Date: Sat, 28 Apr 2001 01:26:50 -0500 From: "Maciuszonek Artur" <ummacius@cc.UManitoba.CA> To: <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org> Subject: outlook express, ipx and ftp :) Message-ID: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>
next in thread | raw e-mail | index | archive | help
Well I have read and read, searched and searched but I guess it's time to consult the experts :) please reply to me directly for I am not subscribed to this group. Here is the dillema: I have set up a firewall/router and have recompiled the kernel for ipfw and natd. Here is my current setup: => cable modem => ep1(external nic 24.109.xxx.xxx) **router/firewall** ep0(internal nic192.168.xxx.xxx) <=> HUB <=> 192.168.xxx.xxx Computer(Win ME) <=> 192.168.xxx.xxx Laptop (Win 2000) What I am having problems with is that on the main computer on the subnet I am unable to use Outlook express to view newsgroups. I can suft the web, download files, I can use napster, ICQ. I have read the man pages for ipfw but I'm still at a loss. The error message I receive is: Server cannot be found: Configuration: Account: news Server: news Protocol: NNTP Port: 119 Secure(SSL): 0 Code: 800ccc0d I added the line in the rc.firewall.current ( see below ) after the rule for ssh (port 22) but without any luck. $fwcmd add allow tcp from any 119 to any 119 setup I have looked through /etc/protocols but none are listed for NNTP......:( I also would like to be able to let IPX thought the firewall to the outside and let it back in. again there is no listing for IPX in /etc/protocols :( The same goes for acess to an ftp server that in on the main computer in the internal subnet. The server is on port 27015. Again I have tried to use add allow tcp from any 27015 to any 27015 setup add allow ipx-in-ip from any to any setup and again no luck. I have also modified # Stop spoofing of your internal network range $fwcmd add deny log ip from $inwr to any in via $oif >From deny to allow in order for the internal network to be able to acess the outside. Does this pose any security issues? Hmm sorry about the lengthy e-mail but I hope someone will help me tackle this problem. ###########################################################3 # Simple stateful network firewall rules for IPFW with NAT v. 1.01 # See bottom of file for instructions and description of rules # Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great # deal of help from freebsd-security@freebsd.org). Specific questions # about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or # more general security questions to freebsd-security@freebsd.org. # Use this script at your own risk. # # if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet # calculator can help you. /usr/ports/net/ipsc-0.4.2 # ########################### # # Brief Installation instructions # # Name this script /etc/rc.firewall.current # Edit /etc/rc.conf to include # gateway_enable="YES" # firewall_enable="YES" # firewall_script="/etc/rc.firewall.current" # natd_enable="YES" # natd_interface="***" #replace with your external ifX # natd_flags="-dynamic" # Make sure your kernel is configured to handle ipfw and natd # See the FreeBSD handbook on how to do this. # ############################ # # Define your variables # fwcmd="/sbin/ipfw" #leave as is if using ipfw oif="oifx" #set to outside interface name onwr="a.b.c.d/24" #set to outside network range oip="a.b.c.d" #set to outside ip address iif="ifx" #set to internal interface name inwr="x.y.z.x/24" #set to internal network range iip="x.y.z.x" #set to internal ip address ns1="e.f.g.h" #set to primary name server best if = oif #ntp="i.j.k.l" #set to ip of NTP server or leave as is # # End of required user input if you only intend to allow ssh connections to # this box from the outside. If other services are required, edit line 96 # as necessary. # # Rules with descriptions # # # Force a flush of the current firewall rules before we reload $fwcmd -f flush # # Allow your loop back to work $fwcmd add allow all from any to any via lo0 # # Prevent spoofing of your loopback $fwcmd add deny log all from any to 127.0.0.0/8 # # Stop spoofing of your internal network range $fwcmd add deny log ip from $inwr to any in via $oif # # Stop spoofing from inside your private ip range $fwcmd add deny log ip from not $inwr to any in via $iif # # Stop private networks (RFC1918) from entering the outside interface. $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif # # Stop draft-manning-dsua-01.txt nets on the outside interface $fwcmd add deny all from 0.0.0.0/8 to any in via $oif $fwcmd add deny all from 169.254.0.0/16 to any in via $oif $fwcmd add deny all from 192.0.2.0/24 to any in via $oif $fwcmd add deny all from 224.0.0.0/4 to any in via $oif $fwcmd add deny all from 240.0.0.0/4 to any in via $oif $fwcmd add deny all from any to 0.0.0.0/8 in via $oif $fwcmd add deny all from any to 169.254.0.0/16 in via $oif $fwcmd add deny all from any to 192.0.2.0/24 in via $oif $fwcmd add deny all from any to 224.0.0.0/4 in via $oif $fwcmd add deny all from any to 240.0.0.0/4 in via $oif # # Divert all packets through natd $fwcmd add divert natd all from any to any via $oif # # Allow all established connections to persist (setup required # for new connections). $fwcmd add allow tcp from any to any established # # Allow incomming requests to reach the following services: # To allow multiple services you may list them separated # by a coma, for example ...to $oip 22,25,110,80 setup $fwcmd add allow tcp from any to $oip 22 setup # # NOTE: you may have to change your client to passive or active mode # to get ftp to work once enabled, only ssh enabled by default. # 21:ftp # 22:ssh enabled by default # 23:telnet # 25:smtp # 110:pop # 143:imap # 80:http # 443:ssl # # Allow icmp packets for diagnostic purposes (ping traceroute) # you may wish to leave commented out. # $fwcmd add allow icmp from any to any # # Allow required ICMP $fwcmd add allow icmp from any to any icmptypes 3,4,11,12 # # Allow DNS traffic from internet to query your DNS (for reverse # lookups etc). $fwcmd add allow udp from any 53 to $ns1 53 # # Allow time update traffic # $fwcmd add allow udp from $ntp 123 to $oip 123 # # Checks packets against dynamic rule set below. $fwcmd add check-state # # Allow any traffic from firewall ip to any going out the # external interface $fwcmd add allow ip from $oip to any keep-state out via $oif # # Allow any traffic from local network to any passing through the # internal interface $fwcmd add allow ip from $inwr to any keep-state via $iif # # Deny everything else $fwcmd add 65435 deny log ip from any to any # ##################################################### # # End firewall script. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001a01c0cfac$361bf3e0$0a036d18>