Date:      Sat, 28 Apr 2001 01:26:50 -0500
From:      "Maciuszonek Artur" <ummacius@cc.UManitoba.CA>
To:        <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject:   outlook express, ipx and ftp :)
Message-ID:  <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

Well, I have read and read, searched and searched, but I guess it's time to
consult the experts :)
Please reply to me directly, for I am not subscribed to this group.

Here is the dilemma:  I have set up a firewall/router and have recompiled
the kernel for ipfw and natd.
Here is my current setup:

=> cable modem => ep1 (external nic 24.109.xxx.xxx)
                                **router/firewall**
                                ep0 (internal nic 192.168.xxx.xxx)
                                <=> HUB
                                <=> 192.168.xxx.xxx Computer (Win ME)
                                <=> 192.168.xxx.xxx Laptop (Win 2000)

What I am having problems with is that on the main computer on the subnet I
am unable to use Outlook Express to view newsgroups.
I can surf the web, download files, and I can use Napster and ICQ.  I have read the
man pages for ipfw but I'm still at a loss.

The error message I receive is:

Server cannot be found:
Configuration:
   Account: news
   Server: news
   Protocol: NNTP
   Port: 119
   Secure(SSL): 0
   Code: 800ccc0d

I added the line in rc.firewall.current (see below) after the rule for
ssh (port 22), but without any luck:
$fwcmd add allow tcp from any 119 to any 119 setup
I have looked through /etc/protocols but none are listed for NNTP...... :(

I also would like to be able to let IPX through the firewall to the outside
and let it back in.
Again, there is no listing for IPX in /etc/protocols :(
The same goes for access to an ftp server that is on the main computer in the
internal subnet.
The server is on port 27015.   Again I have tried to use

add allow tcp from any 27015 to any 27015 setup
add allow ipx-in-ip from any to any setup

and again no luck.
I have also modified
# Stop spoofing of your internal network range
 $fwcmd add deny log ip from $inwr to any in via $oif

from deny to allow in order for the internal network to be able to access the
outside.  Does this pose any security issues?

Hmm, sorry about the lengthy e-mail, but I hope someone will help me tackle
this problem.

###########################################################
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org).  Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
###########################
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
#  gateway_enable="YES"
#  firewall_enable="YES"
#  firewall_script="/etc/rc.firewall.current"
#  natd_enable="YES"
#  natd_interface="***"  #replace with your external ifX
#  natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="oifx"  #set to outside interface name
onwr="a.b.c.d/24" #set to outside network range
oip="a.b.c.d"  #set to outside ip address

iif="ifx"  #set to internal interface name
inwr="x.y.z.x/24" #set to internal network range
iip="x.y.z.x"  #set to internal ip address

ns1="e.f.g.h"  #set to primary name server best if = oif
#ntp="i.j.k.l"  #set to ip of NTP server or leave as is

#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
 $fwcmd -f flush
#
# Allow your loop back to work
 $fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
 $fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
 $fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
 $fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
 $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
 $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
 $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
 $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
 $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
 $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
#  Stop draft-manning-dsua-01.txt nets on the outside interface
 $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
 $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
 $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
 $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
 $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
 $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
 $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
 $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
 $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
 $fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
 $fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
 $fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
 $fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
#  to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh  enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
 $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
 $fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
 $fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
 $fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
 $fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
 $fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
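As an added example (not code from the post or from the quoted script), a small Python model of ipfw's first-match evaluation over the rules from the script that decide the two cases the poster raises: it shows that `allow tcp from any 119 to any 119 setup` never matches a client's SYN, whose source port is ephemeral rather than 119, that the LAN keep-state rule already admits outbound NNTP, and that flipping the first anti-spoof rule from deny to allow accepts any packet arriving on the outside interface that claims an internal source address. The interface names, address range and packets are constructed, and the model only covers the keywords those rules use.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional
# Added example, not code from the post: a toy first-match evaluator for the subset of
# ipfw syntax the page's script uses (packets here all arrive "in", so "in" is implied).
OIF, IIF = "ep1", "ep0"                        # assumed external / internal NIC names
INWR = ipaddress.ip_network("192.168.1.0/24")  # constructed stand-in for $inwr

@dataclass
class Rule:
    action: str
    proto: str = "ip"                             # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network] = None   # None = "any"
    not_src: bool = False                         # models "from not $inwr"
    sport: Optional[int] = None
    dport: Optional[int] = None
    via: Optional[str] = None                     # interface name; None matches any
    flags: str = ""                               # "setup" = SYN w/o ACK, "established" = ACK
    def matches(self, p):
        return (self.proto in ("ip", p["proto"])
                and (self.src is None or (p["src"] in self.src) != self.not_src)
                and self.sport in (None, p["sport"])
                and self.dport in (None, p["dport"])
                and self.via in (None, p["iface"])
                and (self.flags != "setup" or (p["syn"] and not p["ack"]))
                and (self.flags != "established" or p["ack"]))

def evaluate(rules, p):  # (index, action) of the first match: ipfw stops there
    for i, r in enumerate(rules):
        if r.matches(p):
            return i, r.action
    return None, "deny"                           # ipfw's implicit default rule

# The page's ruleset cut down to the rules that decide the packets below, in file order.
RULES = [
    Rule("deny", src=INWR, via=OIF),                            # anti-spoof on outside NIC
    Rule("deny", src=INWR, not_src=True, via=IIF),              # anti-spoof on inside NIC
    Rule("allow", "tcp", flags="established"),
    Rule("allow", "tcp", sport=119, dport=119, flags="setup"),  # the poster's NNTP rule
    Rule("allow", src=INWR, via=IIF),                           # LAN keep-state rule
    Rule("deny"),                                               # final deny-all
]
# The same set with the first anti-spoof rule flipped to allow, as the poster did.
POSTER_RULES = [replace(RULES[0], action="allow")] + RULES[1:]

def pkt(src, sport, dport, iface, syn=True, ack=False):
    return dict(proto="tcp", src=ipaddress.ip_address(src), sport=sport,
                dport=dport, iface=iface, syn=syn, ack=ack)
# Constructed packets: a LAN client's NNTP SYN, and a forged "internal" packet from outside.
LAN_NNTP_SYN = pkt("192.168.1.10", 1025, 119, IIF)
SPOOFED = pkt("192.168.1.77", 1025, 139, OIF)
```

Running `evaluate(RULES, LAN_NNTP_SYN)` lands on the keep-state rule (index 4), not the NNTP rule, while `evaluate(POSTER_RULES, SPOOFED)` is accepted by the flipped rule at index 0 before any later check sees it.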
