Date: Sun, 10 Jun 2001 10:22:22 -0700
From: "Dave Atkins" <dave@atkinshome.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: RE: simple firewall is too restrictive - what have I misconfigured?
Message-ID: <001101c0f1d1$e9b891a0$0300a8c0@dave>
In-Reply-To: <000701c0f077$1e6342d0$0300a8c0@dave>
I found a lot of information, but not a specific answer to my question.

1) Apparently, there is a bug in the rc.firewall script that installs with FreeBSD. I found something at http://www.mostgraveconcern.com/freebsd/sheet.cgi?ipfw which gave me a script that I was able to use, which worked, but they didn't really explain the problem. I found other discussions of this "simple" firewall problem which said there was a fix on the FreeBSD site (where?), but then people said this made you vulnerable to spoofing. I don't know.

2) I found an awesome article--the closest thing I have found yet to a complete howto on the process of setting up a firewall, authored by Renaud Waldura, and cached by Google. Cached because Renaud's website is gone now! That article had a link to the complete set of firewall rules he used...but the link did not work and was not cached. Here is the link (in case the site comes back): http://renaud.waldura.com/doc/freebsd/firewall/

Here is the cached version: http://www.google.com/search?q=cache:ddA-praGpR4:renaud.waldura.com/doc/freebsd/firewall/+freebsd+firewall+configuration&hl=en

Bottom line is that ipfw works as advertised and the only way to make it do what you want is to really learn everything about it, then write your own firewall script. I guess that is reasonable. Oh, yeah, the other alternative is to buy a piece of crap like a "Netwinder" or a "home router", then discover that it doesn't really do Network Address Translation - only IP Masquerading or Port Forwarding.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Dave Atkins
Sent: Friday, June 08, 2001 5:00 PM
To: freebsd-questions@FreeBSD.ORG
Subject: simple firewall is too restrictive - what have I misconfigured?

I have installed the latest version (4.3-RELEASE) of FreeBSD on an old P100 box to serve as a firewall and gateway for my internal home network (DSL).
I have a set of 6 IP addresses here, but I want to put all the machines behind the firewall, then open selective ports and IP aliases to internal servers which include mail, www, and DNS. I successfully set up nat and my internal network using the "open" firewall type. When I edit rc.firewall to specify my internal and external interfaces, then rc.conf to use firewall type simple, then reboot, I lose the ability to do anything from inside my network. I get lots of messages from ipfw that say "failed to write packet back 162 permission denied". This happens while booting (as the inetd daemons are starting) and when I try to telnet from the firewall machine. If I go back to "open" firewall, everything works fine.

At the risk of prostrating myself before the world, I am including the following detailed configuration information in the hopes that someone can help...

1. First thing I did was add two lines to a custom kernel config and recompile the kernel:

options IPFIREWALL
options IPDIVERT

2. Next, I modify rc.conf (this includes changes to enable IP mapping):

# please make all changes to this file.
defaultrouter="64.121.139.65"
gateway_enable="YES"
hostname="jen.atkinshome.com"
network_interfaces="dc0 dc1"
#dc0 is internal, dc1 is external
ifconfig_dc1_alias0="inet 64.121.139.68 netmask 255.255.255.248"
#this is a webserver on my internal network, NATed to be visible from the outside
ifconfig_dc1_alias1="inet 64.121.139.66 netmask 255.255.255.248"
#this is the firewall address
ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"
#this is the firewall again, the internal interface
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="dc1"
natd_flags="-redirect_address 192.168.0.2 64.121.139.68 -interface dc1"
#this achieves the desired network address translation for the internal webserver

So far, this works fine...if you go to http://64.121.139.68, for example, you get my internal webserver running on 192.168.0.2, and if you telnet to 64.121.139.66, you get the actual firewall. Obviously, this setup provides little or no more protection than just setting my webserver on the hub with the firewall machine...so I want to tighten things up on the firewall rules, and eventually, on the firewall machine itself (shut off telnet, etc.).

So, I go to /etc/rc.firewall and make the following changes to specify my internal and external interfaces:

# set these to your outside interface network and netmask and ip
oif="dc1"
onet="64.121.139.64"
omask="255.255.255.248"
oip="64.121.139.66"

# set these to your inside interface network and netmask and ip
iif="dc0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

I was a little confused about the setting for "onet"--basically, I have the subnet from 64...64-71, so I'm assuming the .0/.248 combination is the way to mask it properly.
My gateway/router at the ISP is 54.121.139.65...I have a slipstream 5250 bridge which is my connection over DSL to the ISP.

Then, I edit rc.conf to say firewall_type="simple" and reboot. The resulting firewall rules after reboot are (ipfw list >file):

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.0.0/24 to any in recv dc1
00500 deny ip from 64.121.139.64/29 to any in recv dc0
00600 deny ip from any to 10.0.0.0/8 via dc1
00700 deny ip from any to 172.16.0.0/12 via dc1
00800 deny ip from any to 192.168.0.0/16 via dc1
00900 deny ip from any to 0.0.0.0/8 via dc1
01000 deny ip from any to 169.254.0.0/16 via dc1
01100 deny ip from any to 192.0.2.0/24 via dc1
01200 deny ip from any to 224.0.0.0/4 via dc1
01300 deny ip from any to 240.0.0.0/4 via dc1
01400 divert 8668 ip from any to any via dc1
01500 deny ip from 10.0.0.0/8 to any via dc1
01600 deny ip from 172.16.0.0/12 to any via dc1
01700 deny ip from 192.168.0.0/16 to any via dc1
01800 deny ip from 0.0.0.0/8 to any via dc1
01900 deny ip from 169.254.0.0/16 to any via dc1
02000 deny ip from 192.0.2.0/24 to any via dc1
02100 deny ip from 224.0.0.0/4 to any via dc1
02200 deny ip from 240.0.0.0/4 to any via dc1
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02500 allow tcp from any to 64.121.139.66 25 setup
02600 allow tcp from any to 64.121.139.66 53 setup
02700 allow udp from any to 64.121.139.66 53
02800 allow udp from 64.121.139.66 53 to any
02900 allow tcp from any to 64.121.139.66 80 setup
03000 deny log tcp from any to any in recv dc1 setup
03100 allow tcp from any to any setup
03200 allow udp from 64.121.139.66 to any 53 keep-state
03300 allow udp from 64.121.139.66 to any 123 keep-state
65535 deny ip from any to any

That about covers it...looks to me like there are way too many deny rules up there and no allow from [internal] to any via dc1.

Thanks!
Dave Atkins
dave@atkinshome.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
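Added example (not part of the mail above, and not FreeBSD's rc.firewall): a small Python model of ipfw's first-match rule walk, run over the "ipfw list" output Dave posted, to show which rule each kind of packet ends up hitting. It assumes the ipfw(8) semantics of the 4.x kernel: rules are tried in number order, "via" tests the interface the packet is on at that moment (the outgoing one when it is leaving, the receiving one when it is arriving), a forwarded packet is checked once on the inbound interface and again on the outbound one, and a matching divert rule hands the packet to natd, after which the rewritten packet re-enters the search at the rule following the divert. natd itself is replaced by a static stand-in for the posted "-redirect_address 192.168.0.2 64.121.139.68" mapping, the outside host 198.51.100.1 and the inside PC 192.168.0.5 are made up for the test, and fragments and keep-state dynamic rules are not modelled. Under those assumptions the walk shows three things: a UDP DNS query from an inside host matches nothing before the default deny on its inbound pass over dc0 (it never reaches the divert rule at all), a TCP SYN from the inside is NATed by 1400 and allowed by 3100, and a SYN from outside for the published web address is rewritten to 192.168.0.2 by the divert and then dropped by rule 3000.

```python
import ipaddress
from dataclasses import dataclass, replace

# Rules 600-1300 and 1500-2200 in the posting are the same eight networks, so they are
# generated; every other line is copied from the 'ipfw list' output in the mail.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]
RULESET = (
    ["00100 allow ip from any to any via lo0", "00200 deny ip from any to 127.0.0.0/8",
     "00300 deny ip from 127.0.0.0/8 to any", "00400 deny ip from 192.168.0.0/24 to any in recv dc1",
     "00500 deny ip from 64.121.139.64/29 to any in recv dc0"]
    + [f"{600 + 100 * i:05d} deny ip from any to {n} via dc1" for i, n in enumerate(BOGONS)]
    + ["01400 divert 8668 ip from any to any via dc1"]
    + [f"{1500 + 100 * i:05d} deny ip from {n} to any via dc1" for i, n in enumerate(BOGONS)]
    + ["02300 allow tcp from any to any established", "02400 allow ip from any to any frag",
       "02500 allow tcp from any to 64.121.139.66 25 setup",
       "02600 allow tcp from any to 64.121.139.66 53 setup",
       "02700 allow udp from any to 64.121.139.66 53", "02800 allow udp from 64.121.139.66 53 to any",
       "02900 allow tcp from any to 64.121.139.66 80 setup",
       "03000 deny log tcp from any to any in recv dc1 setup", "03100 allow tcp from any to any setup",
       "03200 allow udp from 64.121.139.66 to any 53 keep-state",
       "03300 allow udp from 64.121.139.66 to any 123 keep-state", "65535 deny ip from any to any"])
IFACE_OPTS = ("via", "recv", "xmit")   # the options that take an interface name

def net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_rule(line):
    """number action [divert-port] [log] proto from A [port] to B [port] option..."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "sport": None, "dport": None, "opts": {}}
    i = 3 if r["action"] == "divert" else 2         # the divert port belongs to natd, skip it
    if t[i] == "log":
        i += 1
    r["proto"], i = t[i], i + 1
    assert t[i] == "from"
    r["src"], i = net(t[i + 1]), i + 2
    if t[i].isdigit():
        r["sport"], i = int(t[i]), i + 1
    assert t[i] == "to"
    r["dst"], i = net(t[i + 1]), i + 2
    if i < len(t) and t[i].isdigit():
        r["dport"], i = int(t[i]), i + 1
    while i < len(t):
        r["opts"][t[i]] = t[i + 1] if t[i] in IFACE_OPTS else True
        i += 2 if t[i] in IFACE_OPTS else 1
    return r
RULES = [parse_rule(line) for line in RULESET]

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

def matches(r, p, direction, recv_if, xmit_if):
    """Static match. 'via' is checked against the interface the packet is on right now (xmit going
    out, recv coming in). Fragments and keep-state are not modelled: 'frag' never matches here."""
    if r["proto"] not in ("ip", p.proto):
        return False
    if ipaddress.ip_address(p.src) not in r["src"] or ipaddress.ip_address(p.dst) not in r["dst"]:
        return False
    if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
        return False
    cur = xmit_if if direction == "out" else recv_if
    checks = {"via": lambda v: v == cur, "recv": lambda v: v == recv_if, "xmit": lambda v: v == xmit_if,
              "in": lambda v: direction == "in", "out": lambda v: direction == "out",
              "setup": lambda v: p.proto == "tcp" and p.syn and not p.ack,
              "established": lambda v: p.proto == "tcp" and p.ack,      # ipfw also counts RST
              "frag": lambda v: False, "log": lambda v: True, "keep-state": lambda v: True}
    return all(checks[k](v) for k, v in r["opts"].items())

PUBLIC, WEB_PUBLIC, WEB_PRIVATE = "64.121.139.66", "64.121.139.68", "192.168.0.2"
INSIDE = ipaddress.ip_network("192.168.0.0/24")
def natd(p, direction):
    """Static stand-in for 'natd -interface dc1 -redirect_address 192.168.0.2 64.121.139.68': inside
    sources become the firewall address (the web server keeps its alias), traffic for the alias goes
    to the web server, ports are left unchanged."""
    if direction == "out" and ipaddress.ip_address(p.src) in INSIDE:
        return replace(p, src=WEB_PUBLIC if p.src == WEB_PRIVATE else PUBLIC)
    if direction == "in" and p.dst == WEB_PUBLIC:
        return replace(p, dst=WEB_PRIVATE)
    return p

def one_pass(p, direction, recv_if, xmit_if=None):
    """First match wins; a divert hands the packet to natd and the search resumes at the next rule."""
    after = 0
    while True:
        r = next(r for r in RULES if r["num"] > after and matches(r, p, direction, recv_if, xmit_if))
        if r["action"] != "divert":
            return r["num"], r["action"], p
        p, after = natd(p, direction), r["num"]

def forward(p, in_if, out_if):
    """A forwarded packet is checked on the way in and, if allowed, again on the way out."""
    num, action, p = one_pass(p, "in", in_if)
    if action != "allow":
        return ("in", num, action)
    num, action, _ = one_pass(p, "out", in_if, out_if)
    return ("out", num, action)

def scenarios():
    """Constructed traffic: 198.51.100.1 stands in for any outside host, 192.168.0.5 for an inside PC."""
    dns = Packet("udp", "192.168.0.5", "198.51.100.1", 1025, 53)
    syn = Packet("tcp", "192.168.0.5", "198.51.100.1", 1026, 80, syn=True)
    web = Packet("tcp", "198.51.100.1", WEB_PUBLIC, 40000, 80, syn=True)
    return {"inside host, UDP query to an outside DNS server": forward(dns, "dc0", "dc1"),
            "inside host, TCP SYN to an outside web server": forward(syn, "dc0", "dc1"),
            "outside client, TCP SYN to the published 64.121.139.68:80": forward(web, "dc1", "dc0")}

if __name__ == "__main__":
    for name, (stage, num, action) in scenarios().items():
        print(f"{name}: {action} by rule {num:05d} on the {stage}bound pass")
```

The useful habit this shows is the one Dave arrived at himself: read the listing top to bottom for each packet you care about, once per interface it crosses, and remember that anything natd rewrites is re-checked from the rule after the divert with its new addresses. That is why the anti-spoofing block sits before rule 1400 and why rule 3000 sees 192.168.0.2, not 64.121.139.68, as the destination of a connection to the published web server.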