Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 28 Apr 2001 06:25:02 -0500
From:      "Sean Chisek" <devotwo@home.com>
To:        "Maciuszonek Artur" <ummacius@cc.UManitoba.CA>, <freebsd-questions@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: outlook express, ipx and ftp :)
Message-ID:  <000d01c0cfd5$de1f70c0$0201a8c0@sardarji19>
References:  <001a01c0cfac$361bf3e0$0a036d18@ivideon.com>

next in thread | previous in thread | raw e-mail | index | archive | help
I do the same type of thing with an OpenBSD firewall.  In Windoze, when
setting up Outlook, you will need to enter the full path to your news server
like news.whatever.com.  Also, make sure you are allowing your outside
interface to get to your news server's IP address.


----- Original Message -----
From: "Maciuszonek Artur" <ummacius@cc.UManitoba.CA>
To: <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
Sent: Saturday, April 28, 2001 1:26 AM
Subject: outlook express, ipx and ftp :)


> Well I have read and read, searched and searched but I guess it's time to
> consult the experts :)
> please reply to me directly for I am not subscribed to this group.
>
> Here is the dillema:  I have set up a firewall/router and have recompiled
> the kernel for ipfw and natd.
> Here is my current setup:
>
> => cable modem => ep1(external nic 24.109.xxx.xxx)
>                                 **router/firewall**
>                                 ep0(internal nic192.168.xxx.xxx)
>                                 <=> HUB
>                                 <=> 192.168.xxx.xxx Computer(Win ME)
>                                 <=> 192.168.xxx.xxx Laptop (Win 2000)
>
> What I am having problems with is that on the main computer on the subnet
I
> am unable to use Outlook express to view newsgroups.
> I can suft the web, download files, I can use napster, ICQ.  I have read
the
> man pages for ipfw but I'm still at a loss.
>
> The error message I receive is:
>
> Server cannot be found:
> Configuration:
>    Account: news
>    Server: news
>    Protocol: NNTP
>    Port: 119
>    Secure(SSL): 0
>    Code: 800ccc0d
>
> I added the line in the rc.firewall.current ( see below ) after the rule
for
> ssh (port 22) but without any
> luck.
> $fwcmd add allow tcp from any 119 to any 119 setup
> I have looked through /etc/protocols but none are listed for NNTP......:(
>
> I also would like to be able to let IPX thought the firewall to the
outside
> and let it back in.
> again there is no listing for IPX in /etc/protocols :(
> The same goes for acess to an ftp server that in on the main computer in
the
> internal subnet.
> The server is on port 27015.   Again I have tried to use
>
> add allow tcp from any 27015 to any 27015 setup
> add allow ipx-in-ip from any to any setup
>
> and again no luck.
> I have also modified
> # Stop spoofing of your internal network range
>  $fwcmd add deny log ip from $inwr to any in via $oif
>
> >From deny to allow in order for the internal network to be able to acess
> the
> outside.  Does this pose any
> security issues?
>
> Hmm sorry about the lengthy e-mail but I hope someone will help me tackle
> this problem.
>
> ###########################################################3
> # Simple stateful network firewall rules for IPFW with NAT v. 1.01
> # See bottom of file for instructions and description of rules
> # Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
> # deal of help from freebsd-security@freebsd.org).  Specific questions
> # about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
> # more general security questions to freebsd-security@freebsd.org.
> # Use this script at your own risk.
> #
> # if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
> # calculator can help you. /usr/ports/net/ipsc-0.4.2
> #
> ###########################
> #
> # Brief Installation instructions
> #
> # Name this script /etc/rc.firewall.current
> # Edit /etc/rc.conf to include
> #  gateway_enable="YES"
> #  firewall_enable="YES"
> #  firewall_script="/etc/rc.firewall.current"
> #  natd_enable="YES"
> #  natd_interface="***"  #replace with your external ifX
> #  natd_flags="-dynamic"
> # Make sure your kernel is configured to handle ipfw and natd
> # See the FreeBSD handbook on how to do this.
> #
> ############################
> #
> # Define your variables
> #
> fwcmd="/sbin/ipfw" #leave as is if using ipfw
> oif="oifx"  #set to outside interface name
> onwr="a.b.c.d/24" #set to outside network range
> oip="a.b.c.d"  #set to outside ip address
>
> iif="ifx"  #set to internal interface name
> inwr="x.y.z.x/24" #set to internal network range
> iip="x.y.z.x"  #set to internal ip address
>
> ns1="e.f.g.h"  #set to primary name server best if = oif
> #ntp="i.j.k.l"  #set to ip of NTP server or leave as is
>
> #
> # End of required user input if you only intend to allow ssh connections
to
> # this box from the outside. If other services are required, edit line 96
> # as necessary.
> #
> # Rules with descriptions
> #
> #
> # Force a flush of the current firewall rules before we reload
>  $fwcmd -f flush
> #
> # Allow your loop back to work
>  $fwcmd add allow all from any to any via lo0
> #
> # Prevent spoofing of your loopback
>  $fwcmd add deny log all from any to 127.0.0.0/8
> #
> # Stop spoofing of your internal network range
>  $fwcmd add deny log ip from $inwr to any in via $oif
> #
> # Stop spoofing from inside your private ip range
>  $fwcmd add deny log ip from not $inwr to any in via $iif
> #
> # Stop private networks (RFC1918) from entering the outside interface.
>  $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
>  $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
>  $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
>  $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
>  $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
>  $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
> #
> #  Stop draft-manning-dsua-01.txt nets on the outside interface
>  $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
>  $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
>  $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
>  $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
>  $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
>  $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
>  $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
>  $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
>  $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
>  $fwcmd add deny all from any to 240.0.0.0/4 in via $oif
> #
> # Divert all packets through natd
>  $fwcmd add divert natd all from any to any via $oif
> #
> # Allow all established connections to persist (setup required
> # for new connections).
>  $fwcmd add allow tcp from any to any established
> #
> # Allow incomming requests to reach the following services:
> # To allow multiple services you may list them separated
> # by a coma, for example ...to $oip 22,25,110,80 setup
>  $fwcmd add allow tcp from any to $oip 22 setup
> #
> # NOTE: you may have to change your client to passive or active mode
> #  to get ftp to work once enabled, only ssh enabled by default.
> # 21:ftp
> # 22:ssh  enabled by default
> # 23:telnet
> # 25:smtp
> # 110:pop
> # 143:imap
> # 80:http
> # 443:ssl
> #
> # Allow icmp packets for diagnostic purposes (ping traceroute)
> # you may wish to leave commented out.
> # $fwcmd add allow icmp from any to any
> #
> # Allow required ICMP
>  $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
> #
> # Allow DNS traffic from internet to query your DNS (for reverse
> # lookups etc).
>  $fwcmd add allow udp from any 53 to $ns1 53
> #
> # Allow time update traffic
> # $fwcmd add allow udp from $ntp 123 to $oip 123
> #
> # Checks packets against dynamic rule set below.
>  $fwcmd add check-state
> #
> # Allow any traffic from firewall ip to any going out the
> # external interface
>  $fwcmd add allow ip from $oip to any keep-state out via $oif
> #
> # Allow any traffic from local network to any passing through the
> # internal interface
>  $fwcmd add allow ip from $inwr to any keep-state via $iif
> #
> # Deny everything else
>  $fwcmd add 65435 deny log ip from any to any
> #
> #####################################################
> #
> # End firewall script.
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000d01c0cfd5$de1f70c0$0201a8c0>