Date: Mon, 8 Apr 1996 17:55:24 +0200 (MET DST)
From: Andreas Klemm <andreas@knobel.gun.de>
To: current@freebsd.org
Subject: rc.firewall has some syntax errors and sample config hangs machine
Message-ID: <Pine.BSF.3.92.960408170210.210A-100000@knobel.gun.de>
-----BEGIN PGP SIGNED MESSAGE-----

Hi !

I tried to use the example firewall configuration from /etc/rc.firewall
and had some serious problems.

- - syntax errors in /etc/rc.firewall
- - machine hangs during access to internet and simply reboots

I compiled my kernel with both options:

	option IPFIREWALL
	option IPFIREWALL_VERBOSE

My Ethernet / PPP configuration (on demand dialup ppp):

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 149.237.250.1 netmask 0xffffff00 broadcast 149.237.250.255
        ether 00:00:c0:25:fd:2d
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.109.159.141 --> 192.109.159.13 netmask 0xffffff00
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

At the very beginning of my experiments I used the 1st example from
/etc/rc.firewall :

%-------------------------------------------------------------------------
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open.
# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters
if false ; then
	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

[...and so on....]
%-------------------------------------------------------------------------

When I rebooted my machine and activated PPP over modem with the command
"ppp -auto ondemand" I was completely unable to dial out to internet.
When I tried to do a 'ping a@b.com' I only got 'unknown host' as message.
Without the firewall configuration my machine should have dialed up to my
ISP and asked its nameserver, because I use resolver services...

resolv.conf:
domain gun.de
nameserver 192.109.159.1

After that I changed the configuration to allow everything, to see if the
ipfw and kernel stuff runs at all. I used only those two lines in
/etc/rc.firewall:

/sbin/ipfw add 65000 pass all from any to any
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

With that configuration turned on, everything works fine again. Ok, so I
know that I have only a firewall configuration problem. With that
configuration I had no trouble so far...

When trying out the 2nd example firewall configuration from
/etc/rc.firewall I first noticed some syntax errors reported by ipfw...

Here is the complete log from sh -x rc.firewall:

+ /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
01000 allow all from 127.0.0.1 to 127.0.0.1
+ false
+ true
+ oif=tun0
+ onet=192.109.159.0
+ omask=255.255.255.0
+ oip=192.109.159.141
+ iif=ed0
+ inet=149.237.250.0
+ imask=255.255.255.0
+ iip=149.237.250.1
+ /sbin/ipfw add deny all from 149.237.250.0:255.255.255.0 to any in via tun0
2 via
/sbin/ipfw: ERROR - Unknown argument
Usage:
[... lots of usage messages deleted ...]
+ /sbin/ipfw add deny all from 192.109.159.0:255.255.255.0 to any in via ed0
2 via
/sbin/ipfw: ERROR - Unknown argument
Usage:
[... lots of usage messages deleted ...]
+ /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via tun0
00000 deny all from 192.168.0.0 to any via tun0
+ /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via tun0
00000 deny all from 172.16.0.0 to any via tun0
+ /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via tun0
00000 deny all from 10.0.0.0 to any via tun0
+ /sbin/ipfw add deny tcp from any to any established
00000 deny tcp from any to any established
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 25 setup
00000 allow tcp from any to 192.109.159.141 25 setup
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 53 setup
00000 allow tcp from any to 192.109.159.141 53 setup
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 80 setup
00000 allow tcp from any to 192.109.159.141 80 setup
+ /sbin/ipfw add deny log tcp from any to any in via tun0 setup
3 via
/sbin/ipfw: ERROR - Unknown argument
[... lots of usage messages deleted ...]
+ /sbin/ipfw add pass tcp from any to any setup
00000 allow tcp from any to any setup
+ /sbin/ipfw add pass udp from any 53 to 192.109.159.141
00000 allow udp from any 53 to 192.109.159.141
+ /sbin/ipfw add pass udp from 192.109.159.141 to any 53
00000 allow udp from 192.109.159.141 to any 53
+ /sbin/ipfw add pass udp from any 123 to 192.109.159.141
00000 allow udp from any 123 to 192.109.159.141
+ /sbin/ipfw add pass udp from 192.109.159.141 to any 123
00000 allow udp from 192.109.159.141 to any 123

I could fix the error messages by simply removing the token "in" from the
bogus command line. For example:

Changed this:
	/sbin/ipfw add deny log tcp from any to any in via tun0 setup
to that :
	/sbin/ipfw add deny log tcp from any to any via tun0 setup

The above trace shows you that I changed the IP Addresses (I hope)
properly for the firewall configuration. I simply treat my dialup
interface like an ethernet interface to the outside world.

+ oif=tun0
+ onet=192.109.159.0
+ omask=255.255.255.0
+ oip=192.109.159.141
+ iif=ed0
+ inet=149.237.250.0
+ imask=255.255.255.0
+ iip=149.237.250.1

After making the 2nd example run, I tried to ping outside. My machine
dialed up to my ISP's machine. So far so good. But I was unable to ping
a host outside, because permission for that was denied (the firewall
config).

After starting cached and trying to browse the WWW the machine simply
hangs ... Not immediately ... about 1-2 minutes. This happened 2 times...

And here is what the messages file says to me :

Apr  8 16:53:14 knobel /kernel: IP firewall initialized
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1024 from 192.109.159.141:53
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1025 from 192.109.159.141:53
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1026 from 192.109.159.141:53
Apr  8 16:55:59 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1025 192.109.159.3:23
Apr  8 16:56:37 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1029 198.95.249.78:80
Apr  8 16:57:01 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1050 194.77.8.1:80
Apr  8 17:01:36 knobel /kernel: panic: free: multiple frees
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Apr  8 17:01:36 knobel /kernel:
Apr  8 17:01:36 knobel /kernel: syncing disks...
FreeBSD 2.2-CURRENT #0: Mon Apr  8 15:38:06 MET DST 1996
[........ reboot ...........]

One final wish ... Could someone please check the rc.firewall script,
correct the errors and perhaps provide a better working example for a
machine connected via Modem to an ISP ?!

Things that should be possible (please correct me if I'm wrong)

	outgoing icmp (ping)
	outgoing telnet
	outgoing rlogin
	outgoing smtp messages (optional)
	outgoing uucp via tcp/ip
	outgoing www requests to www and proxy servers
	outgoing DNS queries

	incoming icmp (ping)
	incoming smtp messages (optional)
	incoming www queries to own WWW server
	incoming DNS queries

Thanks !!!

BTW: the firewall stuff is really cool, ... but it's horrible to
understand each bit and byte ... One really fine working firewall example
in rc.firewall would be fine... If you need someone to test a
configuration ... here I am ... In the meantime I'll try to roll a
working one myself ...

	Andreas ///

- -- 
andreas@knobel.gun.de       /\/\___ Wiechers & Partner Datentechnik GmbH
Andreas Klemm             ___/\/\/  $$ Support Unix - aklemm@wup.de $$
pgp p-key http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
 >>> powered by <<< ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz
 >>>   FreeBSD  <<<

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMWk27fMLpmkD/U+FAQG7twP9FYd3b9kwooo90E3A/oANTfJSmpkr6etO
XDyC44E8NOEgN+eS0THoHfiBdXETTHehW1mxiOEoFlA5x4ZnKZJuKsJ2peaCT1Np
RLLGZlGq2+pGKjQp0A710AcWN8qaMnh+U7qcigSko6S9ccB2X3hiBcxj+cME8jI0
pCU6Di6+Cr4=
=hveo
-----END PGP SIGNATURE-----
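A first-match simulation of the rule set in the mail above, added here as an example (it is not code from the mail, from rc.firewall or from FreeBSD). It reproduces the rules the sh -x trace shows loading, with the one rule the mail says was repaired by dropping the `in` token, and evaluates packets modelled on the denied connections in the quoted messages log. The rule numbers assume ipfw's default auto-numbering step of 100 (which is how the log's `ipfw: 1800 Deny` lines fall on the deny-setup rule) and the implicit deny at rule 65535 when the `65000 pass all` line stays commented out. The point it makes: a rule with `via tun0` but no direction qualifier matches traffic in both directions, so rule 1800 catches the host's own outgoing telnet and WWW connection attempts before rule 1900 can pass them, whereas the intended `in via tun0` form (which this ipfw version rejected) restricts the deny to inbound setups. ICMP matches no rule at all and falls to the default deny, which is why the outgoing ping was refused.

```python
"""First-match evaluation of the ipfw rules from the sh -x trace.

Constructed example for this page. Rule text and addresses come from the
trace; rule numbers assume ipfw's default step of 100 between unnumbered rules.
"""
from dataclasses import dataclass, replace
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                  # interface the packet crosses (ipfw "via")
    direction: str              # "in" or "out", relative to the host
    sport: Optional[int] = None
    dport: Optional[int] = None
    setup: bool = False         # TCP SYN without ACK (ipfw "setup")
    established: bool = False   # TCP with ACK or RST set (ipfw "established")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "all", "tcp", "udp" or "icmp"
    src: str                    # CIDR / address, or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    via: Optional[str] = None
    direction: Optional[str] = None   # None matches both directions
    setup: bool = False
    established: bool = False
    log: bool = False


def addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every qualifier present on the rule must hold; absent qualifiers match anything."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    if rule.setup and not pkt.setup:
        return False
    if rule.established and not pkt.established:
        return False
    return True


# Rule 65535 is ipfw's fixed last rule. With the "65000 pass all" line left
# commented out, as in the trace, anything unmatched is denied.
DEFAULT_RULE = Rule(65535, "deny", "all", "any", "any")


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """ipfw semantics: the lowest-numbered matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return DEFAULT_RULE


OIP = "192.109.159.141"   # oip from the trace: the PPP (tun0) address

# Rules in trace order. The two anti-spoofing "in via" rules never loaded and are
# omitted; rule 1800 is the one fixed by removing "in", so it has no direction.
RULES_AS_LOADED = [
    Rule(1000, "allow", "all", "127.0.0.1", "127.0.0.1"),
    Rule(1100, "deny", "all", "192.168.0.0/16", "any", via="tun0"),
    Rule(1200, "deny", "all", "172.16.0.0/12", "any", via="tun0"),
    Rule(1300, "deny", "all", "10.0.0.0/8", "any", via="tun0"),
    Rule(1400, "deny", "tcp", "any", "any", established=True),
    Rule(1500, "allow", "tcp", "any", OIP, dport=25, setup=True),
    Rule(1600, "allow", "tcp", "any", OIP, dport=53, setup=True),
    Rule(1700, "allow", "tcp", "any", OIP, dport=80, setup=True),
    Rule(1800, "deny", "tcp", "any", "any", via="tun0", setup=True, log=True),
    Rule(1900, "allow", "tcp", "any", "any", setup=True),
    Rule(2000, "allow", "udp", "any", OIP, sport=53),
    Rule(2100, "allow", "udp", OIP, "any", dport=53),
    Rule(2200, "allow", "udp", "any", OIP, sport=123),
    Rule(2300, "allow", "udp", OIP, "any", dport=123),
]

# What "deny log tcp from any to any in via tun0 setup" was meant to express.
RULES_INTENDED = [replace(r, direction="in") if r.number == 1800 else r for r in RULES_AS_LOADED]

# Constructed packets modelled on the /var/log/messages lines quoted in the mail.
OUTGOING_TELNET = Packet("tcp", OIP, "192.109.159.3", "tun0", "out", 1025, 23, setup=True)
OUTGOING_WWW = Packet("tcp", OIP, "198.95.249.78", "tun0", "out", 1029, 80, setup=True)
OUTGOING_PING = Packet("icmp", OIP, "192.109.159.3", "tun0", "out")
DNS_QUERY = Packet("udp", OIP, "192.109.159.1", "tun0", "out", 1024, 53)
INBOUND_SMTP = Packet("tcp", "192.109.159.3", OIP, "tun0", "in", 4000, 25, setup=True)
INBOUND_TELNET = Packet("tcp", "192.109.159.3", OIP, "tun0", "in", 4001, 23, setup=True)
WWW_REPLY = Packet("tcp", "198.95.249.78", OIP, "tun0", "in", 80, 1029, established=True)

if __name__ == "__main__":
    cases = [("outgoing telnet", OUTGOING_TELNET), ("outgoing www", OUTGOING_WWW),
             ("outgoing ping", OUTGOING_PING), ("dns query", DNS_QUERY),
             ("inbound smtp", INBOUND_SMTP), ("www reply", WWW_REPLY)]
    for label, rules in (("as loaded", RULES_AS_LOADED), ("intended", RULES_INTENDED)):
        print(f"--- {label} ---")
        for name, pkt in cases:
            hit = first_match(rules, pkt)
            print(f"{name:16s} -> rule {hit.number:5d} {hit.action}")
```

Two things the run makes visible beyond the direction problem: the UDP rules at 2000 and 2100 are why name resolution worked and the dial-out was triggered, and rule 1400 as entered in the trace (`deny tcp from any to any established`) would drop the reply segments of any TCP connection whose setup the later rules pass, so even with the direction fixed this particular rule set still cannot complete a TCP session.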