From owner-freebsd-security Tue Oct 5 10: 4: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123]) by hub.freebsd.org (Postfix) with ESMTP id 54F1F14C29 for ; Tue, 5 Oct 1999 10:03:53 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id KAA78576; Tue, 5 Oct 1999 10:02:40 -0700 (PDT)
Date: Tue, 5 Oct 1999 10:02:40 -0700 (PDT)
From: "f.johan.beisser"
To: Patrick Bihan-Faou
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
In-Reply-To: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 5 Oct 1999, Patrick Bihan-Faou wrote:

> On that note, I don't really like the fact that you have to modify the
> "rc.firewall" script to set up even a "simple" firewall. I worked a bit on a
> new version of the "rc.firewall" script that takes all its configuration
> from variables that you set in rc.conf. I guess that the script does not
> qualify as simple anymore, but I think this is a bit cleaner. A couple of
> examples:
>
> We are using (like many others I guess) FreeBSD as a NAT gateway on a
> cable-modem connection. I modified the rc.firewall script to use variables
> such as:

i've found that the rc.firewall is not really necessary for the NAT
gateways. basically, i set everything from the natd(8), and use the
rc.firewall for logging certain kinds of transactions, or bandwidth
control.

basically:

	natd -interface fxp0 -deny_incoming -use_sockets -same_ports

if you need to map something back to an internal machine, you can set
this from the natd itself. check the man pages on natd(8).

> And it sets up the proper rules:
>
> ipfw add allow tcp from any to any 20 setup in recv $oif
> ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
> ipfw add allow log tcp from any to $oip 22 setup in recv $oif
>
> Where $oif, $oip etc are recovered automatically from ifconfig.
>
> The other advantage is that when we get a new IP address through DHCP from
> our cable provider, we only need to re-run the rc.firewall script and all
> the rules are updated to match the new IP address.

natd(8) also supports DHCP assigned addresses, and you should just need
to let it negotiate the new IP. if you filter based off of the ethernet
connection (i.e. - fxp0) instead of the IP, you should be fine.

> I still need to clean up a few issues with my rc.firewall script, but
> overall I believe that it would be a great enhancement to the current
> distribution.
>
> Any thoughts ?

i consider FWing from NATd(8) a bit easier than using IPFW for it. the
NATd can do just about anything the IPFW can, but, it prefers to
represent the network. use the IPFW to prevent any kind of spoofing,
incoming or outgoing, and perhaps to filter out incoming ICMP (if you
really want) from unknown hosts.

if you have more than one IP address inside the nat that has to be
represented by the natd, it can do it. the trick with this, is that natd
does allow certain kinds of incoming connections, and it's not foolproof.

the simple change to rc.firewall is that you will need to have

	$fwcmd add divert natd ip from any to any via ${oif}

in your rc.firewall. it should be the first line in it. FBSD 3.3 has it
in there, and it takes the flags from rc.conf. the /etc/services line
for it exists as well, making the natd port 8668.

anyhow, hope this helps..

-- jan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message