Date:      Tue, 27 Apr 2004 11:07:20 -0500
From:      "Andrew L. Gould" <algould@datawok.com>
To:        freebsd-questions@freebsd.org
Subject:   firewall and dmz questions - long
Message-ID:  <200404271107.20325.algould@datawok.com>

Background:
1.  I have an old computer (hostname = dmz) running FreeBSD 5.2.1 behind 
a Linksys cable modem/router.  The router is configured to use this old 
computer as a dmz server so that all service requests from the outside 
world are forwarded to dmz.

2.  I have a registered domain name and an account with dyndns so that 
dmz should be reachable, despite a dynamic IP address assigned by the 
ISP.

3.  Apache2 is configured to listen for SSL connections on port 443.  I 
commented out "Listen 80" in /usr/local/etc/apache2/httpd.conf, so that 
all web connections will occur via SSL.

4.  The firewall is enabled in rc.conf:

portmap_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

5.  dmz's firewall is configured to allow all outgoing traffic, incoming 
traffic for established connections, ssh, ntp, ssl (with setup), 
postgresql (with setup), dns, icmp, auth (for irc) and all traffic from 
the internal network.  The contents of /etc/ipfw.rules are included 
below.

Problem:
When I use the firewall, I can access my web server with ssl from my 
internal network, but not from the external world.  I know the ISP 
isn't blocking the ports because I can reach them from the outside 
world if I use the /etc/rc.firewall script with firewall type "open".

Am I missing something in the firewall script?  Here's the firewall 
script:

##Begin firewall script
#!/bin/sh

# Andrew L. Gould's firewall rules.

fwcmd="/sbin/ipfw -q"
ip="192.168.63.9"
mask="255.255.255.0"
net="192.168.63.0"

${fwcmd} -f flush


# Basic rules that should not be changed
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00110 deny all from any to 127.0.0.0/8
${fwcmd} add 00120 deny ip from 127.0.0.0/8 to any

# Allow all traffic within local network
${fwcmd} add 00200 allow all from ${ip} to ${net}:${mask}
${fwcmd} add 00201 allow all from ${net}:${mask} to ${ip}

# Allow TCP connections that were initiated locally
${fwcmd} add 00210 check-state
${fwcmd} add 00211 pass tcp from any to any in established
${fwcmd} add 00212 allow tcp from any to any out setup keep-state

# Allow IP fragments
${fwcmd} add 00213 pass all from any to any frag

# Allow specified service requests in
# ssh
${fwcmd} add 00300 allow tcp from any to me 22
${fwcmd} add 00301 allow tcp from me 22 to any
${fwcmd} add 00302 allow udp from any to me 22
${fwcmd} add 00303 allow udp from me 22 to any

# irc
${fwcmd} add 00305 allow tcp from any to me 194
${fwcmd} add 00306 allow tcp from me 194 to any
${fwcmd} add 00307 allow udp from any to me 194
${fwcmd} add 00308 allow udp from me 194 to any
# auth (ident)
${fwcmd} add 00310 allow tcp from any to me 113
${fwcmd} add 00311 allow tcp from me 113 to any
${fwcmd} add 00312 allow udp from any to me 113
${fwcmd} add 00313 allow udp from me 113 to any

# WWW
${fwcmd} add 00350 allow tcp from any 443 to any
${fwcmd} add 00351 allow tcp from any to me 443 setup
#${fwcmd} add 00352 allow tcp from any 80 to any
#${fwcmd} add 00353 allow tcp from any to any 80 setup
${fwcmd} add 00355 allow udp from any 443 to any
${fwcmd} add 00356 allow udp from any to me 443
#${fwcmd} add 00357 allow udp from any 80 to any
#${fwcmd} add 00358 allow udp from any to any 80

# PostgreSQL
${fwcmd} add 00360 allow tcp from any 5432 to any
${fwcmd} add 00361 allow tcp from any to me 5432 setup
${fwcmd} add 00362 allow udp from any 5432 to any
${fwcmd} add 00363 allow udp from any to me 5432

# Allow DNS and DHCP activities
${fwcmd} add 00500 allow udp from any 53 to any in recv xl0
${fwcmd} add 00501 allow udp from any 67 to any 68 in recv xl0
${fwcmd} add 00502 allow udp from any to any out

# Allow ICMP activities
${fwcmd} add 00600 allow icmp from any to any icmptype 0
${fwcmd} add 00601 allow icmp from any to any icmptype 3
${fwcmd} add 00602 allow icmp from any to any icmptype 4
${fwcmd} add 00603 allow icmp from any to any icmptype 8
${fwcmd} add 00604 allow icmp from any to any icmptype 11 in

# Allow NTP transactions
${fwcmd} add 00610 allow tcp from me to any 123
${fwcmd} add 00611 allow tcp from any 123 to me
${fwcmd} add 00612 allow udp from any 123 to me
#${fwcmd} add 00613 allow udp from me 123 to any

#${fwcmd} add 65535 deny all from any to any
##end of firewall script

Any advice would be appreciated.

Thanks,

Andrew Gould



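As an added example (editor's code, not part of the original message and not FreeBSD's own tooling), a small Python audit of rule lines copied from the script above: it flags allow rules keyed only on a remote source port (such as rule 00350, which any host can match by choosing that source port), UDP openings for services that only speak TCP, and a rule set that ends without an explicit deny. The tightened WWW block it compares against is a constructed assumption for illustration, not the poster's fix.

```python
import re

# Constructed sample: lines copied from the posted /etc/ipfw.rules (not the whole script).
SAMPLE_RULES = """\
${fwcmd} add 00350 allow tcp from any 443 to any
${fwcmd} add 00351 allow tcp from any to me 443 setup
${fwcmd} add 00355 allow udp from any 443 to any
${fwcmd} add 00356 allow udp from any to me 443
${fwcmd} add 00360 allow tcp from any 5432 to any
${fwcmd} add 00502 allow udp from any to any out
#${fwcmd} add 65535 deny all from any to any
"""

# Constructed tightened WWW block (assumption, not the poster's fix): stateful inbound 443,
# no source-port-only allow, explicit final deny at 65000 (65535 is ipfw's reserved default rule).
TIGHTENED_RULES = """\
${fwcmd} add 00210 check-state
${fwcmd} add 00351 allow tcp from any to me 443 setup keep-state
${fwcmd} add 65000 deny all from any to any
"""

TCP_ONLY_PORTS = {22, 113, 194, 443, 5432}  # services in the post that never use UDP
ALLOW = ("allow", "pass", "accept", "permit")
RULE_RE = re.compile(
    r"^(?:\$\{fwcmd\}\s+)?add\s+(?P<num>\d+)\s+(?P<action>allow|pass|accept|permit|deny|drop)"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?P<opts>.*)$"
)

def audit(rules_text):
    """Return (rule_number, finding) pairs; None as the number marks a rule-set-wide finding."""
    findings, last = [], None
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # comments, flush, check-state: nothing to audit
            continue
        r = m.groupdict()
        num, last = int(r["num"]), r
        if r["action"] not in ALLOW:
            continue
        # ipfw evaluates in order: a rule keyed only on the remote source port lets any
        # host that picks that port reach every local port, new connections included.
        if r["src"] == "any" and r["sport"] and r["dst"] == "any" and not r["dport"]:
            findings.append((num, "allow keyed only on source port " + r["sport"]))
        port = r["dport"] or r["sport"]
        if r["proto"] == "udp" and port and int(port) in TCP_ONLY_PORTS:
            findings.append((num, "udp opened for TCP-only service port " + port))
    if last is None or last["action"] not in ("deny", "drop") or (last["src"], last["dst"]) != ("any", "any"):
        findings.append((None, "no terminal deny; kernel default policy decides"))
    return findings
```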