Date: Sun, 23 Oct 2005 01:17:57 +0100
From: Jayton Garnett <jay@codegurus.org>
To: andy@triera.net
Cc: freebsd-net@freebsd.org
Subject: Re: Problem with firewall
Message-ID: <435AD6B5.9050109@codegurus.org>
In-Reply-To: <iorzt7.utxdv5@webmail.triera.net>
References: <iorzt7.utxdv5@webmail.triera.net>
Andy Rozman (Aleksander) wrote:
> Hi!
>
> I am sorry to post this message here, but I think that there are a lot of
> gurus here who could help me without a problem.
>
> Till now I was running ipfw with a rule that allows all packets (from the kernel)
> to pass through. In the last few weeks I started having problems, since I got
> quite a lot of packets that the server accepted by default.
>
> So I removed this kernel directive, but now I have the problem that I don't
> know how to set rules. I have two NICs on my FreeBSD box, one for the outside
> internet and one for the internal network, so I am using this machine as a router
> and as a web server, ...
>
> The problem is that I don't know how to set the rules so that ipfw will allow all
> directives from the inside network to go out and receive replies. Please send me a
> working config. I tried several configs I found on the net, but none of them seem
> to work... It would probably also be nice to put one working natd + ipfw
> configuration somewhere in the handbook.
>
> Please help.
> Andy
>
> P.S.: I applied for membership to the list, but I don't know how fast this will be
> processed, so please cc my email.

Hello Andy,

Last night I faced a similar problem, since ndiscvt on FreeBSD 5.4 64-bit would not
produce the required ndis_driver_data.h file for my wifi card (ndiscvt produced it on
FreeBSD 5.4 x86), so a friend helped me out and I kind of understand what you need.

I didn't get mine working because I'm too impatient and my internet connection went
down for a few minutes; in that time I dug out my hub and cat5 patch cables and ran
them to my router. Instead of going something like this:

    Main PC --> Gateway --> Router --> Internet

it now goes like this (and so does the rest of the network):

    Main PC --> Router --> Internet

Presuming you are using a cable modem with no router in between it and your
server/router, hope it works for you!
Cheers,
Jayton

In your /etc/rc.conf you should have something like this:

gateway_enable="YES"
hostname="yourdomain.com"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
# The default route arrives with the DHCP lease on rl0. Do not point
# defaultrouter at this box's own inside address (192.168.0.1): that
# gives the gateway a broken default route.
#defaultrouter="192.168.0.1"
# firewall stuff
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO"
firewall_flags=""
# natd stuff (the kernel needs options IPFIREWALL and IPDIVERT for this)
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

In your /etc/natd.conf:

# natd_interface in rc.conf already passes "-n rl0" to natd; this line says
# the same thing, so one of the two is enough.
interface rl0
# Forward these ports on the public address to the inside host 192.168.0.3.
redirect_port tcp 192.168.0.3:2090 2090
redirect_port tcp 192.168.0.3:2091 2091
redirect_port tcp 192.168.0.3:2092 2092
redirect_port tcp 192.168.0.3:2093 2093
redirect_port tcp 192.168.0.3:2094 2094
redirect_port tcp 192.168.0.3:2095 2095
redirect_port udp 192.168.0.3:2090 2090
redirect_port udp 192.168.0.3:2091 2091
redirect_port udp 192.168.0.3:2092 2092
redirect_port udp 192.168.0.3:2093 2093
redirect_port udp 192.168.0.3:2094 2094
redirect_port udp 192.168.0.3:2095 2095
redirect_port tcp 192.168.0.3:2000 2000
redirect_port tcp 192.168.0.3:2001 2001
redirect_port tcp 192.168.0.3:2002 2002
redirect_port tcp 192.168.0.3:2003 2003
redirect_port tcp 192.168.0.3:2004 2004
redirect_port udp 192.168.0.3:2000 2000
redirect_port udp 192.168.0.3:2001 2001
redirect_port udp 192.168.0.3:2002 2002
redirect_port udp 192.168.0.3:2003 2003
redirect_port udp 192.168.0.3:2004 2004

In your /etc/rc.firewall (create it in /etc if it does not exist), add this in and see what happens:

#!/bin/sh
# Set the rules command prefix.
# Add -q (quiet mode: do not display rules as they load) once the rules are
# debugged; leave it off during development so you can see them.
fwcmd="/sbin/ipfw"

# Set these to your outside interface, inside interface, inside network,
# netmask and the gateway's own inside address. They must match rc.conf.
oif="rl0"
iif="rl1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# mandatory
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing: inside addresses must never arrive on the outside interface
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}

# Hand every packet crossing the outside interface to natd. Without this rule
# natd never sees any traffic and the inside network cannot reach the Internet.
${fwcmd} add divert natd ip from any to any via ${oif}

# Exempt everything behind the firewall from the rules below:
# allow all internal traffic on the inside interface
${fwcmd} add pass ip from any to any via ${iif}

# Turn on the stateful firewall
${fwcmd} add check-state

# Allow the packet through if it belongs to an already established TCP
# connection (replies to outbound connections arrive here after natd has
# translated them back to the inside address).
${fwcmd} add pass tcp from any to any established

# Deny IP fragments
#${fwcmd} add deny all from any to any frag

################################################################################
# allow outgoing connections to specified TCP ports                            #
################################################################################
# Allow everything out. These two rules make every per-port rule that follows
# redundant; the per-port rules only take effect if you remove these two.
# "setup" is TCP-only, so it is not used on the UDP rule.
${fwcmd} add pass tcp from any to any 1-65535 out via ${oif} setup keep-state
${fwcmd} add pass udp from any to any 1-65535 out via ${oif} keep-state

# Allow setup of http to the outside
${fwcmd} add pass tcp from any to any 80 out via ${oif} setup keep-state
# Allow setup of ssh to the outside
${fwcmd} add pass tcp from any to any 22 out via ${oif} setup keep-state
# Allow setup of CVSup to the outside
${fwcmd} add allow tcp from any to any 5999 out via ${oif} setup keep-state
# Allow GRE (IP protocol 47, used by PPTP tunnels)
${fwcmd} add pass gre from any to any keep-state
# Allow setup of https to the outside
#${fwcmd} add pass tcp from any to any 443 out via ${oif} setup keep-state
# Allow setup of ftp to the outside
${fwcmd} add pass tcp from any to any 21 out via ${oif} setup keep-state
#${fwcmd} add pass tcp from any to any 49152-65535 out via ${oif} setup keep-state
# Allow setup of pop to the outside (my ISP 1)
${fwcmd} add pass tcp from any to any 110 out via ${oif} setup keep-state
# Allow setup of smtp to the outside (ISP 1)
${fwcmd} add pass tcp from any to any 25 out via ${oif} setup keep-state
# Allow setup of news to the outside
${fwcmd} add pass tcp from any to any 119 out via ${oif} setup keep-state
# Allow setup of time to the outside
${fwcmd} add pass tcp from any to any 37 out via ${oif} setup keep-state
# Allow DNS queries out to my ISP's DNS servers
${fwcmd} add pass udp from any to any 53 out via ${oif} keep-state
# Allow answers to DNS queries from my ISP. Note that the keep-state rule
# above already covers replies to our own queries; this one lets any
# datagram with source port 53 in, which is broader than it needs to be.
${fwcmd} add pass udp from any 53 to any in via ${oif} keep-state
# Allow NTP queries out into the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif} keep-state
# Allow answers to NTP queries from my NTP server (redundant with the rule
# above, which has no direction and already matches inbound packets)
${fwcmd} add pass udp from any 123 to any 123 in via ${oif} keep-state

################################################################################
# allow incoming connections from the internet to those specified ports        #
################################################################################
# Allow access to our SSH server
${fwcmd} add pass log tcp from any to me 22 in via ${oif} setup keep-state
# Allow access to our NNTP server
${fwcmd} add pass log tcp from any to me 119 in via ${oif} setup keep-state
# Allow access to the ftp server (passive mode) from the internet.
# The last of these opens the whole passive port range to the Internet.
${fwcmd} add allow tcp from any to me 21 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 20 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 49152-65535 in via ${oif} keep-state
# Allow access to our httpd
${fwcmd} add allow tcp from any to me 80 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 8080 in via ${oif} keep-state
# Allow access to pop and sendmail
${fwcmd} add allow tcp from any to me 25 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 110 in via ${oif} keep-state
# Allow ident requests
${fwcmd} add allow tcp from any to me 113 in via ${oif} keep-state

################################################################################
# default to catch all the rest                                                #
################################################################################
# Stop & log spoofing attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain, as per the CIAC prevention alert.
${fwcmd} add deny log ip from me to me in via ${oif}

# Drop noisy inbound connection attempts without logging
# (NetBIOS 137-139, MySQL 3306, X11 6000)
${fwcmd} add deny tcp from any to any 137-139 in via ${oif}
${fwcmd} add deny tcp from any to any 3306 in via ${oif}
${fwcmd} add deny tcp from any to any 6000 in via ${oif}

# Reject & log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Reject & log all incoming datagrams from the outside
${fwcmd} add deny log udp from any to any in via ${oif}

# Stop & log ping echo attacks: echo reply (ICMP type 0) and echo request
# (type 8). As written the rule drops all inbound ICMP, including type 3
# (destination unreachable), which path MTU discovery depends on.
${fwcmd} add deny log icmp from any to me in via ${oif}

# Explicit catch-all, so the result does not depend on whether the kernel
# was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
${fwcmd} add deny log ip from any to any
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?435AD6B5.9050109>
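The rc.firewall posted above mixes `established`/`setup` rules with `keep-state` rules and, as posted, has no `divert natd` rule at all, which is the usual reason natd + ipfw configurations copied from the net do not work. As an added example (not from the original mail and not FreeBSD's own /etc/rc.firewall), the script below is a minimal stateful ipfw + natd ruleset for the same two-NIC layout, using the same skipto arrangement the FreeBSD Handbook uses for natd with dynamic rules: inbound packets are de-NATed before `check-state`, and every rule that creates state uses `skipto` into an outbound NAT block instead of `allow`, because a dynamic rule re-runs its parent's action for the replies and an `allow` parent would let replies from an inside host leave untranslated. The interface names rl0/rl1, the LAN 192.168.0.0/24, the redirected host 192.168.0.3, the ports opened on the gateway, the `DRYRUN` variable and the `show`/`load` arguments are assumptions made for this illustration; the kernel needs IPFIREWALL and IPDIVERT, and natd must be running on rl0.

```shell
#!/bin/sh
# Added example, not from the original mail: minimal stateful ipfw + natd
# ruleset for a two-NIC FreeBSD gateway, written so it can be dry-run.
# Assumptions: rl0 is the outside (DHCP) interface natd runs on, rl1 is the
# inside interface, 192.168.0.0/24 is the LAN, 192.168.0.3 receives the
# natd redirect_port entries, and the kernel has IPFIREWALL and IPDIVERT.
#
#   sh gateway.fw show    print the ipfw commands, touch nothing
#   sh gateway.fw load    apply them (as root, on the gateway)

oif="${OIF:-rl0}"                 # outside interface (= natd_interface)
iif="${IIF:-rl1}"                 # inside interface
inet="${INET:-192.168.0.0/24}"    # inside network
nat_at=1000                       # first rule number of the outbound NAT block

# Every rule passes through here so DRYRUN=yes prints instead of loading.
rule() {
    if [ "${DRYRUN:-no}" = yes ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

build_ruleset() {
    rule -f flush

    # Loopback, and nothing claiming to be 127/8 on a real interface.
    rule add 100 allow ip from any to any via lo0
    rule add 110 deny ip from any to 127.0.0.0/8
    rule add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: LAN addresses never arrive from the Internet, and only
    # LAN addresses arrive on the inside interface (loosen rule 210 if this
    # box also serves DHCP to the LAN, whose requests come from 0.0.0.0).
    rule add 200 deny log ip from "$inet" to any in via "$oif"
    rule add 210 deny log ip from not "$inet" to any in via "$iif"

    # Inbound: let natd translate the destination back to the inside address
    # BEFORE check-state, so replies match the state entry created below.
    rule add 300 divert natd ip from any to any in via "$oif"
    rule add 400 check-state

    # A dynamic rule re-runs its parent's action for every packet it matches,
    # in both directions. Outbound state is therefore created with "skipto"
    # into the NAT block, not "allow": with "allow", replies from a LAN host
    # would bypass natd and leave with a private source address.
    rule add 500 skipto "$nat_at" tcp from any to any out via "$oif" setup keep-state
    rule add 510 skipto "$nat_at" udp from any to any out via "$oif" keep-state
    rule add 520 skipto "$nat_at" icmp from any to any out via "$oif" icmptypes 8 keep-state

    # Everything on the inside interface is trusted.
    rule add 600 allow ip from any to any via "$iif"

    # Services on the gateway itself, reachable from the Internet.
    rule add 700 skipto "$nat_at" tcp from any to me 22 in via "$oif" setup keep-state
    rule add 710 skipto "$nat_at" tcp from any to me 80 in via "$oif" setup keep-state
    # Ports natd redirects to a LAN host arrive here already translated.
    rule add 720 skipto "$nat_at" tcp from any to 192.168.0.3 2090-2095 in via "$oif" setup keep-state
    rule add 730 skipto "$nat_at" udp from any to 192.168.0.3 2090-2095 in via "$oif" keep-state
    # ICMP needed for path-MTU discovery and traceroute to keep working.
    rule add 800 allow icmp from any to any in via "$oif" icmptypes 3,11

    # Explicit default deny, logged (needs net.inet.ip.fw.verbose=1 to show
    # up in /var/log/security). Rules after this are reached only by skipto.
    rule add 999 deny log ip from any to any

    # Outbound NAT block: translate the source, then let the packet go.
    rule add "$nat_at" divert natd ip from any to any out via "$oif"
    rule add $((nat_at + 10)) allow ip from any to any
}

case "${1:-}" in
    show) DRYRUN=yes; build_ruleset ;;
    load) build_ruleset ;;
esac
```

`sh gateway.fw show` prints the rules so you can review the order before anything is loaded; after `load`, `ipfw -a list` shows the per-rule packet counters, which is the quickest way to see whether outbound packets are reaching rule 1000 and replies are matching at 400. Keep the per-rule logging of the denies on while testing, then turn off `log` on the noisy rules.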