Date: Mon, 9 Jul 2001 01:14:01 -0400
From: "Klik" <klik@unstable.org>
To: <freebsd-security@freebsd.org>
Subject: Re: ipfw + natd woes
Message-ID: <001101c10835$f7e8c2c0$34df7ad1@unstable.org>
References: <001401c10822$99f27ac0$34df7ad1@unstable.org>
Here is some more info on the setup, sorry about the incomplete post...

extra kernel options:

options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options DUMMYNET

results of netstat -nr:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0

# firewall ruleset

#!/bin/sh

/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out

I tried all of these without the 'established' and 'setup' - no change

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0

#nat line
/sbin/ipfw add divert natd all from any to any via rl0

/etc/rc.conf:

network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

natd flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.

----- Original Message -----
From: Klik
To: freebsd-security@freebsd.org
Sent: Sunday, July 08, 2001 10:55 PM
Subject: ipfw + natd woes

Hello,

I'm having trouble setting up my ipfw firewall with a default rule of deny while using natd.. My setup is as follows:

Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

natd flags: -m -s -n nic1

If I remove the 'allow ip from any to any' rule and add a bunch of permit statements for DNS, HTTP, IRC, etc.. The packets will only go to the FreeBSD machine. None of the machines on the local network are able to access the outside world.
I've read the past threads about ipfw and natd, the natd and ipfw man pages ...I'm about to pull my hair out

Any help would be greatly appreciated

Greg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001101c10835$f7e8c2c0$34df7ad1>
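Two things in the posted ruleset explain the symptom "the packets will only go to the FreeBSD machine". First, in ipfw syntax the port written directly after the source address is the source port, so "permit tcp from any 80 to any setup out" only matches a SYN leaving from port 80; a client's SYN leaves from an ephemeral port and never matches. Second, the divert rule was added last, so an inbound reply from a web server hits "permit tcp from any 80 to any established in" first, is accepted with the public address still on it, and is handed to the gateway's own stack instead of being translated back to 192.168.1.x; natd never sees it. Packets that are diverted re-enter the ruleset at the rule after the divert, so the divert has to sit before the filtering rules, and the anti-spoof rules for private destinations have to sit before the divert (after natd an inbound reply legitimately carries a 192.168.1.x destination). The script below is an added example written for this reply, not the poster's script and not FreeBSD's own; it assumes rl0 faces the cable modem, ed1 the LAN 192.168.1.0/24, natd started as "natd -m -s -n rl0", and a kernel with IPFIREWALL and IPDIVERT, all as stated in the thread. The variable names, the ruleset() helper and the IPFW_LOAD switch are mine. Run as-is it only prints the rules; with IPFW_LOAD=yes (as root, on the gateway) it flushes and loads them.

```shell
#!/bin/sh
# Added example, not the poster's script: a default-deny ipfw ruleset that
# works with natd.  Assumptions taken from the thread: rl0 = cable-modem side,
# ed1 = LAN 192.168.1.0/24, natd runs as "natd -m -s -n rl0".
# Default action is a dry run that prints the rules; IPFW_LOAD=yes loads them.

OIF="rl0"                                   # outside (NAT) interface
IIF="ed1"                                   # inside interface
LAN="192.168.1.0/24"
TCP_OUT="21 22 25 53 80 110 113 143"         # destination ports LAN clients may open
IPFW="${IPFW:-/sbin/ipfw}"

N=100
rule() {                                    # emit one explicitly numbered rule
    echo "add $N $*"
    N=$((N + 100))
}

ruleset() {
    N=100
    rule allow ip from any to any via lo0
    rule deny ip from any to 127.0.0.0/8

    # Anti-spoofing runs BEFORE the divert, on the packet as it arrives from the
    # cable side: there, a private address in either field is bogus.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny ip from "$net" to any in via "$OIF"
        rule deny ip from any to "$net" in via "$OIF"
    done

    # NAT next.  Diverted packets re-enter at the rule after this one, so every
    # rule below sees inbound replies already rewritten to 192.168.1.x and
    # outbound packets already carrying the public source address.
    rule divert natd ip from any to any via "$OIF"

    # A LAN source still present on the way out means natd did not translate it
    # (natd not running?); drop it instead of leaking private addresses.
    rule deny ip from "$LAN" to any out via "$OIF"

    # Replies to connections opened from inside (stateless, as in the post).
    rule allow tcp from any to any established
    # Connection setup matches on the DESTINATION port; the client's source port
    # is ephemeral, which is why "from any 80 ... setup out" never matched.
    for p in $TCP_OUT; do
        rule allow tcp from any to any "$p" setup out via "$OIF"
    done
    # DNS and NTP are UDP (123 was listed under TCP in the post).
    rule allow udp from any to any 53 out via "$OIF"
    rule allow udp from any 53 to any in via "$OIF"
    rule allow udp from any to any 123 out via "$OIF"
    rule allow udp from any 123 to any in via "$OIF"
    # echo reply, unreachable (PMTU), echo request, time exceeded (traceroute)
    rule allow icmp from any to any icmptypes 0,3,8,11

    # The LAN side is trusted in this setup.
    rule allow ip from any to any via "$IIF"

    # Explicit, logged default deny (the built-in rule 65535 does not log).
    rule deny log ip from any to any
}

load_rules() {
    $IPFW -f flush
    ruleset | while read -r line; do
        $IPFW $line
    done
}

if [ "${IPFW_LOAD:-no}" = "yes" ]; then load_rules; else ruleset; fi
```

To have natd started the same way at boot, the matching rc.conf entries (an assumption about how the poster wants it started, not something the post shows) would be natd_enable="YES", natd_interface="rl0" and natd_flags="-m -s", next to the gateway_enable="YES" already present. The stateless "established" rule admits any segment with ACK set, exactly as the posted rules did; on releases whose ipfw has keep-state and check-state, replacing it with a check-state rule and adding keep-state to each setup rule closes that hole without changing the divert placement.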
