssh setup
 #$fwcmd add allow tcp from any to any telnet setup

 # This sends a RESET to all ident packets.
 $fwcmd add reset log tcp from any to any ident in recv "$external"

 # Allow outgoing DNS queries
 $fwcmd add allow udp from any to any domain out xmit "$external"

 # Allow them back in with the answers...  :)
 $fwcmd add allow udp from any domain to any in recv "$external"

 # time synchronisation
 $fwcmd add pass udp from any to any ntp keep-state

 # dhcp
 $fwcmd add pass udp from any to any bootpc keep-state

 $fwcmd add allow udp from any to any bootps out xmit "$external"
 $fwcmd add allow udp from any bootps to any in recv "$external"

 # Allow ICMP (for ping and traceroute to work).  You may wish to
 # disallow this, but I feel it suits my needs to keep them in.
 $fwcmd add allow icmp from any to any

 # Deny and log connection attempts (SYN) from outside; deny the rest
 # of the TCP traffic without logging.
 $fwcmd add deny log tcp from any to any in via "$external" setup
 $fwcmd add deny tcp from any to any

 # Deny and log non-TCP traffic from outside
 $fwcmd add deny log ip from any to any in via "$external"

 # Deny all the rest.
 $fwcmd add 65435 deny log ip from any to any

To activate this just type from the command line:

 sh firewall.sh

6) To monitor what is happening when you are connected to the internet just
do the following:

 tail -f /var/log/security

My /var/log/security file currently looks like:

 Jul 24 00:41:33 gw /kernel: ipfw: 1400 Deny TCP 68.62.96.222:1175 62.6.90.150:80 in via tun0
 Jul 24 00:41:44 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
 Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
 Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
 Jul 24 00:41:47 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
 Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
 Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
 Jul 24 00:41:53 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0

As you can see, the setup is successfully blocking requests to port 80 on my
machine :-)
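Watching "tail -f" gets tedious once the log grows, so here is an added example (not part of the original post) that parses the ipfw log lines in the format shown above and summarises inbound hits on tun0 per destination port and per source address. The sample log is constructed from the eight Deny lines above plus one constructed Reset line of the kind the "reset log ... ident" rule would write; the "noisy source" threshold is an assumption.

```python
import re
from collections import Counter

# Shape of a TCP/UDP line ipfw writes to /var/log/security on FreeBSD 4.x (as shown above):
# <ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: the Deny lines from the post, plus one constructed Reset line (ident, port 113).
SAMPLE_LOG = """\
Jul 24 00:41:33 gw /kernel: ipfw: 1400 Deny TCP 68.62.96.222:1175 62.6.90.150:80 in via tun0
Jul 24 00:41:44 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
Jul 24 00:41:47 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
Jul 24 00:41:53 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
Jul 24 00:42:10 gw /kernel: ipfw: 500 Reset TCP 68.62.96.222:2000 62.6.90.150:113 in via tun0
"""

def parse_ipfw_line(line):
    """Return a dict of fields for an ipfw TCP/UDP log line, or None if the line is not one."""
    m = IPFW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarise(log_text, external="tun0"):
    """Count inbound hits on the external interface by (action, proto, dport) and by source."""
    by_port, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["dir"] != "in" or rec["iface"] != external:
            continue  # skip non-ipfw lines and anything not arriving on the PPP link
        by_port[(rec["action"], rec["proto"], rec["dport"])] += 1
        by_src[rec["src"]] += 1
    return by_port, by_src

def noisy_sources(by_src, threshold=3):
    """Sources seen at least `threshold` times (threshold is an assumption), busiest first."""
    return sorted((s for s, n in by_src.items() if n >= threshold), key=lambda s: (-by_src[s], s))

if __name__ == "__main__":
    ports, sources = summarise(SAMPLE_LOG)
    for (action, proto, dport), n in ports.most_common():
        print(f"{action:6} {proto} port {dport}: {n} hit(s)")
    print("repeat sources:", noisy_sources(sources))
```

Run it against the real file with `summarise(open("/var/log/security").read())`; lines with a different shape (for example ICMP entries) are simply skipped.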



