From owner-freebsd-security Sat Sep 8 22:14:11 2001
From: "Klik"
Subject: Re: ipfw + natd woes
Date: Mon, 9 Jul 2001 01:14:01 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

Here is some more info on the setup, sorry about the incomplete post...

extra kernel options:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options DUMMYNET

results of netstat -nr:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0

# firewall ruleset

#!/bin/sh

/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out

I tried all of these without the 'established' and 'setup' - no change

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0
#nat line
/sbin/ipfw add divert natd all from any to any via rl0

/etc/rc.conf:
network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

natd: flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.

----- Original Message -----
From: Klik
To: freebsd-security@freebsd.org
Sent: Sunday, July 08, 2001 10:55 PM
Subject: ipfw + natd woes

Hello,

I'm having trouble setting up my ipfw firewall with a default rule of deny while using natd.. My setup is as follows:

Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

natd flags: -m -s -n nic1

If I remove the 'allow ip from any to any' rule and add a bunch of permit statements for DNS, HTTP, IRC, etc.. The packets will only go to the FreeBSD machine. None of the machines on the local network are able to access the outside world. I've read the past threads about ipfw and natd, the natd and ipfw man pages ...I'm about to pull my hair out

Any help would be greatly appreciated
Greg
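A toy model of the ipfw/natd rule-order interaction the thread is about, added here as an illustration and not part of the original post or any reply. The packet fields, the natd stand-in, the two rulesets and the addresses are all assumptions constructed for the model.

```python
# Toy model of ipfw first-match evaluation around a "divert natd" rule. Added
# illustration, not the poster's ruleset or a reply from the thread. Assumed
# simplifications: natd masquerades LAN sources behind the outside address on
# the way out and maps replies back to one LAN client on the way in; after
# natd re-injects a packet, ipfw resumes at the rule after the divert.
from dataclasses import dataclass, replace

WAN = "216.164.28.50"     # constructed public address for rl0
CLIENT = "192.168.1.3"    # the LAN host seen in the poster's routing table
@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int
    direction: str        # "in" or "out"
    iface: str            # "rl0" outside, "ed1" inside
    setup: bool           # True for a bare SYN ("setup"), False for "established"
def matches(rule, p):
    # every constraint present in the rule must hold; absent keys match anything
    return all(rule[k] == getattr(p, k)
               for k in ("direction", "iface", "dport", "setup") if k in rule)

def natd(p):
    if p.direction == "out" and p.src.startswith("192.168.1."):
        return replace(p, src=WAN)      # outgoing: hide the LAN source
    if p.direction == "in" and p.dst == WAN:
        return replace(p, dst=CLIENT)   # incoming reply: back to the client
    return p

def ipfw(rules, p):
    """Returns (verdict, packet as it leaves ipfw)."""
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd(p)                 # re-injected; continue with next rule
            continue
        return r["action"], p
    return "deny", p                    # default rule on a default-to-deny kernel

DIVERT_LAST = [                         # the shape of the poster's script
    {"action": "permit", "direction": "out", "iface": "rl0", "dport": 80, "setup": True},
    {"action": "permit", "direction": "in", "iface": "rl0", "setup": False},
    {"action": "divert", "iface": "rl0"},
]
DIVERT_FIRST = DIVERT_LAST[2:] + DIVERT_LAST[:2]
def lan_client_to_web(rules):
    """A LAN host's SYN to a web server, seen on its way out via rl0."""
    return ipfw(rules, Pkt(CLIENT, 1025, "198.51.100.7", 80, "out", "rl0", True))
def web_reply(rules):
    """The server's reply, addressed to the gateway's public address."""
    return ipfw(rules, Pkt("198.51.100.7", 80, WAN, 1025, "in", "rl0", False))
```

In the model's divert-last ordering a LAN packet is permitted by an earlier rule and leaves ipfw with its private source address untouched, and the reply is delivered to the gateway's own address; with the divert rule first, both directions are translated before any permit rule sees them.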