Date: Sat, 6 Sep 2003 16:53:14 -0400 From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "snake" <snake@voliacable.com>, <freebsd-questions@freebsd.org> Subject: RE: Error with daemon natd Message-ID: <MIEPLLIBMLEEABPDBIEGCEBFEFAA.fbsd_user@a1poweruser.com> In-Reply-To: <1921704781.20030906223307@voliacable.com>
next in thread | previous in thread | raw e-mail | index | archive | help
You have done everything right as far as the gateway goes. The
problem is the win boxes on the LAN do not know the DNS server of
your ISP. You have to configure the win box  start/control
panel/network and hard code the ip address of your isp DSN server
and the 10.0.0.2 as the gateway.  If you are going to have a lot of
win boxes on your lan then you would want to install DHCP server on
your gateway box so all your lan win boxes can get the info they
need to access the public internet through your gateway.
For your info the firewall_type="open" is not really providing any
protection at all. It lets everything in and out. You need to create
your own set of ipfw firewall rules which you design to protect your
environment.
Here is mine for you to use as sample
####################################################################
#######
#
# Define IPFW firewall rules for gateway.xxxxxx.com
# 5/25/2002
#
#   Cable modem connection to ISP with dynamic IP addresses
assigned.
#   User ppp tun1 dial in to this box with dynamic IP addresses
assigned
#   User ppp tun2 dial in to this box with dynamic IP addresses
assigned
#   IPFW divert natd command used for nat. Private Ip address used
inside.
#   3 win98 boxes on LAN with static IP address hard coded.
#   Protect the whole private network from loss of service attacks
#   These rules can be reloaded with out rebooting by issuing this
command
#   sh /etc/ipfw.rules.conf
#
#   The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
#   All packet traffic originating behind this firewall not
requiring access
#   to the public internet is exempt from these firewall rules.
#
#   Each public internet function must be explicitly allowed by a
rule.
#   Only valid response to the packets I've sent out are allowed in.
#   All packets must use the IPFW advanced "dynamic" rules function.
#   No state-less rules or simple-stateful rules are allowed to
grant
#   internet function.
####################################################################
#########
# Flush out the list before we begin.
/sbin/ipfw -q -f flush
# Set rules command prefix
# The -q option on the command is for quite mode.
# Do not display rules as they load. Remove during development to
see.
cmd="/sbin/ipfw -q add"
# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use there range
oif="rl0"                  # Nic card to cable modem public internet
connection
odns1="24.50.201.66"       # ISP's dns server 1 IP address
odns2="24.52.201.66"       # ISP's dns server 2 IP address
# Set these to your inside interface network and ip address range
iif="xl0"                  # Nic card to private internal Local area
network
iip="10.0.10.2/29"         # Private IP address range on Nic card
                           # /29 means 10.0.10.0 thru 10.0.10.7
                           # 10.0.10.2  Lan Nic card
                           # 10.0.10.7  Lan WindowsME machine1
# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN start here
# Internal gateway housekeeping
# Rules # 100 exempt everything on localhost behind the firewall
from this rules set.
# Rules # 110 & 120 deny the reference to the localhost default IP
address.
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00110 deny log  all from any to 127.0.0.0/8  # deny use of
localhost IP
$cmd 00120 deny log  all from 127.0.0.0/8 to any  # deny use of
localhost IP
# This does the  Network Address translation of every packet comming
in
# or going out over the public internet.
$cmd 00150 divert natd all from any to any via rl0
#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING
PURPOSES ONLY
# The following rule if un-commented will change the behavior of
this
# FireWall rule set from closed to completely open, thus bypassing
all of the
# following rules. This single rule is placed here for TESTING
PURPOSES ONLY.
#$cmd 00160 allow log logamount 500 all from any to any
#$cmd 00161 allow all from any to any
########  control section
############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bidirectional
packet traffic
# flow between source and destination using
protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a
set of
# sysctl(8) variables. The lifetime is refreshed every time a
matching
# packet is found in the dynamic table.
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
$cmd 00200 check-state
# Run all private Lan packet traffic through the dynamic rules
# table so the IP address are in sync with Natd.
$cmd 00210 allow all from any to any via xl0 keep-state
# Deny all fragments as bogus packets
$cmd 00250 deny all from any to any frag in via $oif
# Deny  ACK packets that did not match the dynamic rule table
$cmd 00260 deny tcp from any to any established in via $oif
########  outbound section
############################################
# Interrogate packets originating from behind the firewall, private
net.
# Upon a rule match, it's keep-state option will create a dynamic
rule.
# Allow out non-secure standard www function
$cmd 00300 allow tcp  from any to any 80  out via $oif setup
keep-state
# Allow out secure www function https over TLS SSL
$cmd 00301 allow tcp  from any to any 443 out via $oif setup
keep-state
# Allow lan winbox access to FBSD Apache13/Frontpage Server
$cmd 00302 allow tcp  from $iip to any 80  out via $oif setup
keep-state
# Allow out access to my ISP's Domain name server.
$cmd 00310 allow tcp  from any to $odns1 53 out via $oif setup
keep-state
$cmd 00311 allow udp  from any to $odns1 53 out via $oif keep-state
$cmd 00315 allow tcp  from any to $odns2 53 out via $oif setup
keep-state
$cmd 00316 allow udp  from any to $odns2 53 out via $oif keep-state
# Allow out send & get email function
$cmd 00330 allow tcp from any to any 25  out via $oif setup
keep-state
$cmd 00331 allow tcp from any to any 110 out via $oif setup
keep-state
# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$cmd 00340 allow tcp from me to any out via $oif setup keep-state
uid root
#$cmd 00341 allow tcp from any to me in  via $oif setup keep-state
uid root
# Allow out & in console traceroot command
$cmd 00342 allow udp from me to any 33435-33500 out via $oif
keep-state
$cmd 00343 allow log icmp from any to me icmptype 3,11 in via $oif
limit src-addr 2
# Allow out ping
$cmd 00350 allow icmp from any to any   out via $oif keep-state
############ non-passive FTP rules for LAN PC FTP to public Internet
######
#These keep-state rules do not work with divert natd so they have
been disabled
# Allow non-pasive FTP out control channel 21 & in of data channel
20
#$cmd 00370 allow log tcp  from any to any 21  out via $oif setup
keep-state
#$cmd 00371 allow log tcp  from any to any 20  out via $oif setup
keep-state
# Allow non-passive FTP in data channel to Lan ip range
#$cmd 00372 allow log tcp from any 20 to $iip 1024-49151 in via $oif
setup keep-s
#$cmd 00373 allow log tcp from any 20 to $iip2 1024-49151 in via
$oif setup keep-
############ End of non-passive FTP rules for LAN PC FTP to public
Internet ####
############ passive FTP rules for LAN PC FTP to public Internet
works ######
# Allow passive FTP control channel 21 & data high ports
$cmd 00375 allow tcp  from me to any 21  out via $oif setup
keep-state
$cmd 00376 allow tcp  from me to any 10000-65000  out via $oif setup
keep-state
############ End of passive FTP rules for LAN PC FTP to public
Internet ######
# Allow out ssh
#$cmd 00380 allow tcp  from any to any 22   out via $oif setup
keep-state
# Allow out TELNET
$cmd 00390 allow tcp  from any to any 23    out via $oif setup
keep-state
# Allow out Network Time Protocol (NTP) queries
#$cmd 00394 allow tcp  from any to any 123   out via $oif setup
keep-state
#$cmd 00395 allow udp  from any to any 123   out via $oif keep-state
# Allow out Time
$cmd 00396 allow tcp  from any to any 37    out via $oif setup
keep-state
$cmd 00397 allow udp  from any to any 37    out via $oif keep-state
# Allow out ident
#$cmd 00400 allow tcp  from any to any 113   out via $oif setup
keep-state
#$cmd 00401 allow udp  from any to any 113   out via $oif keep-state
# Allow out IRC
#$cmd 00410 allow tcp  from any to any 194   out via $oif setup
keep-state
#$cmd 00411 allow udp  from any to any 194   out via $oif keep-state
# Allow out whois
$cmd 00412 allow tcp  from any to any 43    out via $oif setup
keep-state
$cmd 00413 allow udp  from any to any 43    out via $oif keep-state
# Allow out whois++
#$cmd 00415 allow tcp  from any to any 63    out via $oif setup
keep-state
#$cmd 00416 allow udp  from any to any 63    out via $oif keep-state
# Allow out finger
#$cmd 00420 allow tcp  from any to any 79    out via $oif setup
keep-state
#$cmd 00421 allow udp  from any to any 79    out via $oif keep-state
# Allow out nntp news
$cmd 00425 allow tcp  from any to any 119   out via $oif setup
keep-state
$cmd 00426 allow udp  from any to any 119   out via $oif keep-state
# Allow out gopher
#$cmd 00430 allow tcp  from any to any 70    out via $oif setup
keep-state
#$cmd 00431 allow udp  from any to any 70    out via $oif keep-state
# Allow out pcANYwhere software product
# Can Only call out can not receive incomming calls because of
private
# IP address on Lan.
#$cmd 00440 allow  udp from $iip to any 22,5632 out via $oif
keep-state
#$cmd 00441 allow  tcp from $iip to any 5631 out via $oif setup
keep-state
########  inbound section
############################################
# Interrogate packets originating from in front of the firewall,
public net.
# Place statments here to allow public requests for service.
# The ${oip} holds the dynamic ip address range that both this FBSD
box and
# the standalong pc I use for testing logs into, so the result is
only I can
# gain public access from the internet to these functions.
# Allow in www
#$cmd 00600 allow tcp from $oip to any 80 in via $oif setup
keep-state limit src-addr 4
$cmd 00601 allow log tcp from any to any 80 in via $oif
# Allow  TCP FTP control channel in & data channel out
$cmd 00610 allow tcp from $oip to me 21  in via $oif setup
keep-state limit src-addr 4
$cmd 00611 allow tcp from $oip 20 to any 1024-49151 out via $oif
setup keep limit src-addr 4
# Allow in ssh function
#$cmd 00620 allow log tcp from $oip to me 22 in via $oif setup
keep-state limit src-addr 4
# Allow in Telnet
$cmd 00630 allow tcp from $oip to me 23 in via $oif setup keep-state
limit src-addr 4
# Allow in Ping from me
$cmd 00635 allow log icmp from $oip to me icmptype 0,8  in via $oif
# This sends a RESET to all ident packets.
#$cmd 00640 reset log tcp from any to me 113  in via $oif limit
src-addr 4
########  catch all section
############################################
#### Start Special rules for Adelphia Cable
#########################
#valid dhcp broadcast from adelphia dhcp server
$cmd 00700 allow UDP from 0.0.0.0 68 to 255.255.255.255 67 in via
rl0
# valid FBSD dhcp clinet request for dns config info
$cmd 00701 allow udp from me 68 to $odns1 67      out via rl0
$cmd 00702 allow udp from $odns1 67 to me 68       in via rl0
# invalid bogus packets on Adelphia Cable network.
$cmd 00705 deny udp from any to 255.255.255.255    in via rl0
$cmd 00706 deny udp from 0.0.0.0 to any            in via rl0
#               P:2
$cmd 00707 deny all  from 192.168.100.1 to 224.0.0.1   in via rl0
$cmd 00708 deny udp from $odns1 53 to me           in via rl0
#### End Special rules for Adelphia Cable  #########################
# Stop & log external redirect requests.
$cmd 00720 deny log icmp from any to any icmptype 5  in via $oif
# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and
destination
# IP address in my local domain as per CIAC prevention alert.
$cmd 00730 deny log ip from me to me  in via $oif
# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
#$cmd 00740 deny log icmp from any to me icmptype 0,8  in via $oif
# Reject & Log all setup of tcp incoming connections from the
outside
$cmd 00750 deny log tcp from any to any  setup  in via $oif
# Reject & Log all netbios service. 137=name, 138=datagram,
139=session
# netbios is ms/windows sharing services.
$cmd 00760 deny log tcp from any to any 137,138,139  in via $oif
$cmd 00761 deny log udp from any to any 137,138,139  in via $oif
# Reject all port 80 http packets that fall throught to here.
# These packets are auto spawn web page requests from within
# orginal web page request.
#$cmd 00770 deny  tcp from any to any 80   out via $oif
#delta force game (working for 1 lan station)
$cmd 00924 allow udp from any to any 7664,3568,3569,3875 out via
$oif
$cmd 00925 allow udp from any to any 3568,3569      in  via $oif
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00950 deny log logamount 500 all from any to any
-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of snake
Sent: Saturday, September 06, 2003 3:33 PM
To: freebsd-questions@freebsd.org
Subject: Error with daemon natd
Hello
I am running FreeBSD 4.8 RELEASE
My cpu AMD 486 dx4-100, motherboard chip set is SIS. I have 16 mb
ram, 2
ethernet cards RTL 1839.
I want to make this FreeBSD system to be internet gateway.
rl1 is the interface connected to the Internet
rl0 is the interface connected to my private network.
I have rebuild kernel with that 2 lines (I have read about it in the
handbook)
options IPFIREWALL
options IPDIVERT
Alsow I have added that strings it to /etc/rc.conf
ifconfig_rl1="DHCP"
ifconfig_rl0="10.0.0.1"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl1"
firewall_enable="YES"
firewall_type="open"
With that configurations internet connections present (I means that
my
provider has DHCP server and my client worked property).
My client machine is running under Windows 98. It's IP adress is
10.0.0.2. Gateway, i have added there, is 10.0.0.1.
But there are no internet connections on my client machine. Help me,
please.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGCEBFEFAA.fbsd_user>
