Date:      Tue, 5 Oct 1999 10:02:40 -0700 (PDT)
From:      "f.johan.beisser" <jan@caustic.org>
To:        Patrick Bihan-Faou <patrick@mindstep.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: default rc.firewall
Message-ID:  <Pine.BSF.4.05.9910050945160.41067-100000@pogo.caustic.org>
In-Reply-To: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>

On Tue, 5 Oct 1999, Patrick Bihan-Faou wrote:

> On that note, I don't really like the fact that you have to modify the
> "rc.firewall" script to set up even a "simple" firewall. I worked a bit on a
> new version of the "rc.firewall" script that takes all its configuration
> from variables that you set in rc.conf. I guess that the script does not
> qualify as simple anymore, but I think this is a bit cleaner. A couple of
> examples:
> 
> We are using (like many other I guess) FreeBSD as a NAT gateway on a
> cable-modem connection. I modified the rc.firewall script to use variables
> such as:

i've found that the rc.firewall is not really necessary for the NAT
gateways. basically, i set everything from the natd(8), and use the
rc.firewall for logging certain kinds of transactions, or bandwidth
control.

basically:

    natd -interface fxp0 -deny_incoming -use_sockets -same_ports

if you need to map something back to an internal machine, you can set this
from the natd itself. check the man pages on natd(8).

<mild snippage>
> 
> And it sets up the proper rules:
> 
> ipfw add allow tcp from any to any 20 setup in recv $oif
> ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
> ipfw add allow log tcp from any to $oip 22 setup in recv $oif
> 
> Where $oif, $oip etc are recovered automatically from ifconfig.
> 
> The other advantage is that when we get a new IP address through DHCP from
> our cable provider, we only need to re-run the rc.firewall script and all
> the rules are updated to match the new IP address.

natd(8) also supports DHCP assigned addresses, and you should just need to
let it negotiate the new IP. if you filter based off of the ethernet
connection (i.e. - fxp0) instead of the IP, you should be fine.

> I still need to clean up a few issues with my rc.firewall script, but
> overall I believe that it would be a great enhancement to the current
> distribution.
> 
> Any thoughts ?

i consider FWing from NATd(8) a bit easier than using IPFW for it. the
NATd can do just about anything the IPFW can, but, it prefers to represent
the network. use the IPFW to prevent any kind of spoofing, incoming or
outgoing, and perhaps to filter out incoming ICMP (if you really want)
from unknown hosts. if you have more than one IP address inside the nat
that has to be represented by the natd, it can do it.

the trick with this is that natd does allow certain kinds of incoming
connections, and it's not foolproof.

the simple change to rc.firewall is that you will need to have

    $fwcmd add divert natd ip from any to any via ${oif}

in your rc.firewall. it should be the first line in it. FBSD 3.3 has it in
there, and it takes the flags from rc.conf. the /etc/services line for it
exists as well, making the natd port 8668.

anyhow, hope this helps..

-- jan
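As an added example (not code from the thread or from FreeBSD's own rc.firewall), here is a small variable-driven rc.firewall fragment that follows the reply's advice: the divert rule first, anti-spoofing keyed on the interface rather than the DHCP-assigned address, and natd doing the address mapping. The interface names, inside network and rule numbers are assumptions; by default it only prints the ipfw commands rather than installing them.

```shell
#!/bin/sh
# Added example, not code from the thread: a variable-driven rc.firewall
# fragment for a FreeBSD natd gateway. Interface names and the inside
# network are constructed; in a real setup they come from rc.conf.
oif="${oif:-fxp0}"              # outside (cable-modem) interface, assumed
iif="${iif:-xl0}"               # inside interface, assumed
inet="${inet:-192.168.1.0/24}"  # private network behind the NAT, constructed
fwcmd="${fwcmd:-echo ipfw}"     # dry run by default; fwcmd=ipfw installs the rules

# natd does the address mapping (rc.conf natd_flags, as in the reply)
natd_flags="-interface ${oif} -deny_incoming -use_sockets -same_ports"

natd_gateway_rules() {
    ${fwcmd} -f flush
    # 1. divert to natd must be the first rule, so every packet crossing
    #    the outside interface is translated before any other rule sees it
    ${fwcmd} add 100 divert natd ip from any to any via ${oif}
    # 2. anti-spoofing keyed on the interface, not the DHCP-assigned address:
    #    private sources never arrive on ${oif}, and an untranslated
    #    inside source never leaves it
    ${fwcmd} add 200 deny log ip from ${inet} to any in recv ${oif}
    ${fwcmd} add 201 deny log ip from 10.0.0.0/8 to any in recv ${oif}
    ${fwcmd} add 210 deny log ip from ${inet} to any out xmit ${oif}
    # 3. loopback, the inside net, and (already translated) outbound traffic
    ${fwcmd} add 300 allow ip from any to any via lo0
    ${fwcmd} add 310 allow ip from ${inet} to any in recv ${iif}
    ${fwcmd} add 320 allow ip from any to ${inet} out xmit ${iif}
    ${fwcmd} add 330 allow ip from any to any out xmit ${oif}
    # 4. replies from outside: TCP only as part of an established flow,
    #    DNS answers, and DHCP so the lease on ${oif} renews without a rule change
    ${fwcmd} add 400 allow tcp from any to any established in recv ${oif}
    ${fwcmd} add 410 allow udp from any 53 to ${inet} in recv ${oif}
    ${fwcmd} add 420 allow udp from any 67 to any 68 in recv ${oif}
    # 5. optional, as the reply suggests: no unsolicited ICMP from outside
    ${fwcmd} add 500 deny icmp from any to any in recv ${oif}
    # 6. everything else is dropped and logged
    ${fwcmd} add 65000 deny log ip from any to any
}

natd_gateway_rules   # prints the rule set (dry run) or installs it
```

Rule 210 only matters for packets that somehow bypass the divert; after rule 100 has translated an outbound packet its source is the public address, so it falls through to rule 330.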


