Date:      Mon, 9 Jul 2001 01:14:01 -0400
From:      "Klik" <klik@unstable.org>
To:        <freebsd-security@freebsd.org>
Subject:   Re: ipfw + natd woes
Message-ID:  <001101c10835$f7e8c2c0$34df7ad1@unstable.org>
References:  <001401c10822$99f27ac0$34df7ad1@unstable.org>

Here is some more info on the setup, sorry about the incomplete post...

extra kernel options:
options         IPDIVERT
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         DUMMYNET

results of netstat -nr:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0

# firewall ruleset

#!/bin/sh

/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out

I tried all of these without the 'established' and 'setup' - no change.

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0

#nat line
/sbin/ipfw add divert natd all from any to any via rl0

/etc/rc.conf:
network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

natd flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.
  ----- Original Message -----
  From: Klik
  To: freebsd-security@freebsd.org
  Sent: Sunday, July 08, 2001 10:55 PM
  Subject: ipfw + natd woes


  Hello,

  I'm having trouble setting up my ipfw firewall with a default rule of deny while using natd. My setup is as follows:

  Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

  natd flags:  -m -s -n nic1

  If I remove the 'allow ip from any to any' rule and add a bunch of permit statements for DNS, HTTP, IRC, etc., the packets will only go to the FreeBSD machine. None of the machines on the local network are able to access the outside world. I've read the past threads about ipfw and natd, and the natd and ipfw man pages... I'm about to pull my hair out.

  Any help would be greatly appreciated
  Greg



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001101c10835$f7e8c2c0$34df7ad1>
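Editor's added example, not code from Greg's post or from FreeBSD itself: a default-deny ipfw ruleset in which the natd divert sits ahead of every permit rule. It takes the interface names, LAN prefix and outbound TCP service list from the post (rl0 outside, ed1 inside, 192.168.1.0/24); the rule numbers, the UDP/ICMP rules and the dry-run switch are assumptions made for this example. The ordering matters because ipfw(8) resumes processing at the rule after the divert once natd reinjects a packet: permit rules placed before the divert match untranslated addresses (LAN sources going out, the public address coming in), and an RFC1918 "to 192.168.0.0/16 in via rl0" deny placed after the divert would match every inbound reply that natd has just mapped back to a LAN host. With no arguments the script prints the rules it would load; with `apply` it hands them to /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny ipfw + natd ruleset.
# Assumed from the post: rl0 = cable modem side, ed1 = LAN side, LAN 192.168.1.0/24.
# Rule numbers, the UDP/ICMP rules and the dry-run switch are choices made here.
#
# Usage:  sh ruleset.sh          # dry run: prints the rules it would load
#         sh ruleset.sh apply    # loads them with /sbin/ipfw (needs root)

OIF=rl0
IIF=ed1
LAN=192.168.1.0/24
TCP_SERVICES="21 22 25 53 80 110 113 123 143"   # same service list as the post

# load_ruleset FWCMD: emits every rule through FWCMD (echo for a dry run,
# /sbin/ipfw to load for real).
load_ruleset() {
    fw="$1"
    $fw -f flush

    # Loopback: allow it, and refuse 127/8 anywhere else.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing on the outside interface. These must precede the divert:
    # after natd rewrites an inbound packet's destination to 192.168.1.x,
    # ipfw resumes at the rule following the divert, and a "to 192.168.0.0/16"
    # deny placed there would drop every translated reply.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $fw add 200 deny ip from $net to any in via $OIF
        $fw add 210 deny ip from any to $net in via $OIF
    done

    # NAT: every packet crossing rl0 goes through natd before any permit rule
    # sees it, so outbound packets leave with the public address and inbound
    # replies already carry the LAN host's address when the rules below run.
    $fw add 300 divert natd ip from any to any via $OIF

    # Inside interface: the firewall trusts its own LAN ($LAN lives here).
    $fw add 400 allow ip from any to any via $IIF

    # Outbound TCP sessions to the listed services, plus their return traffic.
    for port in $TCP_SERVICES; do
        $fw add 500 allow tcp from any to any $port out via $OIF setup
    done
    $fw add 510 allow tcp from any to any established via $OIF

    # DNS and NTP over UDP: queries out, answers back from port 53/123.
    for port in 53 123; do
        $fw add 600 allow udp from any to any $port out via $OIF
        $fw add 610 allow udp from any $port to any in via $OIF
    done

    # ICMP needed for path MTU discovery, traceroute and ping replies.
    $fw add 700 allow icmp from any to any icmptypes 0,3,8,11 via $OIF

    # Log what the implicit rule 65535 (deny, since the kernel has IPFIREWALL
    # without IPFIREWALL_DEFAULT_TO_ACCEPT) would otherwise drop silently.
    $fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply) load_ruleset /sbin/ipfw ;;
    *)     load_ruleset echo ;;
esac
```

Run it without arguments first and read the printed order: the RFC1918 denies, then the single divert, then the permits. Only the `via rl0` rules see translated traffic; the `via ed1` rule at 400 is what lets the LAN reach the firewall and the rest of the ruleset.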