Date: Sat, 10 Feb 2001 14:11:29 -0800 (PST) From: Benjamin Ossei <ben@cahostnet.net> To: "G D McKee" <freebsd@gdmckee.com>, questions@FreeBSD.ORG Subject: Re: Can't hit my own website from behind firewall Message-ID: <20010210221130.0797136F9@sitemail.everyone.net>
next in thread | raw e-mail | index | archive | help
In case attachment isn't any good. # rc.ipfw - Firewall Rules # # This file is a modified version of /etc/rc.firewall. # # Maintained by: Ben Ossei # Modified: 01/30/2001. # # Suck in the configuration variables. if [ -r /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf source_rc_confs elif [ -r /etc/rc.conf ]; then . /etc/rc.conf fi if [ -n "${1}" ]; then firewall_type="${1}" fi # Firewall program fwcmd="/sbin/ipfw" # Outside interface network and netmask and ip oif="xl0" onet="24.180.132.0" omask="255.255.255.0" oip="24.180.132.54" # Inside interface network and netmask and ip iif="fxp0" inet="192.168.1.0" imask="255.255.255.0" iip="192.168.1.1" # My ISP's DNS servers dns1="24.3.0.36" dns2="24.3.0.37" # Flush previous rules ${fwcmd} -f flush # Allow loopbacks, deny imposters ${fwcmd} add 100 pass all from any to any via lo0 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 # If you're using 'options BRIDGE', uncomment the following line to pass ARP #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0 # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} #${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} # Network Address Translation. This rule is placed here deliberately # so that it does not interfere with the surrounding address-checking # rules. If for example one of your internal LAN machines had its IP # address set to 192.0.2.1 then an incoming packet for it after being # translated by natd(8) would match the `deny' rule above. Similarly # an outgoing packet originated from it before being translated would # match the `deny' rule below. ${fwcmd} add divert natd all from any to any via xl0 # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} #Allow all outbound connections ${fwcmd} add check-state ${fwcmd} add pass all from any to any out keep-state # Allow established connections with minimal overhead ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag ### TCP RULES # HTTP - Allow access to our web server ${fwcmd} add pass tcp from any to any 80 keep-state #${fwcmd} add pass tcp from any to ${inet}:${imask} 80 setup ${fwcmd} add pass tcp from ${oif} to ${iif} 80 keep-state # SMTP - Allow access to sendmail for incoming e-mail ${fwcmd} add pass tcp from any to any 25 setup ${fwcmd} add pass tcp from 24.2.2.70 to ${oif} 67 setup # FTP - Allow incoming data channel for outgoing connections, # reject & log all incoming control connections ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup ${fwcmd} add pass tcp from any to any 21 setup # SSH Login - Allow & Log all incoming ${fwcmd} add pass log tcp from any to any 22 setup #Allow Telnet #${fwcmd} add pass tcp from any to any 23 in via ${oif} setup ${fwcmd} add pass tcp from 162.6.224.88 to any in via ${oif} 23 setup #${fwcmd} add pass tcp from any to any 23 out ${fwcmd} add deny log tcp from any to any 23 in via ${oif} setup #Allow SSL ${fwcmd} add check-state ${fwcmd} add pass tcp from any to any 443 in via xl0 keep-state ${fwcmd} add check-state ${fwcmd} add pass tcp from ${oif} to ${iif} 443 in keep-state # IDENT - Reset incoming connections ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection #${fwcmd} add pass tcp from any to any setup ### UDP RULES # DNS - Allow queries out in the world ${fwcmd} add pass udp from any to ${dns1} 53 ${fwcmd} add pass udp from any to ${dns2} 53 ${fwcmd} add pass udp from ${dns1} 53 to any ${fwcmd} add pass udp from ${dns2} 53 to any ${fwcmd} add pass udp from any to ${oip} 53 ${fwcmd} add pass udp from ${oif} to ${iif} 53 ${fwcmd} add pass udp from any to ${oip} 53 # SMB - Allow local traffic ${fwcmd} add pass udp from any to any 137-139 via ${iif} # SYSLOG - Allow machines on inside net to log to us. ${fwcmd} add pass udp from any to any 514 via ${iif} # NTP - Allow queries out in the world ${fwcmd} add pass udp from any 123 to any 123 via ${oif} ${fwcmd} add pass udp from any 123 to any via ${iif} ${fwcmd} add pass udp from any to any 123 via ${iif} # TRACEROUTE - Allow outgoing ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif} ### ICMP RULES # ICMP packets # Allow all ICMP packets on internal interface ${fwcmd} add pass icmp from any to any via ${iif} # Allow outgoing pings ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif} ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif} # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif} # Deny the rest of them ${fwcmd} add deny icmp from any to any ### MISCELLANEOUS REJECT RULES # Reject broadcasts from outside interface #${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif} # Reject&Log SMB connections on outside interface #${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif} # Reject&Log all other connections from outside interface #${fwcmd} add 65000 deny log ip from any to any via ${oif} #This to have denied packets dumped to the console ${fwcmd} add deny log ip from any to any # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. --- "G D McKee" <freebsd@gdmckee.com> > wrote: >Hi > >Can we have a look at your firewall config file. There isn't a lot to go on >here. > >Gordon >----- Original Message ----- >From: "Benjamin Ossei" <ben@cahostnet.net> >To: <questions@FreeBSD.ORG> >Sent: Saturday, February 10, 2001 9:02 PM >Subject: Can't hit my own website from behind firewall > > >> I can't seem to hit my own web server from a machine on my internal >network. I have a dualhomed bsd running as a firewall. I allow everything >going outbound using keep-state and check-state (not in that order). I'm >using NAT to get to my web server which is using a 192.168.1.x IP address. >I can hit the server fine from the outside but from the machine behind the >firewall I can't. What might be blocking this? I also allow http,ftp, ssh, >dns inbound. >> >> Thanks.. >> >> _____________________________________________________________ >> ========GET YOUR FREE E-MAIL============ >> http://freemail.cahostnet.net >> Web Hosting http://www.cahostnet.com >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-questions" in the body of the message >> >> >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-questions" in the body of the message _____________________________________________________________ ========GET YOUR FREE E-MAIL============ http://freemail.cahostnet.net Web Hosting http://www.cahostnet.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010210221130.0797136F9>