Date: Tue, 8 Dec 1998 03:09:26 -0500
From: Mark Mayo <mark@vmunix.com>
To: questions@FreeBSD.ORG
Subject: NATD + firewall - I'm stumped..
Message-ID: <19981208030926.A25214@vmunix.com>
Hi all. I've been trying to get what I thought would be a trivial gateway to the net set up. I have a very simple setup - a P133 with two interfaces: ed1 and de0.

ed1 is plugged into my cable modem with a static IP - 24.112.137.146
de0 is plugged into my hub on the internal network - 192.168.4.1

Naturally, I want my internal machines on the 192.168.4.1/24 network to be able to use the FreeBSD box as their NAT gateway. This is a 3.0-RELEASE box, with IPDIVERT, IPFIREWALL kernel options. GATEWAY=YES

Using a very simple ruleset like:

/sbin/ipfw add divert natd all from any to any via ed1
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8
/sbin/ipfw add 65000 pass all from any to any

Accompanied by "natd -n ed1" works nicely, and the NAT functions. The actual NAT box can get to both networks fine, and the internal machines also get access as expected.

Naturally, I'd like to give a little more protection to the "router" box, but as soon as I try to do anything without the "add 65000 pass all from any to any" rule NAT just doesn't seem to want to go. Obviously, I'm doing something wrong and missing some key fundamental here, but no matter how many ways I play with the rules it beats me every time.

Using the ruleset below, which makes sense at least in my mind, I can get to the point where the router is open on the inside, and from the actual router I can make connections to the outside world just fine, and incoming connections are rejected. In short everything is just how I'd like and expect it to be, with the one notable exception that packets simply aren't getting through the NAT part so my internal machines can't get to the internet. The "65534 deny all from any to any" ruleset is killing the packets.. I'm stumped. What do I need to get this thing running correctly? :-)

TIA to anyone that can lift my ignorance..

-Mark

#---------------------------------------------------------------------
# Firewall by Mark...
# summary: allow all traffic on the inside net, block nearly all
# incoming traffic on the outside interface (internet), do NAT for
# internal machine to access internet
#
# inside interface: de0
# outside interface: ed1

# outside and inside IPs
oip="24.112.137.146"
iip="192.168.4.1"

/sbin/ipfw -f flush

# Allow NAT to examine packets first
/sbin/ipfw add divert natd all from any to any via ed1

# Setup loopback interface + interior interface
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed1
/sbin/ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ed1
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ed1
/sbin/ipfw add deny all from any to 172.16.0.0:255.240.0.0 via ed1
/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ed1
/sbin/ipfw add deny all from any to 10.0.0.0:255.0.0.0 via ed1

# Allow all traffic to pass - i.e. open the door!
#/sbin/ipfw add 65000 pass all from any to any

# Allow established connections through (i.e. setup from the inside)
# TCP goes through if setup succeeded
/sbin/ipfw add pass all from any to any out xmit ed1
/sbin/ipfw add pass tcp from any to any established

# Allow traffic on my own net
/sbin/ipfw add pass all from 192.168.4.0/24 to ${iip}
/sbin/ipfw add pass all from ${iip} to 192.168.4.0/24

# Allow access to my SSH port for remote access
/sbin/ipfw add pass tcp from any to ${oip} 22 setup

# Reset connections on the ident ports to prevent timeouts
/sbin/ipfw add reset tcp from any to ${oip} 113

# Reject & Log all setup of incoming connections from the outside
#/sbin/ipfw add deny log tcp from any to any in via ed1 setup
#/sbin/ipfw add deny log tcp from any to any in recv ed1 setup
/sbin/ipfw add deny log tcp from any to ${oip} setup

# Allow DNS queries out into the world
/sbin/ipfw add pass udp from any 53 to ${oip}
/sbin/ipfw add pass udp from ${oip} to any 53

# Everything else is denied by default

-- 
------------------------------------------------------------------------
Mark Mayo mark@vmunix.com
RingZero Comp. http://www.vmunix.com/mark
------------------------------------------------------------------------
"The Church says the earth is flat. But I know it's round, for I have seen the shadow on the moon. And I have more faith in a shadow than in the Church." - Ferdinand Magellan
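Editor's note (not part of the original message, and not ipfw or the poster's script): the thing to see in a ruleset like the one above is that a forwarded connection crosses the rules four times (in on de0, out on ed1, reply in on ed1, out on de0), and that a divert rule hands the packet to natd and then resumes at the next rule with the translated addresses. The toy walker below models just enough 3.x ipfw semantics to trace one forwarded TCP connection through an abridged copy of the page's rules, and then through a reordered set where the RFC1918 anti-spoof checks are restricted to inbound packets and placed before the divert (so they examine the untranslated packet) and forwarded traffic from the inside net is admitted on de0. The reordered set, the natd stand-in, the modelling of `via` (transmit interface on output, receive interface on input) and the hosts 192.168.4.10 and 198.51.100.7 are all assumptions of this example; it generalises the page's case to the four-pass view rather than the single rule the poster mentions.

```python
"""Toy walker for the ipfw ruleset on this page, with a natd divert step.
Added example: not the poster's script and not ipfw itself. Rules are an abridged
copy of the page's set with the shell variables expanded; the hosts 192.168.4.10
and 198.51.100.7 are constructed samples."""
import ipaddress

OIP, IIP = "24.112.137.146", "192.168.4.1"
# Abridged: the 172.16/12, 10/8, ssh, ident and DNS rules are left out; they
# do not change what happens to the forwarded flow traced below.
ORIGINAL = [
    "divert natd all from any to any via ed1",
    "pass all from any to any via lo0",
    "deny all from any to 127.0.0.0/8",
    "deny all from 192.168.0.0:255.255.0.0 to any via ed1",
    "deny all from any to 192.168.0.0:255.255.0.0 via ed1",
    "pass all from any to any out xmit ed1",
    "pass tcp from any to any established",
    f"pass all from 192.168.4.0/24 to {IIP}",
    f"pass all from {IIP} to 192.168.4.0/24",
]
# Same policy, reordered (an assumption of this example): anti-spoof checks see
# the still-untranslated inbound packet before natd, and forwarded traffic from
# the inside net is admitted on de0 (the original only passed traffic to the router).
FIXED = [
    "deny all from 192.168.0.0:255.255.0.0 to any in recv ed1",
    "deny all from any to 192.168.0.0:255.255.0.0 in recv ed1",
    "divert natd all from any to any via ed1",
    "pass all from 192.168.4.0/24 to any in recv de0",
] + ORIGINAL[1:3] + ORIGINAL[5:]

def net(tok):  # 'any' -> None; 'a.b.c.d[/n]' or old-style 'a.b.c.d:mask' -> network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse(text):
    """Parse the subset of 3.x ipfw syntax used above into a match dict."""
    t = text.split()
    i = 2 if t[0] == "divert" else 1                  # skip the natd port name
    r = {"action": t[0], "proto": t[i], "src": net(t[i + 2]), "dst": net(t[i + 4]),
         "iface": None, "ifmode": "via", "dir": None, "setup": False, "established": False}
    i += 5                                            # past 'from A to B'
    while i < len(t):
        if t[i] in ("via", "recv", "xmit"):
            r["ifmode"], r["iface"], i = t[i], t[i + 1], i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        else:                                         # 'setup' or 'established'
            r[t[i]], i = True, i + 1
    return r

def matches(r, p):
    """Modelled semantics: 'via' tests the transmit interface on output and the
    receive interface on input; 'recv'/'xmit' test one side only."""
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    for side in ("src", "dst"):
        if r[side] is not None and ipaddress.ip_address(p[side]) not in r[side]:
            return False
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    seen = {"via": p["xmit"] or p["recv"], "recv": p["recv"], "xmit": p["xmit"]}
    if r["iface"] and r["iface"] != seen[r["ifmode"]]:
        return False
    return (p["setup"] or not r["setup"]) and (p["established"] or not r["established"])

def natd(p, table):
    """Crude stand-in for 'natd -n ed1': alias src going out ed1, undo it on dst coming in."""
    if p["xmit"] == "ed1" and p["src"] != OIP:
        port = table.setdefault((p["src"], p["sport"]), 1024 + len(table))
        p["src"], p["sport"] = OIP, port
    elif p["recv"] == "ed1" and p["xmit"] is None:
        for (ip, sport), port in table.items():
            if port == p["dport"]:
                p["dst"], p["dport"] = ip, sport

def walk(rules, p, table):
    """(action, rule) of the first terminal match; a divert translates and keeps walking."""
    p = dict(p)
    for text in rules:
        r = parse(text)
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            natd(p, table)
            continue
        return r["action"], text
    return "deny", "65535 deny ip from any to any"    # ipfw's built-in default

def trace_flow(rules):
    """One TCP connection 192.168.4.10:40000 -> 198.51.100.7:80 through the gateway.
    Each of the four ipfw passes is walked on its own so every drop shows."""
    syn = {"proto": "tcp", "src": "192.168.4.10", "sport": 40000,
           "dst": "198.51.100.7", "dport": 80, "setup": True, "established": False}
    ack = {"proto": "tcp", "src": "198.51.100.7", "sport": 80,
           "dst": OIP, "dport": 1024, "setup": False, "established": True}
    table = {}
    return {
        "de0 in":  walk(rules, {**syn, "dir": "in", "recv": "de0", "xmit": None}, table),
        "ed1 out": walk(rules, {**syn, "dir": "out", "recv": "de0", "xmit": "ed1"}, table),
        "ed1 in":  walk(rules, {**ack, "dir": "in", "recv": "ed1", "xmit": None}, table),
        "de0 out": walk(rules, {**ack, "dir": "out", "recv": "ed1", "xmit": "de0",
                                "dst": "192.168.4.10", "dport": 40000}, table),
    }
```

Running `trace_flow(ORIGINAL)` shows two drops on the forwarded flow: the SYN arriving on de0 reaches the default rule (nothing passes forwarded inside traffic, only traffic to and from the router address), and the reply arriving on ed1 is rewritten by natd to an inside address and then caught by the "to 192.168.0.0/16 via ed1" rule that follows the divert. With `trace_flow(FIXED)` all four passes succeed while the anti-spoof checks still reject forged RFC1918 sources on ed1, because they now run on the inbound packet before translation.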