Date:      Mon, 19 Oct 1998 22:05:22 -0400
From:      "Matt Prigge" <prigge@bucknell.edu>
To:        "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject:   Help! Natd & ipfw
Message-ID:  <070701bdfbce$1848c960$28735286@prigge.resnet.bucknell.edu>

Hi everyone!  I am trying to set up a firewall on FreeBSD 2.2.7 using natd
and ipfw. I have been using the "OPEN" setting successfully for quite a
while, but due to the increasing importance of security in this application
I am trying to tighten things down a bit. I made up this rc.firewall using
bits and pieces of the SIMPLE rc.firewall that is provided with ipfw. The
problem is that when the server tries to respond to a TCP setup packet for
any type of connection (ssh, popmail, and telnet in this case) it responds
with a "natd: failed to write packet back (Permission denied)" error to the
console. I have all of the kernel options that are required installed and
working, so that is not the problem. I have attached a copy of my
rc.firewall and a snippet of the /var/log/messages log that shows the sort
of thing that I'm talking about. I hope someone can help as this is getting
more frustrating the more I work with it. Mailing me directly is fine.
Thanks!

-Matt Prigge

(Note that each time there is an inbound connection, natd routes it
correctly and one would assume that everything gets to where it's supposed to
go. On the other hand, when an outbound packet is sent from the firewall,
natd issues an error. I tried to fix this with the "$fwcmd add pass all from
any to any out via ${oif}" line of rc.firewall, but that didn't do the trick.
Also note that most of the IP addresses here are fake; in the real log and
real rc.firewall they are correct.)

START-----/var/log/messages:
Oct 19 20:07:41 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.82.115.40:2336 888.166.82.122:22 in via ep0
Oct 19 20:07:50 firewall last message repeated 6 times
Oct 19 20:07:51 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.28.193.192:1716 888.166.82.122:110 in via ep0
Oct 19 20:07:54 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.28.193.192:1716 888.166.82.122:110 in via ep0
Oct 19 20:07:55 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2336 out via ep0
Oct 19 20:07:55 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2335 out via ep0
Oct 19 20:07:55 firewall natd: failed to write packet back (Permission denied)
Oct 19 20:07:55 firewall natd: failed to write packet back (Permission denied)
Oct 19 20:07:58 firewall /kernel: ipfw: 100 Divert 8668 ICMP:8.0 888.97.16.3 888.166.82.122 in via ep0
Oct 19 20:08:04 firewall last message repeated 6 times
Oct 19 20:08:18 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.97.16.3:4575 888.166.82.122:23 in via ep0
Oct 19 20:08:24 firewall last message repeated 2 times
Oct 19 20:08:59 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2336 out via ep0
Oct 19 20:08:59 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2335 out via ep0
Oct 19 20:08:59 firewall natd: failed to write packet back (Permission denied)
Oct 19 20:08:59 firewall natd: failed to write packet back (Permission denied)
END-----/var/log/messages


(Note that almost every line has a "log" statement in it. I was doing that
to try to track down where the problem was occurring. No luck. It always dies
on line 100.)
START-----/etc/rc.firewall
################
# Custom Setup file for Firewall
# Matt Prigge - 10-17-98
#

if [ -f /etc/rc.conf ]; then
        . /etc/rc.conf
fi

###############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
        fwcmd="/sbin/ipfw -q"
else
        fwcmd="/sbin/ipfw"
fi

# Flush the list out before we begin
    $fwcmd -f flush

# Divert everything to NATD before it is processed by the rest
    $fwcmd add 100 divert natd log all from any to any via ep0

# Only in rare cases do you want to change these rules
    $fwcmd add 200 pass all from any to any via lo0
    $fwcmd add 300 deny all from any to 127.0.0.0/8

# set these to your outside interface network and netmask and ip
    oif="ep0"
    onet="888.166.82.120"
    omask="255.255.255.248"
    oip="888.166.82.122"

# set these to your inside interface network and netmask and ip
    iif="ep1"
    inet="172.16.0.0"
    imask="255.255.255.0"
    iip="172.16.0.1"

# Stop spoofing attempts
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Disallow ICMP
    $fwcmd add deny log icmp from any to any

# Allow anything into the internal or out the external interface
# This was put here as a last ditch. I don't think it's needed, but hey..
    $fwcmd add pass log all from any to any in via ${iif}
    $fwcmd add pass log all from any to any out via ${oif}

# Allow TCP through if setup succeeded
    $fwcmd add pass log tcp from any to any established

# Allow setup of incoming and outgoing FTP
    $fwcmd add pass log tcp from any to ${oip} 21 setup

# Allow setup of incoming SSH
    $fwcmd add pass log tcp from any to ${oip} 22 setup

# Allow setup of incoming email (smtp)
    $fwcmd add pass log tcp from any to ${oip} 25 setup

# Allow setup of incoming email (pop3)
    $fwcmd add pass log tcp from any to ${oip} 110 setup

# Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

# This was put here to log denials for debugging purposes
    $fwcmd add 65000 deny log all from any to any

# Everything else is denied as default.
#
END----/etc/rc.firewall


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
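An added example, not part of the post or of FreeBSD: a small Python script that correlates the ipfw log lines above with natd's write failures (a "failed to write packet back (Permission denied)" means ipfw refused the packet natd re-injected after rule 100) and then lists the deny rules in the posted rc.firewall that carry no `log` keyword, which are the only rules that could have dropped that packet without leaving a trace in /var/log/messages. The sample inputs are constructed from the post's own log and rules, with the mail wrapping undone.

```python
import re
# Constructed sample input: the post's /var/log/messages excerpt with the
# mail wrapping undone (the 888.x addresses are the poster's placeholders).
SAMPLE_LOG = """\
Oct 19 20:07:41 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.82.115.40:2336 888.166.82.122:22 in via ep0
Oct 19 20:07:55 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2336 out via ep0
Oct 19 20:07:55 firewall /kernel: ipfw: 100 Divert 8668 TCP 888.166.82.122:22 888.82.115.40:2335 out via ep0
Oct 19 20:07:55 firewall natd: failed to write packet back (Permission denied)
Oct 19 20:07:55 firewall natd: failed to write packet back (Permission denied)
Oct 19 20:07:58 firewall /kernel: ipfw: 100 Divert 8668 ICMP:8.0 888.97.16.3 888.166.82.122 in via ep0
"""

# Constructed excerpt of the posted rc.firewall (same rule syntax, fewer rules).
SAMPLE_RULES = """\
    $fwcmd add 100 divert natd log all from any to any via ep0
    $fwcmd add 300 deny all from any to 127.0.0.0/8
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny log icmp from any to any
    $fwcmd add pass log all from any to any out via ${oif}
"""
# ipfw log line: rule, action, optional action argument (the divert port),
# protocol, source, destination, direction and interface.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ /kernel: ipfw: (?P<rule>\d+) (?P<action>\w+)"
    r"(?: (?P<arg>\d+))? (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)
NATD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ natd: failed to write packet back \((?P<err>[^)]+)\)$")

def parse_log(text):
    """Split syslog text into ipfw packet records and natd write errors."""
    packets, errors = [], []
    for line in text.splitlines():
        m = IPFW_RE.match(line) or NATD_RE.match(line)
        if m is not None:
            (packets if "rule" in m.groupdict() else errors).append(m.groupdict())
    return packets, errors

def failed_reinjections(text):
    """Pair each natd write failure with the diverted packets logged in the
    same second; the re-injected copy of one of them was refused by ipfw."""
    packets, errors = parse_log(text)
    return [(e["err"], [(p["dir"], p["src"], p["dst"]) for p in packets
                        if p["ts"] == e["ts"] and p["action"] == "Divert"])
            for e in errors]

def silent_deny_rules(rules_text):
    """Deny rules lacking 'log': the only ones that drop without an ipfw Deny line."""
    return [ln.strip() for ln in rules_text.splitlines()
            if re.match(r"\s*\$fwcmd add (\d+ )?deny ", ln) and " log " not in ln]
```

Run against the full posted rc.firewall, `silent_deny_rules` narrows the search to rule 300, the two anti-spoofing rules and the six RFC1918 rules, which is where one would add `log` next.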
