Date: Wed, 24 Jul 2002 21:20:13 +0100
From: "robert at castley dot com" <robert@castley.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: How to implement Dial-on-Demand with NAT and a secure firewall under FreeBSD 4.5-STABLE
Message-ID: <002701c2334f$84164480$1601a8c0@charlie>
This may be the wrong list but I hope others find this useful and helpful.

--------------------------------------
How to implement Dial-on-Demand and a secure firewall under FreeBSD 4.5-STABLE
by Robert W. Castley (robert@castley.com)
--------------------------------------

I am relatively new to FreeBSD having come from Caldera OpenLinux, so a bit of a learning curve started and I thought I would share my findings. I have detailed the steps I took to implement a full Dial-on-Demand firewall with NAT (IP Masquerading under Linux).

1) Install FreeBSD 4.5-STABLE.

I always opt for the minimal install then add packages/ports as I need them. In order to achieve what follows you will not need any additional ports or packages :-).

2) Configure PPP.

The three files you need to edit/create are:

    ppp.conf
    ppp.linkup
    ppp.linkdown

My ppp.conf looks like this (you should only need to replace the telephone no., username and password):

    # /etc/ppp/ppp.conf
    default:
     set log Phase Chat LCP IPCP CCP tun command
     ident user-ppp VERSION (built COMPILATIONDATE)
     set device /dev/cuaa0          # The port the modem is on
     set speed 115200
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
               \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
     set timeout 600                # 10 minute idle timer (the default)

    isptag:
     set phone "telephone no."
     set authname username
     set authkey password
     set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 0.0.0.0
     delete ALL
     add default HISADDR            # Add a (sticky) default route

My ppp.linkup looks like this (this controls what happens when the link is established):

    # /etc/ppp/ppp.linkup
    isptag:
     delete ALL
     add default HISADDR
     !bg /usr/local/bin/fetchmail            # Fetch my mail
     !bg /usr/sbin/ntpdate -b www.clock.org  # Sync. internal clock

My ppp.linkdown looks like this (this controls what happens when the link dies):

    # /etc/ppp/ppp.linkdown
    isptag:
     iface clear                    # Clear interface addresses

To start PPP in the background in dial-on-demand mode with NAT enabled, run the following:

    /usr/sbin/ppp -auto -nat isptag

For the other computers on your network to use the link, you must ensure that their default gateway is set to the address of the system running the above.

Now for the firewall, and for something so complex hopefully the following makes it really simple :-) My method for this involves no recompiling of the kernel. As I am not a fan of this, nor competent at it, I chose the easy way out.

3) Load the ipfw kernel module. From the command line enter:

    kldload -v ipfw

4) Enable logging to syslog:

    sysctl net.inet.ip.fw.verbose=1

5) Create a firewall.sh file. This has been tested using ShieldsUp! from http://www.grc.com and successfully reports Stealth on each port :-)

    #!/bin/sh
    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference. Helps to make it easier to read.
    fwcmd="/sbin/ipfw"

    # Interface connected to your internal network
    internal=fxp0

    # Interface connected to the internet (the ppp tunnel)
    external=tun0

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the external interface.
    # (Left commented out: NAT is already done by "ppp -nat" above.)
    #$fwcmd add divert natd all from any to any via "$external"

    # Allow all data from my network card and localhost.
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via "$internal"

    # Allow all connections that I initiate.
    $fwcmd add allow tcp from any to any out xmit "$external" setup

    # Once connections are made, allow them to stay open.
    $fwcmd add allow tcp from any to any via "$external" established

    # Everyone on the internet is allowed to connect to the following
    # services on the machine. Remove # from those you want.
    #$fwcmd add allow tcp from any to any http setup
    #$fwcmd add allow tcp from any to any ftp setup
    #$fwcmd add allow tcp from any to any ssh setup
    #$fwcmd add allow tcp from any to any telnet setup

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to any ident in recv "$external"

    # Allow outgoing DNS queries
    $fwcmd add allow udp from any to any domain out xmit "$external"

    # Allow them back in with the answers... :)
    $fwcmd add allow udp from any domain to any in recv "$external"

    # time synchronisation
    $fwcmd add pass udp from any to any ntp keep-state

    # dhcp
    $fwcmd add pass udp from any to any bootpc keep-state
    $fwcmd add allow udp from any to any bootps out xmit "$external"
    $fwcmd add allow udp from any bootps to any in recv "$external"

    # Allow ICMP (for ping and traceroute to work). You may wish to
    # disallow this, but I feel it suits my needs to keep them in.
    $fwcmd add allow icmp from any to any

    # Deny and log setups from outside, just deny the rest of the attempt
    $fwcmd add deny log tcp from any to any in via "$external" setup
    $fwcmd add deny tcp from any to any

    # Deny and log non tcp from outside
    $fwcmd add deny log ip from any to any in via "$external"

    # Deny all the rest.
    $fwcmd add 65435 deny log ip from any to any

To activate this just type from the command line:

    sh firewall.sh

6) To monitor what is happening when you are connected to the internet just do the following:

    tail -f /var/log/security

My /var/log/security file currently looks like:

    Jul 24 00:41:33 gw /kernel: ipfw: 1400 Deny TCP 68.62.96.222:1175 62.6.90.150:80 in via tun0
    Jul 24 00:41:44 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
    Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
    Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
    Jul 24 00:41:47 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0
    Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 208.162.127.248:2768 62.6.90.150:80 in via tun0
    Jul 24 00:41:49 gw /kernel: ipfw: 1400 Deny TCP 12.229.194.222:2831 62.6.90.150:80 in via tun0
    Jul 24 00:41:53 gw /kernel: ipfw: 1400 Deny TCP 172.167.2.194:1618 62.6.90.150:80 in via tun0

As you can see the setup is successfully blocking requests into port 80 on my machine :-)
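Watching "tail -f" is fine for a quick look, but a summary of the deny lines is more useful over a day of logs. The following is an added example (not part of the original mail) that parses the ipfw line format shown above and counts inbound denies on tun0 by rule, protocol and destination port, and by source address; the sample lines are constructed, with documentation-range addresses and made-up rule numbers.

```python
import re
from collections import Counter

# Shape of a FreeBSD 4.x ipfw log line (net.inet.ip.fw.verbose=1) for TCP/UDP:
#   <ts> <host> /kernel: ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_line(line):
    """Return the fields of one ipfw TCP/UDP log line, or None for any other syslog line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines, iface="tun0"):
    """Count inbound denies on the external interface by (rule, proto, dport)
    and by source address; resets, outbound hits and non-ipfw lines are skipped."""
    by_service, by_source = Counter(), Counter()
    for rec in map(parse_line, lines):
        if rec is None or rec["action"] != "Deny":
            continue
        if rec["dir"] != "in" or rec["iface"] != iface:
            continue
        by_service[(rec["rule"], rec["proto"], rec["dport"])] += 1
        by_source[rec["src"]] += 1
    return {"by_service": by_service, "by_source": by_source}

# Constructed sample modelled on the /var/log/security excerpt above; the
# addresses are RFC 5737 documentation ranges and the rule numbers are made up.
SAMPLE = """\
Jul 24 00:41:33 gw /kernel: ipfw: 1400 Deny TCP 192.0.2.10:1175 198.51.100.5:80 in via tun0
Jul 24 00:41:44 gw /kernel: ipfw: 1400 Deny TCP 203.0.113.7:1618 198.51.100.5:80 in via tun0
Jul 24 00:41:46 gw /kernel: ipfw: 1400 Deny TCP 192.0.2.10:2768 198.51.100.5:22 in via tun0
Jul 24 00:41:47 gw /kernel: ipfw: 1400 Deny TCP 203.0.113.7:1618 198.51.100.5:80 in via tun0
Jul 24 00:41:50 gw /kernel: ipfw: 1600 Deny UDP 203.0.113.9:137 198.51.100.5:137 in via tun0
Jul 24 00:41:52 gw /kernel: ipfw: 600 Reset TCP 192.0.2.10:3001 198.51.100.5:113 in via tun0
Jul 24 00:41:55 gw sshd[123]: Accepted publickey for robert from 192.168.1.2
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (rule, proto, port), n in s["by_service"].most_common():
        print(f"rule {rule} {proto}/{port}: {n} denied")
```

To run it against the real file, replace SAMPLE with `open("/var/log/security")`.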