Date: Mon, 19 Jan 2004 12:58:00 -0800 From: Rishi Chopra <rchopra@cal.berkeley.edu> To: questions@freebsd.org Subject: Port Forwarding Message-ID: <400C44D8.6010408@cal.berkeley.edu>
next in thread | raw e-mail | index | archive | help
What I want to do: (1) Change firewall type from 'OPEN' to 'SIMPLE' and (2) Forward ports 412 and 5800 to my Win2k box. What I have: The setup is pictured below. IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in my kernel config file, are also enabled. Rule-of-thumb advice about "how best to secure a network" is not necessary in this case (the Win2k box has its own firewall installed (ZoneAlarm) and I already know too much about security). ISP FreeBSD Gateway Win2k Box >----------rl0--------------rl1-------------------< ALL DHCP 192.168.0.1 192.168.0.2 The problem: When I chenge the firewall type to SIMPLE from OPEN, the Win2k box can no longer query DNS and pings to the 192.168.0.1 address do not work. With the firewall type set to OPEN, there are no problems whatsoever. I am also new to the IPFW syntax. What I would like to know is: (1) the syntax for forwarding incomming connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) whether the syntax for allowing connections to the outside network (such as DNS) is correct and if some other problem is preventing the win2k box from querying DNS when SIMPLE is enabled. Here's the rc.conf file: gateway_enable="YES" hostname="usha.dyndns.org" ifconfig_rl0="DHCP" ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0" kern_securelevel_enable="NO" firewall_enable="YES" firewall_type="OPEN" # firewall_type="SIMPLE" firewall_quiet="NO" natd_enable="YES" natd_interface="rl0" natd_flags="-f /etc/natd.conf" linux_enable="YES" sendmail_enable="NO" sshd_enable="YES" Here's the rc.firewall file, with comments trimmed for formatting: [Ss][Ii][Mm][Pp][Ll][Ee]) ############ # set these to your outside interface network and netmask and ip oif="rl0" omask="255.255.255.0" oip="me" # set these to your inside interface network and netmask and ip iif="rl1" inet="192.168.0.1" imask="255.255.255.0" iip="192.168.0.1" setup_loopback # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} # Network Address Translation. # match the `deny' rule below. case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then ${fwcmd} add divert natd all from any to any via ${natd_interface} fi ;; esac # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag # Allow setup of incoming email ${fwcmd} add pass tcp from any to ${oip} 25 setup # Allow access to our DNS ${fwcmd} add pass tcp from any to ${oip} 53 setup ${fwcmd} add pass udp from any to ${oip} 53 ${fwcmd} add pass udp from ${oip} 53 to any # Allow access to our WWW ${fwcmd} add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection ${fwcmd} add pass tcp from any to any setup # Allow DNS queries out in the world ${fwcmd} add pass udp from ${oip} to any 53 keep-state # Allow NTP queries out in the world ${fwcmd} add pass udp from ${oip} to any 123 keep-state # Pass VNC and DC++ connections to 192.168.0.2 # ${fwcmd} add pass tcp from $oip to 192.168.0.2 412 setup # ${fwcmd} add pass tcp from $oip to 192.168.0.2 1412 setup # ${fwcmd} add pass tcp from $oip to 192.168.0.2 5800 setup # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. ;; -- Rishi Chopra http://www.ocf.berkeley.edu/~rchopra
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?400C44D8.6010408>