Date:      Thu, 24 Jun 1999 21:15:59 -0500
From:      "David B. Aas" <dave@ciminot.com>
To:        <questions@freebsd.org>
Subject:   I can't get ipfw and natd to work!
Message-ID:  <000201bebeb0$ab280200$0fc8a8c0@dave.ciminot.com>

Help, Please!

I am trying to get ipfw and natd to work on a "simple" firewall. I have been
using the instructions in the Complete FreeBSD book by Greg Lehey, and using
defaults to set this thing up. That didn't work. I tried email
correspondence with Dan Busarow, and I stumped him.

I am using an FTP install of 3.2-RELEASE. I recompiled my kernel with the
IPDIVERT and IPFIREWALL options. I have a permanent Internet connection at
208.149.231.25. My external IP is 208.149.231.29 on device xl1. My internal
device, xl0, is set for IP 192.168.100.254.

I cannot ping to the outside world. I get an error message "natd[122]:
failed to write packet back (permission denied)". I want to hook up Windows
computers to my network, use RFC1918 net addresses inside my network, and
share a fast connection to the Internet on my network. This is not rocket
science, but I can't seem to get this to work!

Here are relevant details. I would appreciate any help. I am ready to hurt
myself if I don't get this going soon.

Dave Aas
dave@ciminot.com
------------------------------------
rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
saver="daemon"
gateway_enable="YES"
ifconfig_xl0="inet 192.168.100.254  netmask 255.255.255.0"
pccard_ifconfig="NO"
pccard_mem="DEFAULT"
network_interfaces="xl0 xl1 lo0"
ifconfig_xl1="inet 208.149.231.29  netmask 255.255.255.248"
defaultrouter="208.149.231.25"
hostname="gateway.kxmc.com"
firewall_enable="YES"
sendmail_enable="NO"
natd_enable="YES"
natd_interface="xl1"
firewall_type="simple"
-----------------------------------------
rc.local
natd -use_sockets -same_ports -unregistered_only -dynamic -interface xl1
------------------------------------------
rc.firewall
############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $

# Suck in the configuration variables.
# (The "if" line was missing from the posted copy; this condition is a
# reconstruction that makes the block well-formed again.)
if [ -f /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        . /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#       Building Internet Firewalls
#       Brent Chapman and Elizabeth Zwicky
#
#       O'Reilly & Associates, Inc
#       ISBN 1-56592-124-0
#       http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#       Firewalls & Internet Security
#       Repelling the wily hacker
#       William R. Cheswick, Steven M. Bellowin
#
#       Addison-Wesley
#       ISBN 0-201-6337-4
#       http://www.awl.com/
#

if [ "x$1" != "x" ]; then
        firewall_type=$1
fi

############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
        fwcmd="/sbin/ipfw -q"
else
        fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
fi

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8


# Prototype setups.
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then

        $fwcmd add 65000 pass all from any to any

elif [ "${firewall_type}" = "client" ]; then

    ############
    # This is a prototype setup that will protect your system somewhat against
    # people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    $fwcmd add pass all from ${ip} to ${net}:${mask}
    $fwcmd add pass all from ${net}:${mask} to ${ip}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${ip} 25 setup

    # Allow setup of outgoing TCP connections only
    $fwcmd add pass tcp from ${ip} to any setup

    # Disallow setup of all other TCP connections
    $fwcmd add deny tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="xl1"
    onet="208.149.231.0"
    omask="255.255.255.248"
    oip="208.149.231.29"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.100.0"
    imask="255.255.255.0"
    iip="192.168.100.254"

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Allow traffic to or from internal network (did this to troubleshoot)
    $fwcmd add pass all from ${iip} to ${inet}:${imask} via ${iif}
    $fwcmd add pass all from ${inet}:${imask} to ${iip} via ${iif}
    $fwcmd add pass all from ${oip} to ${iip}
    $fwcmd add pass all from ${iip} to ${oip}
    $fwcmd add pass all from ${oip} to ${iip}:${imask}
    $fwcmd add pass all from ${inet}:${imask} to ${oip}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
fi
---------------------------------------------------
ipfw list
00100 divert 8668 ip from any to any via xl1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.100.0/24 to any in recv xl1
00400 deny ip from 208.149.231.0/29 to any in recv xl0
00500 allow ip from 192.168.100.254 to 192.168.100.0/24 via xl0
00600 allow ip from 192.168.100.0/24 to 192.168.100.254 via xl0
00700 allow ip from 208.149.231.29 to 192.168.100.254
00800 allow ip from 192.168.100.254 to 208.149.231.29
00900 allow ip from 208.149.231.29 to 192.168.100.0/24
01000 allow ip from 192.168.100.0/24 to 208.149.231.29
01100 deny ip from 192.168.0.0/16 to any via xl1
01200 deny ip from any to 192.168.0.0/16 via xl1
01300 deny ip from 172.16.0.0/12 to any via xl1
01400 deny ip from any to 172.16.0.0/12 via xl1
01500 deny ip from 10.0.0.0/8 to any via xl1
01600 deny ip from any to 10.0.0.0/8 via xl1
01700 allow tcp from any to any established
01800 allow tcp from any to 208.149.231.29 25 setup
01900 allow tcp from any to 208.149.231.29 53 setup
02000 allow tcp from any to 208.149.231.29 80 setup
02100 deny log tcp from any to any in recv xl1 setup
02200 allow tcp from any to any setup
02300 allow udp from any 53 to 208.149.231.29
02400 allow udp from 208.149.231.29 to any 53
02500 allow udp from any 123 to 208.149.231.29
02600 allow udp from 208.149.231.29 to any 123
65535 deny ip from any to any
-----------------------------------------------
ipfw show
00100  92 20136 divert 8668 ip from any to any via xl1
00100   0     0 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 192.168.100.0/24 to any in recv xl1
00400   0     0 deny ip from 208.149.231.0/29 to any in recv xl0
00500 369 33990 allow ip from 192.168.100.254 to 192.168.100.0/24 via xl0
00600 474 19768 allow ip from 192.168.100.0/24 to 192.168.100.254 via xl0
00700   0     0 allow ip from 208.149.231.29 to 192.168.100.254
00800   0     0 allow ip from 192.168.100.254 to 208.149.231.29
00900   0     0 allow ip from 208.149.231.29 to 192.168.100.0/24
01000   0     0 allow ip from 192.168.100.0/24 to 208.149.231.29
01100   7  2296 deny ip from 192.168.0.0/16 to any via xl1
01200   0     0 deny ip from any to 192.168.0.0/16 via xl1
01300   0     0 deny ip from 172.16.0.0/12 to any via xl1
01400   0     0 deny ip from any to 172.16.0.0/12 via xl1
01500   0     0 deny ip from 10.0.0.0/8 to any via xl1
01600   0     0 deny ip from any to 10.0.0.0/8 via xl1
01700   0     0 allow tcp from any to any established
01800   0     0 allow tcp from any to 208.149.231.29 25 setup
01900   0     0 allow tcp from any to 208.149.231.29 53 setup
02000   0     0 allow tcp from any to 208.149.231.29 80 setup
02100   0     0 deny log tcp from any to any in recv xl1 setup
02200   0     0 allow tcp from any to any setup
02300   1   155 allow udp from any 53 to 208.149.231.29
02400   1    73 allow udp from 208.149.231.29 to any 53
02500   0     0 allow udp from any 123 to 208.149.231.29
02600   0     0 allow udp from 208.149.231.29 to any 123
65535 136 20997 deny ip from any to any
--------------------------------------------------------
netstat -in
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500  <Link>      00.50.04.03.d9.6a      584     0      389     0     0
xl0   1500  192.168.100   192.168.100.254      584     0      389     0     0
xl1   1500  <Link>      00.50.04.0d.cf.f9      255     0        3     0     0
xl1   1500  208.149.231.2 208.149.231.29       255     0        3     0     0
lp0*  1500  <Link>                               0     0        0     0     0
tun0* 1500  <Link>                               0     0        0     0     0
sl0*  552   <Link>                               0     0        0     0     0
ppp0* 1500  <Link>                               0     0        0     0     0
lo0   16384 <Link>                               0     0        0     0     0
lo0   16384 127           127.0.0.1              0     0        0     0     0
------------------------------------------------------------
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif  Expire
default            208.149.231.25     UGSc        1        6      xl1
127.0.0.1          127.0.0.1          UH          0        0      lo0
192.168.100        link#1             UC          0        0      xl0
192.168.100.15     0:80:29:67:18:a9   UHLW        1      404      xl0    998
208.149.231.24/29  link#2             UC          0        0      xl1
208.149.231.25     0:c0:49:11:60:3f   UHLW        2        8      xl1    999
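Added example (not part of Dave's message or of FreeBSD's rc.firewall): a Python replay of the rule set from the "ipfw list" output above, applied to the packet natd hands back on xl1 for the second pass that the rc.firewall comment describes. It shows an outbound echo request falling through to the default deny at 65535 while a DNS query matches rule 02400; the two packets and the 198.51.100.1 address are constructed.

```python
"""Replay the post's ipfw rules against the packet natd writes back.  natd(8) re-runs the
rule set on the translated packet, minus divert rules; when that pass ends in deny the
write back is refused, which natd logs as "failed to write packet back (permission denied)"."""
from ipaddress import ip_address, ip_network
# Subset of the "ipfw list" output from the post (copied from it, not invented).
RULES_TEXT = """\
00100 divert 8668 ip from any to any via xl1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.100.0/24 to any in recv xl1
02100 deny log tcp from any to any in recv xl1 setup
02300 allow udp from any 53 to 208.149.231.29
02400 allow udp from 208.149.231.29 to any 53
65535 deny ip from any to any"""
KEYWORDS = {"in", "out", "via", "recv", "xmit", "setup", "established"}

def parse(line):
    t = line.split()
    if t[1] == "divert":                                  # skipped on natd's second pass
        return None
    i = 3 if t[2] == "log" else 2                         # optional 'log'
    proto, src, i = t[i], t[i + 2], i + 3                 # PROTO from SRC
    sport = None if t[i] == "to" else t[i]                # optional source port
    i += 1 if sport is None else 2                        # past 'to'
    dst, i = t[i], i + 1
    dport = t[i] if i < len(t) and t[i] not in KEYWORDS else None
    rest = t[i:]                                          # in/out, via/recv/xmit IF, setup, established
    iface = next((rest[j + 1] for j, w in enumerate(rest) if w in ("via", "recv", "xmit")), None)
    return dict(num=int(t[0]), action=t[1], proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                iface=iface, direction=next((w for w in ("in", "out") if w in rest), None),
                setup="setup" in rest, established="established" in rest)

def matches(r, p):
    """True if rule r matches packet p (recv/xmit treated like via, which suffices here)."""
    ok = r["proto"] in ("ip", p["proto"])
    ok &= all(r[k] == "any" or ip_address(p[k]) in ip_network(r[k], strict=False) for k in ("src", "dst"))
    ok &= all(r[k] is None or int(r[k]) == p.get(k) for k in ("sport", "dport"))
    ok &= all(r[k] is None or r[k] == p.get(k) for k in ("iface", "direction"))
    return ok and all(p.get(f, False) for f in ("setup", "established") if r[f])

def first_match(rules, p):
    """(rule number, action) of the first matching rule; 65535 is the default deny."""
    return next((r["num"], r["action"]) for r in rules if matches(r, p))

RULES = [r for r in map(parse, RULES_TEXT.splitlines()) if r]
# Constructed packets as the second pass sees them on xl1: the source is the gateway's own
# address whether the packet originated there or was translated from a 192.168.100.x host.
PING_OUT = dict(proto="icmp", src="208.149.231.29", dst="198.51.100.1", iface="xl1", direction="out")
DNS_OUT = dict(proto="udp", src="208.149.231.29", sport=1025, dst="198.51.100.1", dport=53,
               iface="xl1", direction="out")
RESULTS = {"ping": first_match(RULES, PING_OUT),   # (65535, 'deny'): the refused write back
           "dns": first_match(RULES, DNS_OUT)}     # (2400, 'allow'): matches the post's counter
```

Nothing in the listed rule set passes ICMP, so every echo request natd hands back lands on 65535 regardless of where it originated.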
