From owner-freebsd-questions@FreeBSD.ORG Sat Jul 31 18:14:00 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D3D2816A4CE for ; Sat, 31 Jul 2004 18:14:00 +0000 (GMT) Received: from mta10.adelphia.net (mta10.adelphia.net [68.168.78.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58AEB43D5E for ; Sat, 31 Jul 2004 18:14:00 +0000 (GMT) (envelope-from Barbish3@adelphia.net) Received: from barbish ([67.20.101.71]) by mta10.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040731181358.SEJC6319.mta10.adelphia.net@barbish>; Sat, 31 Jul 2004 14:13:58 -0400 From: "JJB" To: "Steve Bertrand" , "James A. Coulter" Date: Sat, 31 Jul 2004 14:13:55 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: <10697.64.39.177.47.1091296978.squirrel@64.39.177.47> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Importance: Normal cc: freebsd-questions@freebsd.org Subject: RE: Firewall Rule Set not allowing access to DNS servers? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Barbish3@adelphia.net List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jul 2004 18:14:01 -0000 Rule numbers have to be hard coded in this ipfw rule set because of the skipto rule. How else can you identify the skipto target rule if you allow ipfw to auto assign rule numbers. -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Steve Bertrand Sent: Saturday, July 31, 2004 2:03 PM To: James A. Coulter Cc: barbish3@adelphia.net; freebsd-questions@freebsd.org Subject: RE: Firewall Rule Set not allowing access to DNS servers? > My LAN is configured with static IP addresses, 192.168.1.x. > > I have no problems communicating within the LAN. > > I have full connectivity with the internet from every machine on my > LAN when > the firewall is open. > > When I use the rule set in question, I can ping and send mail but I > cannot > access the DNS servers listed in resolv.conf. > > These are the same DNS servers placed in resolv.conf when the firewall > is > open. > > I'm sorry, but I never said dc1 was my inside nic. > > Again, I appreciate any help with this. The files you requested > follow. Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?: ...allow udp from any to any 53 keep-state ...allow udp from any 53 to any keep-state ...allow tcp from any to any 53 keep-state Steve > > Here's my ifconfig - a: > > sara# ifconfig -a > dc0: flags=8843 mtu 1500 > inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 > inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1 > ether 00:04:5a:76:55:f0 > media: Ethernet autoselect (100baseTX ) > status: active > dc1: flags=8843 mtu 1500 > inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2 > inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255 > ether 00:a0:cc:33:e1:f6 > media: Ethernet autoselect (100baseTX ) > status: active > lp0: flags=8810 mtu 1500 > lo0: flags=8049 mtu 16384 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 > inet 127.0.0.1 netmask 0xff000000 > ppp0: flags=8010 mtu 1500 > sl0: flags=c010 mtu 552 > faith0: flags=8002 mtu 1500 > > Here's resolv.conf: > > sara# more /etc/resolv.conf > search pn.at.cox.net > nameserver 68.105.161.20 > nameserver 68.1.18.25 > nameserver 68.10.16.30 > > Here's the entire rule set I'm trying to use. > > I did follow the comments. > > Please note the variable pif is set to dc1, my outside nic. > > ################ Start of IPFW rules file > ############################### > # Flush out the list before we begin. > ipfw -q -f flush > # Set rules command prefix > cmd="ipfw -q add" > skip="skipto 800" > pif="dc1" # public interface name of Nic card > # facing the public internet > > > > ################################################################# > # No restrictions on Inside Lan Interface for private network > # Change xl0 to your Lan Nic card interface name > ################################################################# > $cmd 005 allow all from any to any via dc0 > > ################################################################# > # No restrictions on Loopback Interface > ################################################################# > $cmd 010 allow all from any to any via lo0 > > ################################################################# > # check if packet is inbound and nat address if it is > ################################################################# > $cmd 014 divert natd ip from any to any in via $pif > > ################################################################# > # Allow the packet through if it has previous been added to the > # the "dynamic" rules table by a allow keep-state statement. > ################################################################# > $cmd 015 check-state > > ################################################################# > # Interface facing Public internet (Outbound Section) > # Interrogate session start requests originating from behind the > # firewall on the private network or from this gateway server > # destine for the public internet. > ################################################################# > > # Allow out access to my ISP's Domain name server. > # x.x.x.x must be the IP address of your ISP's DNS > # Dup these lines if your ISP has more than one DNS server > # Get the IP addresses from /etc/resolv.conf file > $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup > keep-state > $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup > keep-state > $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup > keep-state > > # Allow out access to my ISP's DHCP server for cable/DSL > configurations. > $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state > > # Allow out non-secure standard www function > $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state > > # Allow out secure www function https over TLS SSL > $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state > > # Allow out send & get email function > $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state > $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state > > # Allow out FBSD (make install & CVSUP) functions > # Basically give user root "GOD" privileges. > $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid > root > > # Allow out ping > $cmd 080 $skip icmp from any to any out via $pif keep-state > > # Allow out Time > $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state > > # Allow out nntp news (IE: news groups) > $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state > > # Allow out secure FTP, Telnet, and SCP > # This function is using SSH (secure shell) > $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state > > # Allow out whois > $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state > > # Allow ntp time server > $cmd 130 $skip udp from any to any 123 out via $pif keep-state > > ################################################################# > # Interface facing Public internet (Inbound Section) > # Interrogate packets originating from the public internet > # destine for this gateway server or the private network. > ################################################################# > > # Deny all inbound traffic from non-routable reserved address spaces > $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 > private > IP > $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 > private > IP > $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 > private > IP > $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback > $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback > $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP > auto-config > $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved > for > doc's > $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun > cluster > $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & > E > multicast > > # Deny ident > $cmd 315 deny tcp from any to any 113 in via $pif > > # Deny all Netbios service. 137=name, 138=datagram, 139=session > # Netbios is MS/Windows sharing services. > # Block MS/Windows hosts2 name server requests 81 > $cmd 320 deny tcp from any to any 137 in via $pif > $cmd 321 deny tcp from any to any 138 in via $pif > $cmd 322 deny tcp from any to any 139 in via $pif > $cmd 323 deny tcp from any to any 81 in via $pif > > # Deny any late arriving packets > $cmd 330 deny all from any to any frag in via $pif > > # Deny ACK packets that did not match the dynamic rule table > $cmd 332 deny tcp from any to any established in via $pif > > # Allow traffic in from ISP's DHCP server. This rule must contain > # the IP address of your ISP's DHCP server as it's the only > # authorized source to send this packet type. > # Only necessary for cable or DSL configurations. > # This rule is not needed for 'user ppp' type connection to > # the public internet. This is the same IP address you captured > # and used in the outbound section. > $cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state > > # Allow in standard www function because I have apache server > $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr > 2 > $cmd 370 allow tcp from any to me 8888 in via $pif setup limit > src-addr 2 > > # Allow in secure FTP, Telnet, and SCP from public Internet > $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr > 2 > > # Allow in non-secure Telnet session from public Internet > # labeled non-secure because ID & PW are passed over public > # internet as clear text. > # Delete this sample group if you do not have telnet server enabled. > # $cmd 390 allow tcp from any to me 23 in via $pif setup limit > src-addr 2 > > # Reject & Log all unauthorized incoming connections from the public > internet > $cmd 500 deny log all from any to any in via $pif > > # Reject & Log all unauthorized out going connections to the public > internet > > $cmd 550 deny log all from any to any out via $pif > > # This is skipto location for outbound stateful rules > $cmd 800 divert natd ip from any to any out via $pif > $cmd 801 allow ip from any to any > > # Everything else is denied by default > # deny and log all packets that fell through to see what they are > $cmd 999 deny log all from any to any > > > ################ End of IPFW rules file > ############################### > > Here's all of today's security ouput: > > Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 > 193.0.14.129:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550 > Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 > 68.105.58.150:21 in via dc1 > Jul 31 07:51:51 sara last message repeated 2 times > Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:24 sara last message repeated 2 times > Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:41 sara last message repeated 2 times > Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500 > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 > 192.168.1.102:3232 in via dc1 > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 > 192.168.1.102:3232 in via dc1 > Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 > 255.255.255.255:68 in via dc1 > Jul 31 08:15:28 sara last message repeated 2 times > Jul 31 08:15:47 sara last message repeated 5 times > Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000 > Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 > 198.41.0.4:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550 > > Here's rc.conf again: > > # -- sysinstall generated deltas -- > # Sun Jul 4 10:40:48 2004 > # Created: Sun Jul 4 10:40:48 2004 > # Enable network daemons for user convenience. > # Please make all changes to this file, not to /etc/defaults/rc.conf. > # This file now contains just the overrides from > /etc/defaults/rc.conf. > hostname="sara.mshome.net" > ifconfig_dc1="DHCP" > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0" > firewall_enable="YES" firewall_script="/etc/ipfw.rules" > firewall_logging="YES" > kern_securelevel_enable="NO" > linux_enable="YES" > moused_enable="YES" > named_enable="YES" > nfs_client_enable="YES" > nfs_reserved_port_only="YES" > nfs_server_enable="YES" > sendmail_enable="YES" > sshd_enable="YES" > usbd_enable="YES" > ntpd_enable="YES" > inetd_enable="YES" > gateway_enable="YES" > natd_enable="YES" > natd_interface="dc1" > natd_flags="-dynamic" > > Here's dmesg.boot: > > Copyright (c) 1992-2004 The FreeBSD Project. > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, > 1994 > The Regents of the University of California. All rights > reserved. > FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004 > jcoulter@sara.mshome.net:/usr/obj/usr/src/sys/SARA > Timecounter "i8254" frequency 1193182 Hz > CPU: Intel Celeron (634.78-MHz 686-class CPU) > Origin = "GenuineIntel" Id = 0x686 Stepping = 6 > > Features=0x383f9ff PAT,PSE36,MMX,FXSR,SSE> > real memory = 134201344 (131056K bytes) > avail memory = 127057920 (124080K bytes) > Preloaded elf kernel "kernel" at 0xc0381000. > Pentium Pro MTRR support enabled > md0: Malloc disk > Using $PIR table, 8 entries at 0xc00f0e80 > npx0: on motherboard > npx0: INT 16 interface > pcib0: on motherboard > pci0: on pcib0 > agp0: mem > 0xe4000000-0xe7ffffff > at device 0.0 on pci0 > pcib1: at device 1.0 on > pci0 > pci1: on pcib1 > pci1: at 0.0 irq 11 > isab0: at device 4.0 on pci0 > isa0: on isab0 > atapci0: port 0xb800-0xb80f at device > 4.1 on > pci0 > ata0: at 0x1f0 irq 14 on atapci0 > ata1: at 0x170 irq 15 on atapci0 > uhci0: port 0xb400-0xb41f > irq 9 at > device 4.2 on pci0 > usb0: on uhci0 > usb0: USB revision 1.0 > uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 > uhub0: 2 ports with 2 removable, self powered > chip0: port 0xe800-0xe80f > at > device 4.3 on pci0 > dc0: port 0xb000-0xb0ff mem > 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0 > dc0: Ethernet address: 00:04:5a:76:55:f0 > miibus0: on dc0 > ukphy0: on miibus0 > ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto > dc1: port 0xa800-0xa8ff mem > 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0 > dc1: Ethernet address: 00:a0:cc:33:e1:f6 > miibus1: on dc1 > dcphy0: on miibus1 > dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto > isa0: too many dependant configs (8) > isa0: unexpected small tag 14 > orm0: