Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 10 Feb 2001 14:11:29 -0800 (PST)
From:      Benjamin Ossei <ben@cahostnet.net>
To:        "G D McKee" <freebsd@gdmckee.com>, questions@FreeBSD.ORG
Subject:   Re: Can't hit my own website from behind firewall
Message-ID:  <20010210221130.0797136F9@sitemail.everyone.net>

next in thread | raw e-mail | index | archive | help
In case attachment isn't any good.


# rc.ipfw - Firewall Rules
#
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by:  Ben Ossei
# Modified:       01/30/2001.
#

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="xl0"
onet="24.180.132.0"
omask="255.255.255.0"
oip="24.180.132.54"

# Inside interface network and netmask and ip
iif="fxp0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

# My ISP's DNS servers
dns1="24.3.0.36"
dns2="24.3.0.37"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
#${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via xl0 

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

#Allow all outbound connections
${fwcmd} add check-state
${fwcmd} add pass all from any to any out keep-state 

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag


### TCP RULES

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 keep-state 
#${fwcmd} add pass tcp from any to ${inet}:${imask} 80 setup
${fwcmd} add pass tcp from ${oif} to ${iif} 80 keep-state

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
${fwcmd} add pass tcp from 24.2.2.70 to ${oif} 67 setup

# FTP - Allow incoming data channel for outgoing connections, 
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass tcp from any to any 21 setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 setup

#Allow Telnet
#${fwcmd} add pass tcp from any to any 23 in via ${oif} setup
${fwcmd} add pass tcp from 162.6.224.88 to any in via ${oif} 23 setup
#${fwcmd} add pass tcp from any to any 23 out
${fwcmd} add deny log tcp from any to any 23 in via ${oif} setup
 
#Allow SSL
${fwcmd} add check-state
${fwcmd} add pass tcp from any to any 443 in via xl0 keep-state 
${fwcmd} add check-state
${fwcmd} add pass tcp from ${oif} to ${iif} 443 in keep-state

# IDENT - Reset incoming connections 
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
#${fwcmd} add pass tcp from any to any setup


### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oif} to ${iif} 53
${fwcmd} add pass udp from any to ${oip} 53

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing 
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}


### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}  

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}           

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any


### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
#${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
#${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
#${fwcmd} add 65000 deny log ip from any to any via ${oif}

#This to have denied packets dumped to the console
${fwcmd} add deny log ip from any to any

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.


--- "G D McKee" <freebsd@gdmckee.com>
> wrote:
>Hi
>
>Can we have a look at your firewall config file.  There isn't a lot to go on
>here.
>
>Gordon
>----- Original Message -----
>From: "Benjamin Ossei" <ben@cahostnet.net>
>To: <questions@FreeBSD.ORG>
>Sent: Saturday, February 10, 2001 9:02 PM
>Subject: Can't hit my own website from behind firewall
>
>
>> I can't seem to hit my own web server from a machine on my internal
>network.  I have a dualhomed bsd running as a firewall.  I allow everything
>going outbound using keep-state and check-state (not in that order).  I'm
>using NAT to get to my web server which is using a 192.168.1.x IP address.
>I can hit the server fine from the outside but from the machine behind the
>firewall I can't.  What might be blocking this?  I also allow http,ftp, ssh,
>dns inbound.
>>
>> Thanks..
>>
>> _____________________________________________________________
>> ========GET YOUR FREE E-MAIL============
>> http://freemail.cahostnet.net
>> Web Hosting http://www.cahostnet.com
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>>
>>
>>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

_____________________________________________________________
========GET YOUR FREE E-MAIL============
http://freemail.cahostnet.net
Web Hosting http://www.cahostnet.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010210221130.0797136F9>