Date: Mon, 9 Jul 2001 01:14:01 -0400
From: "Klik" <klik@unstable.org>
To: <freebsd-security@freebsd.org>
Subject: Re: ipfw + natd woes
Message-ID: <001101c10835$f7e8c2c0$34df7ad1@unstable.org>
References: <001401c10822$99f27ac0$34df7ad1@unstable.org>
Here is some more info on the setup, sorry about the incomplete post...

extra kernel options:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options DUMMYNET

results of netstat -nr:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0

# firewall ruleset
#!/bin/sh
/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out

I tried all of these without the 'established' and 'setup' - no change

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0

#nat line
/sbin/ipfw add divert natd all from any to any via rl0

/etc/rc.conf:
network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

natd: flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.

----- Original Message -----
From: Klik
To: freebsd-security@freebsd.org
Sent: Sunday, July 08, 2001 10:55 PM
Subject: ipfw + natd woes

Hello,

I'm having trouble setting up my ipfw firewall with a default rule of deny while using natd. My setup is as follows:

Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

natd flags: -m -s -n nic1

If I remove the 'allow ip from any to any' rule and add a bunch of permit statements for DNS, HTTP, IRC, etc., the packets will only go to the FreeBSD machine. None of the machines on the local network are able to access the outside world. I've read the past threads about ipfw and natd, the natd and ipfw man pages... I'm about to pull my hair out.

Any help would be greatly appreciated

Greg
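Added example, not from the post or from FreeBSD's own code: a small Python model of ipfw rule evaluation with a natd divert, run over the posted port-80 rules (divert last, 'setup out' keyed on source port) and over a reordered ruleset with the divert first. In ipfw a packet handed back by natd resumes at the rule after the divert, so with the divert as the last rule it falls straight into the default deny, and an untranslated inbound reply is addressed to the firewall itself. The public address on rl0 (216.164.28.5), the web server (216.164.29.1) and the client port are constructed; the interfaces and LAN addresses are the ones from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the public address natd puts on rl0 and one outside web server.
OUTSIDE, WEB = "216.164.28.5", "216.164.29.1"
LAN = ip_network("192.168.1.0/24")  # the ed1 network from the post

def rule(action, **m):  # one ipfw rule; a field left out means 'any'
    return dict(action=action, **m)
def matches(r, p):
    if any(k in r and r[k] != p[k] for k in ("sport", "dport", "dir", "via")):
        return False
    if "src" in r and ip_address(p["src"]) not in r["src"]:
        return False
    flag = r.get("flag")  # 'setup' = SYN only; 'established' = ACK or RST set
    return flag is None or (flag == "setup") == p["syn"]
def natd(p, sessions):  # natd -s: keep the port; rewrite src going out, dst coming in
    if p["dir"] == "out" and ip_address(p["src"]) in LAN:
        sessions[p["sport"]] = p["src"]
        p["src"] = OUTSIDE
    elif p["dir"] == "in" and p["dst"] == OUTSIDE and p["dport"] in sessions:
        p["dst"] = sessions[p["dport"]]
def ipfw(rules, p, sessions):  # one pass; a diverted packet re-enters after the divert rule
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            natd(p, sessions)
            continue
        return r["action"]
    return "deny"  # default rule 65535 on a kernel built without default-accept
def forward(rules, pkt, hops, sessions):  # run every (direction, interface) hop of a path
    p = dict(pkt)
    for d, via in hops:
        p.update(dir=d, via=via)
        if ipfw(rules, p, sessions) != "allow":
            return "deny", p
    return "allow", p

# Posted ordering, port-80 rules only: divert last; 'setup out' keyed on *source* port 80.
POSTED = [rule("allow", sport=80, flag="established", dir="in"),
          rule("allow", sport=80, flag="setup", dir="out"),
          rule("divert", via="rl0")]
# Divert first so rl0 traffic is translated before filtering; SYNs keyed on destination port.
FIXED = [rule("divert", via="rl0"),
         rule("allow", src=LAN, dir="in", via="ed1"), rule("allow", dir="out", via="ed1"),
         rule("allow", dport=80, flag="setup", dir="out", via="rl0"),
         rule("allow", sport=80, flag="established", dir="in", via="rl0")]
LAN_SYN = dict(src="192.168.1.3", sport=1025, dst=WEB, dport=80, syn=True)
REPLY = dict(src=WEB, sport=80, dst=OUTSIDE, dport=1025, syn=False)
OUT_PATH, IN_PATH = [("in", "ed1"), ("out", "rl0")], [("in", "rl0"), ("out", "ed1")]
```

Running forward(POSTED, LAN_SYN, OUT_PATH, {}) is denied on the very first hop, while forward(FIXED, ...) lets the SYN out with its source rewritten and brings the reply back to 192.168.1.3.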