Date:      Mon, 16 Apr 2001 19:08:10 -0700
From:      "Michael O'Henly" <michael@tenzo.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw vs. domestic tranquility...
Message-ID:  <01041619081002.21220@h24-69-46-74.gv.shawcable.net>

I've borrowed from several sources to cobble together a useful firewall with 
NAT and it _almost_ works.  ;-)

My FreeBSD box has two NICs: the external NIC is assigned an IP via DHCP and 
the internal NIC I've arbitrarily assigned 192.168.0.1. There are two other 
machines on the internal network.

I want my internal users to be able to do whatever they want, and external 
users to be denied all access except for the services indicated in the script.

So far, the only way this is failing is that internal users can't communicate 
with addresses out in the world. (Actually, I suspect they can send but not 
receive.) This is leading to some domestic unrest -- especially since my 
machine (the box that's acting as a gateway) has no trouble...

I've been fiddling with this thing for so long that my brain is turning to 
mush. I'd be very grateful if you could scan it and share your impressions.

Thanks.

M.

-----[ snip ]-=----

# Branch of the "case ${firewall_type} in" statement in /etc/rc.firewall,
# selected by firewall_type="TENZO" in /etc/rc.conf.  ${fwcmd} is set
# earlier in rc.firewall; ${natd_enable} and ${natd_interface} come from
# rc.conf.
[Tt][Ee][Nn][Zz][Oo])

	##############
	# Custom firewall
	##############

	# set these to your outside interface, network, netmask and ip.
	# The outside address comes from DHCP, so it is read off the interface.
	# ${onet} must be a bare address: it is combined with ${omask} as
	# ${onet}:${omask} below, and ipfw takes either addr/bits or addr:mask,
	# not both (the mask is applied to the address by ipfw, so the host
	# address is fine here).
	oif="rl0"
	onet=`ifconfig ${oif} | grep "inet " | awk '{print $2}'`
	omask="255.255.254.0"
	oip=`ifconfig ${oif} | grep "inet " | awk '{print $2}'`

	# set these to your inside interface, network, netmask and ip
	iif="xl0"
	inet="192.168.0.1/24"
	imask="255.255.255.0"
	iip="192.168.0.1"

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.

	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow anything on the internal net
	${fwcmd} add pass all from any to any via ${iif}

	# Allow anything outbound from this net
	${fwcmd} add pass all from ${onet}:${omask} to any out via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming ssh, mail, http, https 
	${fwcmd} add pass tcp from any to ${oip} 22 setup in via ${oif}
	${fwcmd} add pass tcp from any to ${oip} 25 setup in via ${oif}
	${fwcmd} add pass tcp from any to ${oip} 80 setup in via ${oif}
	${fwcmd} add pass tcp from any to ${oip} 443 setup in via ${oif}

	# Deny inbound auth and netbios without logging
	${fwcmd} add deny tcp from any to ${oip} 113 setup in via ${oif}
	${fwcmd} add deny tcp from any to ${oip} 139 setup in via ${oif}

	# Deny some chatty UDP broadcast protocols without logging
	${fwcmd} add deny udp from any 137 to any in via ${oif}
	${fwcmd} add deny udp from any 138 to any in via ${oif}
	${fwcmd} add deny udp from any 525 to any in via ${oif}
	
	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world.  By the time a reply reaches
	# these rules it has already passed the divert rule above, so a reply
	# for an internal host is addressed to 192.168.0.x, not to ${oip};
	# match the internal net as well or the internal hosts never get
	# their answers.
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from any 53 to ${inet}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world (same natd(8) consideration)
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from any 123 to ${inet}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

-- 
Michael O'Henly
TENZO Design
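The symptom in the post (internal hosts appear to send but never receive) is what a ruleset that matches on `${oip}` after the natd divert rule produces: natd rewrites the destination of an inbound reply to the private address before the later rules see it, so `pass udp from any 53 to ${oip}` never matches a reply bound for 192.168.0.x. The following is an added illustration, not part of the post and not ipfw itself: a miniature model of the rule walk that implements only the keywords the posted rules use (proto, from/to with ports, in/out, via) plus the divert step, and traces one DNS lookup from an internal host through both the posted DNS rules and a variant that also matches `${inet}`. The outside address 203.0.113.10/23 and the resolver 198.51.100.53 are constructed documentation addresses, and the NAT table keeps source ports unchanged, which is a simplification of natd.

```python
"""Model of ipfw's first-match rule walk with a natd(8) divert rule.

Added example, not ipfw: it reproduces only the matching keywords used in
the posted ruleset and a simplified natd that never rewrites ports.
"""
import ipaddress
from dataclasses import dataclass, replace

OIF, IIF = "rl0", "xl0"
OIP = "203.0.113.10"          # constructed: DHCP-assigned outside address (${oip})
ONET = "203.0.112.0/23"       # constructed: ${onet}:${omask} from the post
INET = "192.168.0.0/24"       # ${inet} from the post
RESOLVER = "198.51.100.53"    # constructed: an external DNS server


@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str        # interface the packet is seen on ("via")
    direction: str    # "in" or "out"


def addr_match(addr, spec):
    """ipfw address spec: 'any', a host, or a network in prefix notation."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule(action, proto="all", src="any", sport=None, dst="any", dport=None, via=None, direction=None):
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, via=via, direction=direction)


def matches(r, p):
    return (r["proto"] in ("all", p.proto)
            and addr_match(p.src, r["src"]) and addr_match(p.dst, r["dst"])
            and (r["sport"] is None or r["sport"] == p.sport)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["via"] is None or r["via"] == p.iface)
            and (r["direction"] is None or r["direction"] == p.direction))


def natd(p, table):
    """Simplified natd -interface rl0: private source going out becomes OIP;
    a packet coming in to OIP is handed back to the recorded private host."""
    if p.direction == "out" and p.iface == OIF and addr_match(p.src, INET):
        table[(p.proto, p.sport, p.dst, p.dport)] = p.src
        return replace(p, src=OIP)
    if p.direction == "in" and p.iface == OIF and p.dst == OIP:
        inner = table.get((p.proto, p.dport, p.src, p.sport))
        if inner:
            return replace(p, dst=inner)
    return p


def walk(rules, p, table):
    """First-match walk; returns (verdict, rule index, packet as the deciding rule saw it)."""
    for i, r in enumerate(rules):
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd(p, table)      # every later rule sees the translated packet
            continue
        return r["action"], i, p
    return "deny", "default", p     # kernel without IPFIREWALL_DEFAULT_TO_ACCEPT


def ruleset(dns_reply_dst):
    """The rules from the post that a DNS lookup can touch, in the posted order."""
    return [
        rule("deny", dst="192.168.0.0/16", via=OIF),             # RFC1918 "to", before natd
        rule("divert", via=OIF),                                   # divert natd
        rule("deny", src="192.168.0.0/16", via=OIF),               # RFC1918 "from", after natd
        rule("pass", via=IIF),                                     # anything on the inside
        rule("pass", src=ONET, via=OIF, direction="out"),          # anything out from our net
        rule("pass", proto="udp", sport=53, dst=dns_reply_dst),    # DNS replies
        rule("pass", proto="udp", src=OIP, dport=53),              # DNS queries
    ]


POSTED = ruleset(OIP)    # replies must be addressed to ${oip}: only the gateway's own lookups
WIDENED = ruleset(INET)  # replies matched on the private net, i.e. after natd rewrote dst


def dns_lookup(rules):
    """Trace one query/reply pair from 192.168.0.2 through all four hops of the
    gateway and return (verdict, deciding rule) per hop, stopping at a deny."""
    table, out = {}, []
    query = Pkt("udp", "192.168.0.2", 1025, RESOLVER, 53, IIF, "in")
    for p in (query, replace(query, iface=OIF, direction="out")):
        verdict, idx, _ = walk(rules, p, table)
        out.append((verdict, idx))
        if verdict == "deny":
            return out
    reply = Pkt("udp", RESOLVER, 53, OIP, 1025, OIF, "in")
    verdict, idx, seen = walk(rules, reply, table)   # 'seen' has dst rewritten by natd
    out.append((verdict, idx))
    if verdict == "deny":
        return out
    verdict, idx, _ = walk(rules, replace(seen, iface=IIF, direction="out"), table)
    out.append((verdict, idx))
    return out


if __name__ == "__main__":
    print("posted :", dns_lookup(POSTED))
    print("widened:", dns_lookup(WIDENED))
```

With the posted rules the query leaves the box (rules 3 and 4 in the model) and the reply dies at the default deny, because rule 5 compares the already-translated destination 192.168.0.2 against the outside address; widening the reply rule to the internal net lets the reply through and the inside `via xl0` rule then delivers it. The same reasoning applies to the NTP rules and to any other rule placed after the divert that names `${oip}` as a destination.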
