Date: 23 Nov 99 09:16:28 EST
From: Tom parquette <tparquet@netscape.net>
To: freebsd-questions@freebsd.org
Subject: Stumped setting up NATD and firewall support
Message-ID: <19991123141628.9875.qmail@wwcst088.netaddress.usa.net>
Hi,
I'm new to FreeBSD and I have not worked with UNIX before so I've had some
successes and lots of learning experiences. NATD now has me stumped.
I am trying to convince my wife and talk my manager into allowing me to
replace the company provided analog phone line with Road Runner. Before I
can comfortably do that, I want to put up a firewall/NATD machine. In other
words, protect my infant home network.
Before someone says something, all of the hardware and networks described do
not leave my den. I'm using the 24.0.0.0 network because I know Time Warner
uses it in this area and I want to simulate the production environment.
Test environment:
I have my initial FreeBSD machine (called Upstream) simulating the Road
Runner network (address 24.0.0.1), connected via a 10base-T crossover
cable to my firewall/NATD machine, called Cerberus, which has DHCPC running
on the ep0 interface. Upstream is running DHCPS and correctly assigns
24.0.0.11 as the IP address. Pings in both directions work as expected.
On the 'inside' of my firewall I have two 10Base-2 segments.
192.168.0.0/255.255.255.224 (ep1) and 192.168.0.32/255.255.255.224 (ep2).
The ep1 and ep2 interfaces are set up for DHCPS. Both segments assign
addresses as expected and pings in both directions work as expected. (I can
only test with my OS/2 Warp V4 laptop due to lack of PCs. In other words, I
cannot ping from an address on ep1 to an address on ep2.) For the rest of
this example I will use 192.168.0.11 as the laptop address.
From my laptop I can ping 192.168.0.1 (Cerberus' ep1) and I can ping
24.0.0.11 (Cerberus' DHCP assigned ep0 address.) I cannot ping 'Upstream'
unless I manually add a route to 192.168.0.0 using 24.0.0.11 as the next hop.
Once I manually add the route, pings work in both directions.
All of this is done with NATD active and the firewall set to 'open'.
The problem:
All the pings are rejected with the firewall set to 'simple'. I already know
I have rules that I have to work on. My goal right now is to get the NATD
code working. Based on my work to date, it appears that NATD is not changing
the IP addresses. (e.g. Having to manually add the 192.160.0.0 route.)
I have reviewed IP aliasing in V3 of The Complete FreeBSD and the NATD man
page. I also searched the web site and I didn't find anything that helped
me.
No errors appear in /var/log/messages and /etc/alias.log is empty. When I
issue natd -verbose -config /etc/natd.conf from root's command line, nothing
is displayed. When I allow the rc scripts to bring the machine up, something
flashes by that looks like it might be command syntax (similar to the
response you get sometimes when you mumblefinger a command line parm.) It
goes by too fast to read. Again, nothing appears in the logs that I can
find.
I'm attaching what I believe to be all the associated files.
Any help would be appreciated.
Cheers...
Tom
*** Start of configuration files ***
My /ETC/NATD.CONF file:
# /etc/natd.conf
log yes
deny_incoming yes
log_denied yes
dynamic yes
interface ep0
My /ETC/RC.FIREWALL file:
# /etc/rc.firewall
if [ -f /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
. /etc/rc.conf
fi
#
if [ "x$1" != "x" ]; then
firewall_type=$1
fi
#
if [ "x$firewall_quiet" = "xYES" ]; then
fwcmd="/sbin/ipfw -q"
else
fwcmd="/sbin/ipfw"
fi
#
$fwcmd -f flush
#
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
$fwcmd add divert natd all from any to any via ${natd_interface}
fi
#
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
$fwcmd add 65000 pass all from any to any
elif [ "${firewall_type}" = "simple" ]; then
############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="ep0"
onet="24.0.0.0"
omask="255.000.000.000"
oip="10.0.0.11"
# set these to your inside interface network and netmask and ip
#
# ep1 (internal segment 1 (subnet 0))
iif1="ep1"
inet1="192.168.0.0"
imask1="255.255.255.224"
iip1="192.168.0.1"
#
# ep2 (internal segment 2 (subnet 1))
iif2="ep2"
inet2="192.168.0.32"
imask2="255.255.255.224"
iip2="192.168.0.33"
# Stop spoofing
$fwcmd add deny all from ${inet1}:${imask1} to any in via ${oif}
$fwcmd add deny all from ${inet2}:${imask2} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif1}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif2}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
$fwcmd add pass tcp from any to ${oip} 80 setup
# Reject & Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi
My /ETC/RC.CONF file:
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="simple"
natd_enable="NO"
natd_interface="-config /etc/natd.conf"
gateway_enable="YES"
nfs_client_enable="YES"
network_interfaces="ep1 ep2 lo0"
ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.224"
ifconfig_ep2="inet 192.168.0.34 netmask 255.255.255.224"
hostname="Cerberus.Parquette.Baldwinsville.NY.US"
ntpdate_flags="otc1.psu.edu"
ntpdate_enable="NO"
sendmail_enable="NO"
named_enable="YES"
saver="logo"
The output from a NETSTAT -RN command:
Routing tables
Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            24.0.0.1           UGSc        13       0       ep0
24/24              link#2             UC           0       0       ep0
24.0.0.1           link#2             UHLW        14      38       ep0
localhost          localhost          UH           0      27       lo0
192.168/27         link#3             UC           0       0       ep1
192.168.0.32/27    link#4             UC           0       0       ep2
*** End of configuration files ***
"Do or do not. Is no Try"--Yoda.
"Friends come and go but enemies accumulate."--me.
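Added example, not part of the original post and not FreeBSD's own code: a small Python lint that reads the kind of rc.conf, rc.firewall variable block and natd.conf posted above and reports the combinations that the posted rc.firewall itself treats as "no NAT" (natd_enable not YES; natd_interface not a plain interface name, since the script substitutes it straight into `via ${natd_interface}`), plus cross-file consistency checks (oip must lie inside onet/omask because the "simple" rules only pass mail, DNS and WWW to ${oip}; each iipN must match the ifconfig_<iif> line in rc.conf). The sample inputs are copies of the posted fragments; the finding codes, the function names and the mention of the natd_flags knob (a separate rc.conf variable for extra natd options, assumed present on this release) are this example's own.

```python
import re

# Fragments copied from the configuration files posted in the message above
# (comments dropped). The values are the poster's; the checks are this example's.
RC_CONF_POSTED = """\
firewall_enable="YES"
firewall_type="simple"
natd_enable="NO"
natd_interface="-config /etc/natd.conf"
gateway_enable="YES"
ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.224"
ifconfig_ep2="inet 192.168.0.34 netmask 255.255.255.224"
"""

RC_FIREWALL_VARS_POSTED = """\
oif="ep0"
onet="24.0.0.0"
omask="255.000.000.000"
oip="10.0.0.11"
iif1="ep1"
iip1="192.168.0.1"
iif2="ep2"
iip2="192.168.0.33"
"""

NATD_CONF_POSTED = """\
log yes
deny_incoming yes
dynamic yes
interface ep0
"""

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')
IFACE_RE = re.compile(r'^[a-z]+[0-9]+$')   # e.g. ep0, not "-config /etc/natd.conf"


def parse_sh_assignments(text):
    """Parse sh-style name="value" lines (rc.conf and the variable block of rc.firewall)."""
    out = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.split('#', 1)[0])
        if m:
            out[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return out


def parse_natd_conf(text):
    """Parse natd.conf 'option value' lines into a dict."""
    out = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)
        if parts:
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
    return out


def quad_to_int(addr):
    """Dotted quad to integer; int() accepts the zero-padded '255.000.000.000' form."""
    octets = [int(o) for o in addr.split('.')]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError('bad IPv4 address: %r' % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def check_nat_setup(rc, fw, natd):
    """Return (code, message) findings for settings that leave NAT inactive or mis-wired."""
    findings = []
    if rc.get('natd_enable', 'NO').upper() != 'YES':
        findings.append(('natd_enable',
                         'natd_enable is not YES: rc.firewall adds no divert rule and natd is not started'))
    iface = rc.get('natd_interface', '')
    if not IFACE_RE.match(iface):
        findings.append(('natd_interface',
                         'natd_interface %r is not an interface name (rc.firewall uses it as the divert '
                         'rule\'s "via" argument); natd options belong in natd_flags' % iface))
    elif natd.get('interface') and natd['interface'] != iface:
        findings.append(('natd_conf_interface',
                         'natd.conf interface %s differs from natd_interface %s' % (natd['interface'], iface)))
    if rc.get('gateway_enable', 'NO').upper() != 'YES':
        findings.append(('gateway_enable', 'gateway_enable is not YES: no forwarding between interfaces'))
    # The "simple" rules pass mail/DNS/WWW only to ${oip}, so it must be the address on ${oif}.
    try:
        net, mask, ip = (quad_to_int(fw[k]) for k in ('onet', 'omask', 'oip'))
        if ip & mask != net & mask:
            findings.append(('oip_outside_onet',
                             'oip %s is not inside onet %s/%s' % (fw['oip'], fw['onet'], fw['omask'])))
    except (KeyError, ValueError) as e:
        findings.append(('outside_vars', 'cannot check onet/omask/oip: %s' % e))
    # Inside addresses in rc.firewall must agree with the ifconfig_<if> lines in rc.conf.
    for n in ('1', '2'):
        iif, iip = fw.get('iif' + n), fw.get('iip' + n)
        if not iif or not iip:
            continue
        ifc = rc.get('ifconfig_' + iif, '').split()
        cfg_ip = ifc[ifc.index('inet') + 1] if 'inet' in ifc and ifc.index('inet') + 1 < len(ifc) else None
        if cfg_ip != iip:
            findings.append(('iip_mismatch:' + iif,
                             'rc.firewall iip%s=%s but rc.conf ifconfig_%s gives %s' % (n, iip, iif, cfg_ip)))
    return findings


def lint_posted_config():
    """Run the checks over the fragments copied from the post."""
    return check_nat_setup(parse_sh_assignments(RC_CONF_POSTED),
                           parse_sh_assignments(RC_FIREWALL_VARS_POSTED),
                           parse_natd_conf(NATD_CONF_POSTED))


if __name__ == '__main__':
    for code, msg in lint_posted_config():
        print('%-22s %s' % (code, msg))
```

Run it as a script and each finding is printed with its code; the same checks can be pointed at real files by reading them into the three parse functions. The outside-address check deliberately converts octets with int() rather than the ipaddress module, because the posted omask is written with zero-padded octets that ipaddress rejects.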
