Date: Wed, 4 Aug 1999 09:39:29 -0500 From: "David B. Aas" <dave@ciminot.com> To: "'Ray Seals'" <rayseals@midwestis.com>, "'Oscar Bonilla'" <obonilla@fisicc-ufm.edu>, "'Thomas Uhrfelt'" <thomas.uhrfelt@plymovent.se> Cc: <questions@freebsd.org> Subject: Need consulting help with v3.2 firewall Message-ID: <000d01bede87$54afa120$0fc8a8c0@dave.ciminot.com>
[-- Attachment #1 --]
Guys-
Thanks for your suggestions. I tried both. It is better, but I still can't
get through.
Oscar's suggestion substantially sped up the response from the client.
The clients still cannot get through. The clients are Win95/98 with my
FreeBSD box set as primary DNS.
Ray's suggestion to telnet to my ISP's POP3 server works from the FreeBSD
box, but does not work from internal clients.
My FreeBSD box can do a "ping netscape.com" OK. My clients cannot.
I double and triple-checked my DNS. I originally had the FreeBSD box set up
as a Secondary DNS server. I changed it to be a caching DNS server off of my
ISP. That still didn't work.
I will attach my configuration files. I would appreciate any help.
Thanks.
Dave Aas
dave@ciminot.com
From Ray --------
You could try and manually pop the account:
Start a telnet session from your workstation and telnet to your pop server on
port 110.
System response: +OK UCB Pop server (version 1.6) at myhost starting.
Type "user {your user name here} [Enter]".
System response: +OK Password required for {your user name}.
Type "pass {your password} [Enter]".
System response: +OK {your user name} has {number} message(s) (xxx octets).
This would at least let you know that you can manually do a pop. This works
with QPopper but I imagine it should be similar to other pop
implementations.
Ray
From Oscar--------
AFAICS you're not allowing your clients to do DNS queries... see below
(balance omitted for brevity)
[-- Attachment #2 --]
directory /etc/namedb
primary 0.0.127.in-addr.arpa localhost.rev
forwarders 206.30.26.10 206.30.27.130
#cache . named.root
secondary townandcountry.org 206.30.26.10 backup.townandcountry.org
#secondary 26.30.206.in-addr.arpa 206.30.26.10 backup.townandcountry-reverse
#secondary 0.0.127.in-addr.arpa 206.30.26.10 localhost.rev
[-- Attachment #3 --]
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
# Sourced by /bin/sh from the rc scripts (and by /etc/rc.firewall via
# ". /etc/rc.conf"), so it must stay plain VAR="value" assignments; the
# "-- sysinstall generated deltas --" marker is looked for by sysinstall.
# -- sysinstall generated deltas -- #
saver="daemon"
# Forward IP packets between the two interfaces: this host is the router
# between the LAN on xl0 and the ISP link on xl1.
gateway_enable="YES"
# xl1: outside/ISP side. A /30 -- the only usable hosts are .81 and .82.
ifconfig_xl1="inet 208.149.231.82 netmask 255.255.255.252"
# xl0: inside/LAN side.
ifconfig_xl0="inet 129.1.1.99 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
# The ISP end of the xl1 /30.
defaultrouter="208.149.231.81"
hostname="gateway.townandcountry.org"
# -- Firewall Options -- #
# Runs /etc/rc.firewall at boot. The o*/i*/maintip variables below are not
# standard rc.conf knobs; they exist only for that script.
firewall_enable="YES"
# Outside interface, network, mask and address.
oif="xl1"
# NOTE(review): 208.149.231.0 with mask 255.255.255.252 is the block
# .0-.3, but xl1 (.82/30) sits in .80-.83. rc.firewall's anti-spoof rule
# 500 uses ${onet}:${omask}, so as written it does not cover the real
# outside subnet; onet should be 208.149.231.80.
onet="208.149.231.0"
omask="255.255.255.252"
oip="208.149.231.82"
# Inside interface, network, mask and address.
iif="xl0"
# NOTE(review): 129.1.1.0/24 is not an RFC 1918 private block
# (10/8, 172.16/12, 192.168/16). See the natd_flags note below.
inet="129.1.1.0"
imask="255.255.255.0"
iip="129.1.1.99"
# Single address allowed to reach ftp/telnet on this box (rc.firewall
# rules 1200/1300).
maintip="208.149.231.26"
# Translate the LAN behind xl1.
natd_enable="YES"
natd_interface="xl1"
# NOTE(review): -unregistered_only makes natd translate only packets whose
# source is an RFC 1918 address. The LAN above is 129.1.1.0/24, which is
# not, so client packets would leave xl1 untranslated with a 129.1.1.x
# source and replies would never return -- consistent with "the FreeBSD
# box can reach the Internet but the clients cannot". Removing
# -unregistered_only (or renumbering the LAN into a private block) is the
# first thing to confirm.
natd_flags="-use_sockets -same_ports -unregistered_only -dynamic "
# -- Time Server Setup --#
xntpd_enable="YES"
xntpd_program="xntpd"
xntpd_flags="-c /etc/ntp.conf -p /var/run/xntpd.pid"
# -- DNS Setup --#
# BIND 4 style boot file (the named.boot attached above).
named_enable="YES"
named_flags="-b /etc/namedb/named.boot"
# -- Mail Setup --#
# Listen as a daemon, run the queue every 30 minutes.
sendmail_enable="YES"
sendmail_flags="-bd -q30m"
[-- Attachment #4 --]
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
# Customized by Dave Aas 1999/07/20
#
# Run at boot when firewall_enable="YES". Rules are evaluated in ascending
# number order and the first match wins; anything that falls through is
# denied by the default rule. Reads from /etc/rc.conf: natd_interface,
# oif/onet/omask/oip (outside), iif/inet/imask/iip (inside) and maintip.
# Suck in the configuration variables.
. /etc/rc.conf
# Flush out the list before we begin (-f: do not ask for confirmation).
ipfw -f flush
# Divert internal ip addresses
# Every packet crossing the NAT interface is handed to natd before any other
# rule, so the rules below see inbound replies already rewritten to their
# LAN addresses.
ipfw add 100 divert natd all from any to any via ${natd_interface}
# Allow all outbound traffic
# NOTE(review): this matches outbound packets on every interface, so the
# more specific outbound rules further down (1000, 1100, 1700, 2200) are
# never reached by outbound traffic, and any LAN host may open any outbound
# connection. Consider removing it once NAT works.
ipfw add 150 allow all from any to any out
# Only in rare cases do you want to change these rules
ipfw add 200 pass all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8
# Stop spoofing
# Inside addresses must not arrive on the outside interface and vice versa.
ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
# NOTE(review): with onet=208.149.231.0 and omask=255.255.255.252 this
# covers 208.149.231.0-3, not the /30 xl1 actually sits on (.80-.83);
# set onet to 208.149.231.80 in rc.conf for this rule to do its job.
ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}
# Allow TCP through if setup succeeded
# Any TCP segment that is not a bare SYN passes here; connection policy is
# therefore enforced entirely by the "setup" rules below.
ipfw add 600 pass tcp from any to any established
# Allow setup of incoming email
ipfw add 700 pass tcp from any to ${oip} 25 setup
# NOTE(review): unlike 700 this is not limited to ${oip} or to an
# interface: it accepts POP3 connection setups from any source on any
# interface, including from the Internet to this gateway's port 110.
# Outbound POP3 from the LAN is already allowed by rule 150, so this is
# not what the clients need.
ipfw add 710 allow tcp from any to any 110 setup
# Allow access to our DNS
ipfw add 800 pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
ipfw add 900 pass tcp from any to ${oip} 80 setup
# Other webserver traffic
ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
# Port 3128 (proxy) reachable from the outside interface.
ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}
# Allow setup of outgoing TCP connections only
# (shadowed by rule 150 for outbound packets; see the note there)
ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
ipfw add 1100 allow tcp from ${iip}:${imask} to any setup
# Allow maintenance from CI
ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup
# Allow DNS queries out in the world
# NOTE(review): 1400 matches on source port only, so any UDP datagram sent
# from port 53 to any port on any host is accepted; limiting it to
# "to ${oip}" would be tighter.
ipfw add 1400 pass udp from any 53 to any
ipfw add 1500 pass udp from any to any 53
# Allow NTP queries out in the world
ipfw add 1600 pass udp from any 123 to ${oip}
ipfw add 1700 pass udp from ${oip} to any 123
# Allow ping to or from the world
ipfw add 1800 allow icmp from any to any icmptypes 0,8
# Allow POP3 setup
# NOTE(review): 1850/1860 open POP3 in both directions on every interface;
# 1880/1890 accept any TCP (setup included) and any UDP between
# unprivileged ports on every interface, which exposes every service
# listening above 1023 on the gateway to the outside and leaves the deny
# at 2000 protecting only ports below 1024. These look like attempts to
# work around the client problem; if the cause is natd's
# -unregistered_only flag (see rc.conf), all four can be dropped.
ipfw add 1850 allow tcp from any 1024-65535 to any 110
ipfw add 1860 allow tcp from ${inet}:${imask} to any 110
ipfw add 1880 allow tcp from any 1024-65535 to any 1024-65535
ipfw add 1890 allow udp from any 1024-65535 to any 1024-65535
# Disallow setup of all other TCP connections
ipfw add 2000 deny tcp from any to any setup
# Allow ident in
ipfw add 2100 allow tcp from any to any 113 in via ${oif}
ipfw add 2200 allow tcp from any to any 113 out via ${oif}
# Everything else is denied as default.
