Date:      Sat, 26 Jun 1999 21:04:02 -0500
From:      Michael Maxwell <drwho@xnet.com>
To:        freebsd-security@freebsd.org
Subject:   firewalling problem.
Message-ID:  <19990626210402.B1580@atlas.topquark.org>


I have attached my /etc/rc.firewall as it currently is... please have a look
for more info:

Problem:
 I cannot allow my local net machines to talk outside to the net and still
have a useful firewall at the same time.  The rule that allows the local
hosts to talk outside completely defeats the purpose of having any OTHER
rules in the first place (ipfw allow ip from any to any).  I have tried
restricting the first "any" to <mynet>:<mymask>, but this also does not
work.

Any help I can get on this would be VERY much appreciated.  Reading the 
docs doesn't help much at all, and all the examples I've looked at on the
net are of little help on this one, too...  It took me two weeks just to
get this far...

Thanks again...


-- 
    Michael Maxwell <drwho @ xnet.com>  |  http://www.xnet.com/~drwho/
  -- NATO: Now that you've destroyed Serbia, who you gonna kill next? --

[Attachment: rc.firewall]

############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $

# Suck in the configuration variables.
if [ -f /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ "x$1" != "x" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
$fwcmd add divert natd all from any to any via ppp0

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8

if [ "${firewall_type}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine 
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ppp0"
    onet="205.243.140.0"
    omask="255.255.255.0"
    oip="205.243.140.183"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.16.0"
    imask="255.255.255.0"
    iip="192.168.16.1"

    # Some of our local hosts (used for redirects, etc)
    zeus="192.168.16.3"

    xnetdnsa="198.147.221.34"
    xnetdnsb="198.147.221.35"

### This is the problem.  Without this, nothing can talk out from the inside
### network.  But this defeats the purpose of everything else in this file.
### The "add allow ip from <mynet>:<mymask> to any" (etc...) does NOT work.
    # Allow inside hosts to talk out
    $fwcmd add 110 allow ip from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add allow tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from ${xnetdnsa} to ${oip} 53 setup
    $fwcmd add pass tcp from ${xnetdnsb} to ${oip} 53 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

#    # Deny any connections to port 53 (DNS) *except* our secondary DNS
#    $fwcmd add deny tcp from any to any 53 setup
#    $fwcmd add allow tcp from ${xnetdnsa} to ${oip} 53 setup
#    $fwcmd add allow tcp from ${xnetdnsb} to ${oip} 53 setup
#
#    # Block misc security holes
#    $fwcmd add deny log tcp from any to any 69 setup
#    $fwcmd add deny log tcp from any to any 87 setup
#    $fwcmd add deny log tcp from any to any 111 via ${oif}
#    $fwcmd add deny log tcp from any to any 2049 via ${oif}
#    $fwcmd add deny log tcp from any to any 512-514 via ${oif}
#    $fwcmd add deny log tcp from any to any 515 via ${oif}
#    $fwcmd add deny log tcp from any to any 540 via ${oif}
#    $fwcmd add deny log tcp from any to any 2000 via ${oif}
#    $fwcmd add deny log tcp from any to any 6000-6063 via ${oif}
# 
    # Use this for our inbound telnet redirect to zeus
    $fwcmd add 155 allow tcp from any to ${zeus} 23 via ${oif} 

#####################################################################
### UDP SPECIFIC
### We don't want to allow any UDP traffic from outside
### except for on port 123 (ntp)
#####################################################################
    $fwcmd add deny log udp from any to any via ${oif}
    $fwcmd add allow udp from any to any 123
fi

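As an added example (not from the poster or from FreeBSD), a small first-match evaluator for the subset of ipfw syntax used in the attached script. It shows that rule 110 answers every packet before the inbound-setup deny is ever reached, and that without rule 110 an inside host's outbound TCP setup still passes via the generic setup rule while its UDP DNS query entering xl0 matches nothing and falls through to the default deny. The rule numbers for the script's unnumbered `add` lines, the sample addresses and the packets are constructed, and natd translation is not modelled.

```python
import ipaddress

def net(spec):
    """ipfw address spec, 'any' or 'addr[:mask]', as an ip_network (None means any)."""
    return None if spec == "any" else ipaddress.ip_network(spec.replace(":", "/"), strict=False)

def parse_rule(line):
    """NUM ACTION [log] PROTO from SRC to DST [DPORT] [in|out] [via IF] [setup|established]"""
    t = line.replace(" log ", " ").split()
    r = {"num": int(t[0]), "action": t[1], "proto": t[2], "src": net(t[4]),
         "dst": net(t[6]), "dport": None, "dir": None, "via": None, "flag": None}
    for w in t[7:]:  # the remaining words are optional qualifiers
        if w.isdigit():
            r["dport"] = int(w)
        elif w in ("in", "out"):
            r["dir"] = w
        elif w in ("setup", "established"):
            r["flag"] = w
        elif w != "via":  # the word after 'via' is the interface name
            r["via"] = w
    return r

def matches(r, p):
    """p is a packet dict with keys proto, src, dst, dport, dir, iface, flag."""
    return (r["proto"] in ("all", "ip", p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and r["dport"] in (None, p["dport"]) and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["iface"]) and r["flag"] in (None, p["flag"]))

def evaluate(rules, p):
    """First match wins, as in ipfw(8); unmatched traffic hits the default deny rule 65535."""
    for r in sorted(rules, key=lambda x: x["num"]):
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

# Constructed subset of the attached script; numbers for its unnumbered 'add'
# lines are assumed and natd translation is not modelled.
RULES = [parse_rule(s) for s in [
    "110 allow ip from any to any",
    "300 deny log tcp from any to any in via ppp0 setup",
    "400 allow tcp from any to any setup",
    "500 allow udp from 205.243.140.183 to any 53",
    "600 deny log udp from any to any via ppp0",
    "700 allow udp from any to any 123"]]
WITHOUT_110 = [r for r in RULES if r["num"] != 110]
# Constructed packets: inbound telnet SYN, an inside host's web SYN, and its DNS query entering xl0.
INBOUND_TELNET = dict(proto="tcp", src="203.0.113.9", dst="205.243.140.183", dport=23, dir="in", iface="ppp0", flag="setup")
OUTBOUND_WEB = dict(proto="tcp", src="192.168.16.3", dst="203.0.113.9", dport=80, dir="out", iface="ppp0", flag="setup")
INSIDE_DNS = dict(proto="udp", src="192.168.16.3", dst="198.147.221.34", dport=53, dir="in", iface="xl0", flag=None)
```

Running `evaluate(RULES, INBOUND_TELNET)` returns rule 110 (allow) for the inbound telnet SYN that rule 300 was meant to deny; with `WITHOUT_110` the same packet is denied by 300, the outbound web SYN is allowed by 400, and the inside DNS query reaches the default deny.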