Date: Sat, 4 Aug 2001 04:28:17 -0500 (CDT)
From: Douglas Carmichael <dcarmich@ourservers.net>
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Can't access the Internet from behind a 192.168.1.x net using natd
Message-ID: <200108040928.f749SH400571@nightfly.ourservers.net>
Version: 4.3-RELEASE
Scenario:
tun0 - user-PPP based connection via a modem, IP: 205.253.153.129
xl0 - local Ethernet, IP: 192.168.1.1 (client IP: 192.168.1.2)
I bring up the PPP interface with ppp -auto xnet (my system name in
/etc/ppp/ppp.conf) and I can access the net both locally from the FreeBSD
system and from my Ethernet-attached client after a 'nat enable yes'
command. However, even if I dial from the ppp command prompt and _then_
start natd (i.e. 'natd -dynamic -interface tun0 -unregistered_only'), no
packets go across the external interface.
Here's one set of firewall rules I tried:
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
###########################
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
# gateway_enable="YES"
# firewall_enable="YES"
# firewall_script="/etc/rc.firewall.current"
# natd_enable="YES"
# natd_interface="***" #replace with your external ifX
# natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="tun0" #set to outside interface name
oip="205.253.153.129" #set to outside ip address
iif="xl0" #set to internal interface name
inwr="192.168.1.0/24" #set to internal network range
iip="192.168.1.1" #set to internal ip address
ns1="198.147.221.34" #set to primary name server best if = oif
#ntp="i.j.k.l" #set to ip of NTP server or leave as is
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
I also tried the 'client' set of rules from the default /etc/rc.firewall:
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
############
# fwcmd is defined near the top of /etc/rc.firewall; repeated here so the
# excerpt can be run on its own
fwcmd="/sbin/ipfw"
# set these to your network and netmask and ip
net="192.168.1.0"
mask="255.255.255.0"
ip="192.168.1.1"
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${ip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${ip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
None of them worked.
What could be the problem? Any comments are welcome.
PS: When I tried just using 'nat enable yes' and doing packet filtering
with the 'set filter' commands, the filtering did not have any effect.
(i.e. I could still telnet out even after filtering TCP port 23.)
Any ideas?
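A condensed simulation of the first ruleset, written in Python as an added example (not code from the post): it walks a LAN client's outbound packet and its reply through the rules the way ipfw does, including the second pass after natd has translated the packet, and shows that the anti-spoofing rules still catch a forged inside address arriving on tun0. Rule order, interface names and addresses are the ones from the post; ports and protocols are left out of the model.

```python
import ipaddress as ipa
# Interface names and addresses are the ones given in the post.
OIF, IIF, OIP, INWR = "tun0", "xl0", "205.253.153.129", "192.168.1.0/24"
# Condensed model of the quoted stateful NAT ruleset, in the post's order:
# (action, src spec, dst spec, direction or None, interface or None).
RULES = [
    ("deny", INWR, "any", "in", OIF),           # inside range arriving from outside
    ("deny", "!" + INWR, "any", "in", IIF),     # foreign source on the inside iface
    ("divert", "any", "any", None, OIF),        # natd on the outside interface
    ("check-state", "any", "any", None, None),  # consult dynamic rules
    ("allow+keep", OIP, "any", "out", OIF),     # the firewall host itself
    ("allow+keep", INWR, "any", None, IIF),     # LAN clients on the inside iface
    ("deny", "any", "any", None, None),         # default deny
]
def net_match(spec, addr):
    if spec == "any":
        return True
    hit = ipa.ip_address(addr) in ipa.ip_network(spec.lstrip("!"), strict=False)
    return hit != spec.startswith("!")
def walk(pkt, state, nat):
    # First-match walk. A divert hit rewrites the packet the way natd would and
    # then continues at the next rule, which is where ipfw re-enters it.
    for act, src, dst, d, iface in RULES:
        if (d and d != pkt["dir"]) or (iface and iface != pkt["iface"]):
            continue
        if not (net_match(src, pkt["src"]) and net_match(dst, pkt["dst"])):
            continue
        if act == "divert":
            if pkt["dir"] == "out" and pkt["src"] != OIP:
                nat[pkt["dst"]] = pkt["src"]  # remember the inside host per peer
                pkt["src"] = OIP
            elif pkt["dir"] == "in" and pkt["dst"] == OIP and pkt["src"] in nat:
                pkt["dst"] = nat[pkt["src"]]
        elif act == "check-state":
            if (pkt["src"], pkt["dst"]) in state or (pkt["dst"], pkt["src"]) in state:
                return "allow"
        elif act == "allow+keep":
            state.add((pkt["src"], pkt["dst"]))
            return "allow"
        else:
            return act
    return "deny"

def client_round_trip(client, peer):
    # One outbound packet from a LAN client and its reply; ipfw sees each twice.
    state, nat = set(), {}
    hops = [(client, peer, "in", IIF), (client, peer, "out", OIF),
            (peer, OIP, "in", OIF), (peer, client, "out", IIF)]
    return [walk({"src": s, "dst": t, "dir": d, "iface": i}, state, nat)
            for s, t, d, i in hops]
```

With the divert rule ahead of check-state, the reply arriving on tun0 is translated back to the client before the dynamic rule is consulted, so both legs of the round trip pass; an unsolicited packet from outside, or one claiming an inside source on tun0, is denied.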
