From owner-freebsd-ipfw Tue Aug 8 12:18:18 2000
From: "Daryl Chance"
To: "FreeBSD IPFW"
Date: Tue, 8 Aug 2000 14:15:30 -0500
Subject: Fw: IPFW rule rewrite to be more "flexible" and "readable"

I typed the email address for this list wrongly, so I'm forwarding it on :)

Thanks,
Daryl Chance

----- Original Message -----
From: "Daryl Chance"
To: "FreeBSD Questions"; "FreeBSD IPFW"
Sent: Tuesday, August 08, 2000 2:12 PM
Subject: IPFW rule rewrite to be more "flexible" and "readable"

> Hi,
>
> I'm in the process of changing my ipfw rules to be a little more flexible
> and readable. Basically I'm changing the rules from:
>
>     ipfw add allow tcp from any to any 21
>
> to:
>
>     ipfw add allow tcp from any to any ftp
>
> I'm having a problem with ftp-data (port 20) though. ipfw won't accept it in
> "" or ''. It keeps thinking I'm trying to pass it a port range. Here's the
> actual message:
>
>     $ ipfw add allow tcp from any "ftp-data" to any setup
>     ipfw: unknown port ``data''
>
> Is there ANY way to get this to work, or is this a known issue that needs to
> be fixed.
>
> Thanks,
> Daryl Chance

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Aug 8 12:28:16 2000
From: Neil Blakey-Milner
To: Daryl Chance
Cc: FreeBSD IPFW
Date: Tue, 8 Aug 2000 21:27:54 +0200
Subject: Re: Fw: IPFW rule rewrite to be more "flexible" and "readable"

On Tue 2000-08-08 (14:15), Daryl Chance wrote:
> >     ipfw add allow tcp from any to any 21
> > to:
> >     ipfw add allow tcp from any to any ftp
> >
> > I'm having a problem with ftp-data (port 20) though. ipfw won't accept it in
> > "" or ''. It keeps thinking I'm trying to pass it a port range. Here's the
> > actual message:
> >
> >     $ ipfw add allow tcp from any "ftp-data" to any setup
> >     ipfw: unknown port ``data''

    ipfw add allow tcp from any ftp\\-data to any setup

or:

    ipfw add allow tcp from any "ftp\-data" to any setup

It's mentioned in the man page.
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-ipfw Tue Aug 8 12:30:19 2000
From: "Daryl Chance"
To: "Neil Blakey-Milner"
Cc: "FreeBSD Questions", "FreeBSD IPFW"
Date: Tue, 8 Aug 2000 14:28:55 -0500
Subject: Re: Fw: IPFW rule rewrite to be more "flexible" and "readable"

I just noticed it... must have missed it :)

Thanks for the help though.

Daryl Chance

----- Original Message -----
From: "Neil Blakey-Milner"
Sent: Tuesday, August 08, 2000 2:27 PM

> ipfw add allow tcp from any ftp\\-data to any setup
> or:
> ipfw add allow tcp from any "ftp\-data" to any setup
>
> It's mentioned in the man page.

From owner-freebsd-ipfw Wed Aug 9 10:45:03 2000
From: "ym g"
To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Aug 2000 01:43:35 +0800
Subject: Bridging firewall

Hi, I am trying to set up a bridging firewall and have some questions.

In a bridge, it doesn't seem necessary to configure any IPs for the 2
interfaces. However, I would like to remotely manage my bridging firewall.
If so, does the interface attached to the Internet [router] need the same
address as the router or just another address from my segment?
I think it's the latter, but my bridging fundamentals are hazy :-(

Would doing so allow me to telnet/ssh into the bridging firewall box, or do
I need another interface to get in and leave the original 2 interfaces
unconfigured?

Also, if I have two different leased lines [different blocks], can I use a
4-port NIC like a D-LINK DFE 570 to set up a single machine as a bridging
firewall for both networks [using different rulesets]?

Thanks,
ymg

From owner-freebsd-ipfw Wed Aug 9 12:58:07 2000
From: TeRrAc
To: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 13:00:35 -0700 (PDT)
Subject: natd + IPFW

Hello,

I am sure this question may have been raised before, but I am new to this
list and this is a concern of mine now, so I will ask it anyway.

I am setting up a FreeBSD machine to act as a gateway between an RFC 1918
network and the public Internet. There are two interfaces on this machine
and I believe I have set up natd correctly. In my tests to see if everything
is running well I ping from a machine internally to a machine externally.
The packets seem to get out but they do not return.

The external interface is fxp0 and the internal fxp1. The internal interface
is numbered 10.0.0.1 and has one machine sitting at 10.0.0.2.
I am pretty sure, but not positive, that this is because of the IPFW rules.
Below are the relevant configurations that I have made.

----
Changes to /etc/rc.conf:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="fxp1"
    natd_flags="-l -u -m "

Changes to /etc/services:

    natd    8668/divert    # Network Address Translation socket

Changes to the kernel:

    options         IPFIREWALL
    options         IPDIVERT
    options         IPFIREWALL_FORWARD
    options         IPFIREWALL_VERBOSE
    pseudo-device   bpf

I have also tried using the IPFW commands:

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via ed0
    /sbin/ipfw add pass all from any to any
----

If there is something glaringly obvious that I have overlooked, or to the
contrary if I have options that I do need for this case (possibly
IPFIREWALL_FORWARD), then please point them out.

As I am simply attempting to get NAT working correctly right now, I have set
firewall_type="OPEN". Using the IPFW commands as well should effectively
disable all this and divert the packets sent from one interface to the NAT
daemon and pass them all.

So my question: what's going wrong here?

Thank you, and all support is appreciated.
Terrac Skiens

From owner-freebsd-ipfw Wed Aug 9 13:16:34 2000
From: Nick Rogness
To: TeRrAc
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 14:14:57 -0600 (MDT)
Subject: Re: natd + IPFW

On Wed, 9 Aug 2000, TeRrAc wrote:

> I have also tried using the IPFW commands;
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via ed0
                                                     ^^^^^
Should be outside interface

    /sbin/ipfw add divert natd all from any to any via fxp1

> ----
> If there is something glaringly obvious that I have overlooked, or to
> the contrary if I have options that I do need for this case (possibly
> IPFIREWALL_FORWARD) then please point them out.

Don't need FORWARDING in this case.

Nick Rogness
- Drive defensively. Buy a tank.
From owner-freebsd-ipfw Wed Aug 9 14:12:29 2000
From: TeRrAc
To: Nick Rogness
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 14:14:29 -0700 (PDT)
Subject: Re: natd + IPFW

I am sorry. Yes, I had done this; however, in composing the mail I copied
straight from the natd man page.

If I were to build a custom rc.firewall script to do this job, would it need
more than:

---
    flush
    divert natd all from any to any via fxp1
    allow ip from any to any
    allow icmp from any to any
---

?

Also, would forwarding keep packets from getting routed back to the source?
Or are they possibly getting stopped before they reach their destination?
Terrac Skiens

From owner-freebsd-ipfw Wed Aug 9 14:34:54 2000
From: Nick Rogness
To: TeRrAc
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 15:34:02 -0600 (MDT)
Subject: Re: natd + IPFW

On Wed, 9 Aug 2000, TeRrAc wrote:

> I am sorry. Yes, I had done this; however, in composing the mail I copied
> straight from the natd man page.
>
> If I were to build a custom rc.firewall script to do this job, would it
> need more than:
> ---
> flush
> divert natd all from any to any via fxp1
> allow ip from any to any
> allow icmp from any to any
> ---

Is natd running?

    # ps -auxww | grep natd | grep -v grep

What do your firewall rules look like?

    # ipfw -a l

> ?
> Also, would forwarding keep packets from getting routed back to the
> source? Or are they possibly getting stopped before they reach their
> destination?

No, unless you are using forwarding within the firewall.
Nick Rogness
- Drive defensively. Buy a tank.

From owner-freebsd-ipfw Wed Aug 9 14:45:44 2000
From: TeRrAc
To: Nick Rogness
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 14:47:39 -0700 (PDT)
Subject: Re: natd + IPFW

natd is in fact running. My current ruleset looks like this (kinda funky
right now):

    00100  1848  185208 divert 8668 ip from any to any via fxp1
    00300  1760  179928 allow ip from any to any via fxp1
    00400 19076 1547736 allow ip from any to any via fxp0
    00500     0       0 allow icmp from any to any via fxp0
    00600     0       0 allow icmp from any to any via fxp1
    65535    83    5902 deny ip from any to any

I know that is a bass-ackwards ruleset; usually I have been testing it like:

    00100  1849  185456 divert 8668 ip from any to any via fxp1
    00500    32    2404 allow ip from any to any
    00600     0       0 allow ip from any to any
    65535    83    5902 deny ip from any to any

It seems logical enough that all packets should first be diverted through
natd (the 8668) through the interface, then passed without regard through the
rest of the system. Do I need another divert statement on fxp0 to bring them
back?

Thanks,
Terrac Skiens

From owner-freebsd-ipfw Wed Aug 9 15:06:38 2000
From: Nick Rogness
To: TeRrAc
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 16:05:14 -0600 (MDT)
Subject: Re: natd + IPFW

On Wed, 9 Aug 2000, TeRrAc wrote:

> natd is in fact running,

With what options? It should be:

    /sbin/natd -n fxp1

> I know that is a bass-ackwards ruleset; usually I have been testing it
> like:
> 00100  1849  185456 divert 8668 ip from any to any via fxp1
> 00500    32    2404 allow ip from any to any
> 00600     0       0 allow ip from any to any
> 65535    83    5902 deny ip from any to any

This looks OK... if fxp1 is indeed your outside interface.

> It seems logical enough that all packets should first be diverted
> through natd (the 8668) through the interface, then passed without regard
> through the rest of the system.

They are sent through natd, then re-injected back into the firewall at the
next rule number.

> Do I need another divert statement on fxp0 to bring them back?

No. The above ruleset should work. How are you testing to see if it works?
Can you get out from your BSD machine without using NAT?

Nick Rogness
- Drive defensively. Buy a tank.
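Nick's point that a diverted packet comes back from natd and re-enters the ruleset at the next rule number is the key to reading the rulesets in this thread. The Python model below is an added example, not code from the thread or from FreeBSD: it walks a toy ruleset the way ipfw(8) does, with a small stand-in for natd(8), and follows an outbound ping and its reply first with the divert rule on the outside interface and then with it on the inside interface. It assumes the layout given in the first natd message of this thread (fxp0 outside, fxp1 inside, client 10.0.0.2) and constructs the addresses 203.0.113.5 for fxp0 and 198.51.100.9 for the remote host. The last scenario, a rule after the divert denying the rewritten packet, is the case in which natd's write back to the divert socket is refused and it logs that it failed to write the packet back.

```python
# Added example (not from the thread or from FreeBSD): a toy model of the
# ipfw(8) rule walk around a "divert natd" rule, with a stand-in for natd(8).
# Interface layout follows the thread; 203.0.113.5 (address of fxp0) and
# 198.51.100.9 (a remote host) are constructed for the example.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OUTSIDE, INSIDE = "fxp0", "fxp1"
PUBLIC_IP = "203.0.113.5"        # constructed address of fxp0
CLIENT, REMOTE = "10.0.0.2", "198.51.100.9"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is crossing
    direction: str   # "in" = arriving on iface, "out" = leaving via iface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "divert", "allow" or "deny"
    via: Optional[str] = None   # "via X" matches both directions on X

    def matches(self, pkt: Packet) -> bool:
        return self.via is None or self.via == pkt.iface


class Natd:
    """Stand-in for natd(8): aliases the source of outgoing packets to the
    public address and de-aliases the destination of matching replies."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.sessions: Dict[str, str] = {}   # remote host -> inside host

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            self.sessions[pkt.dst] = pkt.src
            return replace(pkt, src=self.public_ip)
        if pkt.dst == self.public_ip and pkt.src in self.sessions:
            return replace(pkt, dst=self.sessions[pkt.src])
        return pkt


DEFAULT_RULE = Rule(65535, "deny")


def ipfw_walk(rules: List[Rule], pkt: Packet, natd: Natd) -> Tuple[str, Packet]:
    """Walk the ruleset in number order. A divert hands the packet to natd and
    the rewritten packet re-enters at the next rule number. If that packet is
    then denied, natd's write back to the divert socket is refused, which is
    what its "failed to write packet back" message reports."""
    diverted = False
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_RULE]:
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd.translate(pkt)
            diverted = True
            continue
        if rule.action == "deny" and diverted:
            return "deny (natd: failed to write packet back)", pkt
        return rule.action, pkt
    return "deny", pkt   # not reached: the default rule matches everything


def forward(rules: List[Rule], natd: Natd, pkt: Packet,
            out_iface: str) -> Tuple[str, Packet]:
    """A forwarded packet passes the ruleset twice: arriving and leaving."""
    verdict, pkt = ipfw_walk(rules, pkt, natd)
    if verdict != "allow":
        return verdict, pkt
    return ipfw_walk(rules, replace(pkt, iface=out_iface, direction="out"), natd)


def ping_round_trip(divert_iface: str, after_divert: str = "allow"):
    """CLIENT pings REMOTE through the gateway. Returns (verdict, packet) for
    the request as it leaves fxp0, and (verdict, packet) for the reply as it
    reaches the client, or None if the request never left."""
    rules = [Rule(100, "divert", via=divert_iface),
             Rule(200, "allow", via=INSIDE),
             Rule(500, after_divert)]
    natd = Natd(PUBLIC_IP)
    request = Packet(CLIENT, REMOTE, iface=INSIDE, direction="in")
    v_out, outbound = forward(rules, natd, request, out_iface=OUTSIDE)
    if v_out != "allow":
        return (v_out, outbound), None
    if is_rfc1918(outbound.src):
        # Private source leaked onto the Internet: nothing can answer it.
        return (v_out, outbound), ("no reply: private source address", None)
    reply = Packet(outbound.dst, outbound.src, iface=OUTSIDE, direction="in")
    return (v_out, outbound), forward(rules, natd, reply, out_iface=INSIDE)


if __name__ == "__main__":
    print("divert via fxp0:", ping_round_trip(OUTSIDE))
    print("divert via fxp1:", ping_round_trip(INSIDE))
    print("deny after divert:", ping_round_trip(OUTSIDE, after_divert="deny"))
```

Running the block prints the three scenarios. With the divert on fxp0 the request leaves with the public source and the reply is de-aliased back to 10.0.0.2; with the divert on fxp1 the request leaves with its private source untouched, so no reply can come back; with a deny after the divert the request never leaves at all. The first natd message in this thread names fxp0 as the outside interface, so the second scenario is the one to compare against the natd_interface setting posted there.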
From owner-freebsd-ipfw Wed Aug 9 15:59:51 2000
From: TeRrAc
To: Nick Rogness
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 16:01:53 -0700 (PDT)
Subject: Re: natd + IPFW

I have the settings in rc.conf:

------
    natd_program="/sbin/natd"
    natd_enable="YES"          # Turns on natd and sets flag for IPFW
    natd_interface="fxp1"      # Sets interface to bind natd to
    natd_flags="-l -u -m "     # Additional flags for natd
-----

Terrac Skiens

On Wed, 9 Aug 2000, Nick Rogness wrote:

> On Wed, 9 Aug 2000, TeRrAc wrote:
>
> > natd is in fact running,
>
> With what options? It should be:
>
>     /sbin/natd -n fxp1

From owner-freebsd-ipfw Wed Aug 9 19:48:02 2000
From: TeRrAc
To: Nick Rogness
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 19:50:04 -0700 (PDT)
Subject: Re: natd + IPFW

So from all the replies I have received, I get the feeling that my natd is
set up correctly, and the default rules are okay. I am wondering what it
could be that is keeping my hosts on the inside from pinging the outside
world.

Undoubtedly it is something really simple, as are most things. The only
question is what is it?

Again, my config is:

----
KERNEL:

    options         IPFIREWALL           # IP Firewall - added for NAT
    options         IPDIVERT             # IP diverting added for NAT
    options         IPFIREWALL_FORWARD   # added to try and get sanity?
    options         IPFIREWALL_VERBOSE   # IP packet logging - added for IPFW
    pseudo-device   bpf                  # Berkeley packet filter

/etc/rc.conf:

    natd_program="/sbin/natd"   # Path to natd, if different
    natd_enable="YES"           # Turns on natd and sets flag for IPFW
    natd_interface="fxp1"       # Sets interface to bind natd to
    natd_flags="-l -u -m "      # Additional flags for natd
    gateway_enable="YES"        # This system is used as a gateway
    firewall_enable="YES"       # Enable IPFW packet filtering
    firewall_type="OPEN"        # Sets a generic type of firewall
---

With additional IPFW commands:

    -f flush
    add divert natd all from any to any via fxp1
    add pass all from any to any

So, am I missing something? Would the 'IPFIREWALL_FORWARD' option in the
kernel keep this from getting through? To my suspicion it shouldn't..?

I am confused, really stumped, two days into this and boggled. Any and all
help appreciated.

Thanks.
Terrac Skiens

From owner-freebsd-ipfw Wed Aug 9 21:10:53 2000
From: Nick Rogness
To: TeRrAc
Cc: FreeBSD IPFW list
Date: Wed, 9 Aug 2000 22:10:02 -0600 (MDT)
Subject: Re: natd + IPFW

On Wed, 9 Aug 2000, TeRrAc wrote:

> So from all the replies I have received, I get the feeling that my natd
> is set up correctly, and the default rules are okay.
> I am wondering what it could be that is keeping my hosts on the inside
> from pinging the outside world.
> Undoubtedly it is something really simple, as are most things. The only
> question is what is it?

To see what is causing your problems, take the 'natd_flag' line out of
rc.conf. I don't think they would be the culprit, but I have never used the
"-u" option so I don't know what effects that would cause, plus it would take
another "possible" out of the equation.

IPFIREWALL_FORWARD should not be causing the problem.

Also, try pinging from your BSD machine to the outside without the divert
rule in the firewall, just to see if connectivity is working.

Nick Rogness
- Drive defensively. Buy a tank.

From owner-freebsd-ipfw Thu Aug 10 00:04:14 2000
From: "Crist J. Clark"
To: ym g
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 10 Aug 2000 00:04:09 -0700
Subject: Re: Bridging firewall
Reply-To: cjclark@alum.mit.edu

[Please put in newlines at about 72 columns or so. Each of your paragraphs
is on one line.]
On Thu, Aug 10, 2000 at 01:43:35AM +0800, ym g wrote:
> Hi, I am trying to set up a bridging firewall and have some questions.
>
> In a bridge, it doesn't seem necessary to configure any IPs for the 2
> interfaces. However, I would like to remotely manage my bridging firewall.
> If so, does the interface attached to the Internet [router] need the same
> address as the router or just another address from my segment. I think
> it's the latter but my bridging fundamentals are hazy :-(

Give the machine a unique IP address on your network. It really doesn't
matter which interface gets the address, but for aesthetic reasons, I'd put
it on the "outer" interface.

> Would doing so allow me to telnet/ssh into the bridging firewall box or do
> I need another interface to get in and leave the original 2 interfaces
> unconfigured

No, just assign an IP to one interface.

> Also, if I have two different leased lines [different blocks], can I use a
> 4 port NIC like a D-LINK DFE 570 to set up a single machine as a bridging
> firewall for both networks [using different rulesets]

Well, now it sounds like you would need to be doing routing, since I doubt
different lines will be coming in on the same logical network. I wouldn't
try to do routing and bridging on one box.

--
Crist J. Clark                                cjclark@alum.mit.com

From owner-freebsd-ipfw Thu Aug 10 01:50:26 2000
From: Ruslan Ermilov
To: Nick Rogness
Cc: TeRrAc, FreeBSD IPFW list
Date: Thu, 10 Aug 2000 11:48:36 +0300
Subject: Re: natd + IPFW

On Wed, Aug 09, 2000 at 10:10:02PM -0600, Nick Rogness wrote:
> On Wed, 9 Aug 2000, TeRrAc wrote:
>
> > So from all the replies I have received, I get the feeling that my natd
> > is set up correctly, and the default rules are okay.
> > I am wondering what it could be that is keeping my hosts on the inside
> > from pinging the outside world.
> > Undoubtedly it is something really simple, as are most things. The only
> > question is what is it?
>
> To see what is causing your problems, take the 'natd_flag' line
> out of rc.conf. I don't think they would be the culprit but I
> have never used the "-u" option so I don't know what effects that
> would cause, plus it would take another "possible" out of the
> equation.

The -u option tells natd(8) to NAT only RFC 1918 addresses.

I would be interested in seeing the output of the `ifconfig -a inet' and
`sysctl net.inet.ip' commands, and would recommend running natd(8) manually
with the -v option.
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Aug 10 4:18:26 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from elmls01.ce.mediaone.net (elmls01.ce.mediaone.net [24.131.128.25]) by hub.freebsd.org (Postfix) with ESMTP id C77C237BECD for ; Thu, 10 Aug 2000 04:18:19 -0700 (PDT) (envelope-from bitsurfer@mediaone.net) Received: from bugsbunny (ro04-204-210-189-38.ce.mediaone.net [204.210.189.38]) by elmls01.ce.mediaone.net (8.8.7/8.8.7) with SMTP id GAA02327; Thu, 10 Aug 2000 06:22:24 -0500 (CDT) From: "Chris Silva" To: Subject: IRC identing from client through FBSD firewall. Date: Thu, 10 Aug 2000 06:20:22 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG When I access IRC via a windows box on my internal network, going trough a cable modem, I get this error: natd[162]: failed to write packet back (Permission denied) My main concern, it to use IRC on the intranet boxen and have auth work - so I can access EFNet and DALNet. This happens when identd is access. I can get out doing everything I need to, but I just cant get identd to work. I am using ident2 from the ports, and have set the auth line in the inetd.conf file. Sorry for all the stuff here, but I wanted to give you all everything I possibly could - and feel free add, subtract or point out all that is wrong. I'm open to ALL suggestions. 
Below are the stats you may need:

Firewall - FBSD 4.1-STABLE

---------------- rc.conf
# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024"	# Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES"		# Set to YES to enable firewall functionality
firewall_type="simple"		# Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"		#
natd_enable="YES"		# Enable natd (if firewall_enable == YES).
natd_interface="xl0"		# Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"	# Additional flags for natd.
portmap_enable="NO"		# Run the portmapper service (or NO).

------------------ rc.firewall (simple)
# set these to your outside interface network and netmask and ip
oif="xl0"
onet="204.210.189.0"
omask="255.255.255.0"
oip="204.210.189.38"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="10.3.1.0"
imask="255.0.0.0"
iip="10.3.1.1"

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
#${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}

# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
#${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
#${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
#${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
#${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
#${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${oip}
${fwcmd} add pass udp from ${oip} to any 123

# Allow SSH logins and log them
${fwcmd} add pass tcp from any to any 22 in via ${oip} setup

# ICMP RULES
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings but not incoming
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

# MISCELLANEOUS RULES
# Reject broadcasts from outside
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject and log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 in via ${oif}

# Reject and log all other connections from outside interface
${fwcmd} add 65000 deny ip from any to any via ${oif}

------------------ ipfw list
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/8 to any in recv xl0
00400 deny ip from 204.210.189.0/24 to any in recv fxp0
00500 deny ip from 0.0.0.0/8 to any via xl0
00600 deny ip from any to 0.0.0.0/8 via xl0
00700 deny ip from 169.254.0.0/16 to any via xl0
00800 deny ip from any to 169.254.0.0/16 via xl0
00900 deny ip from 192.0.2.0/24 to any via xl0
01000 deny ip from any to 192.0.2.0/24 via xl0
01100 deny ip from 224.0.0.0/4 to any via xl0
01200 deny ip from any to 224.0.0.0/4 via xl0
01300 deny ip from 240.0.0.0/4 to any via xl0
01400 deny ip from any to 240.0.0.0/4 via xl0
01500 allow tcp from any to any established
01600 allow ip from any to any frag
01700 allow tcp from any to 204.210.189.38 25 setup
01800 allow tcp from any to 204.210.189.38 53 setup
01900 allow udp from any to 204.210.189.38 53
02000 allow udp from 204.210.189.38 53 to any
02100 allow tcp from any to 204.210.189.38 80 setup
02200 allow tcp from any to any setup
02300 allow udp from any 53 to 204.210.189.38
02400 allow udp from 204.210.189.38 to any 53
02500 allow udp from any 123 to 204.210.189.38
02600 allow udp from 204.210.189.38 to any 123
02700 allow tcp from any to any 22 in recv 204.210.189.38 setup
02800 allow icmp from any to any via fxp0
02900 allow icmp from any to any out xmit xl0 icmptype 8
03000 allow icmp from any to any in recv xl0 icmptype 0
03100 allow icmp from any to any via xl0 icmptype 3,4,11,12
03200 deny icmp from any to any
63000 deny ip from any to 0.0.0.255:0.0.0.255 in recv xl0
64000 deny log udp from any to any 137-139 in recv xl0
65000 deny ip from any to any via xl0
65535 allow ip from any to any

------------------ ipfw show
00050 2165 736719 divert 8668 ip from any to any via xl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 10.0.0.0/8 to any in recv xl0
00400 0 0 deny ip from 204.210.189.0/24 to any in recv fxp0
00500 0 0 deny ip from 0.0.0.0/8 to any via xl0
00600 0 0 deny ip from any to 0.0.0.0/8 via xl0
00700 0 0 deny ip from 169.254.0.0/16 to any via xl0
00800 0 0 deny ip from any to 169.254.0.0/16 via xl0
00900 0 0 deny ip from 192.0.2.0/24 to any via xl0
01000 0 0 deny ip from any to 192.0.2.0/24 via xl0
01100 0 0 deny ip from 224.0.0.0/4 to any via xl0
01200 0 0 deny ip from any to 224.0.0.0/4 via xl0
01300 0 0 deny ip from 240.0.0.0/4 to any via xl0
01400 0 0 deny ip from any to 240.0.0.0/4 via xl0
01500 3151 1344439 allow tcp from any to any established
01600 0 0 allow ip from any to any frag
01700 0 0 allow tcp from any to 204.210.189.38 25 setup
01800 0 0 allow tcp from any to 204.210.189.38 53 setup
01900 0 0 allow udp from any to 204.210.189.38 53
02000 0 0 allow udp from 204.210.189.38 53 to any
02100 0 0 allow tcp from any to 204.210.189.38 80 setup
02200 16 828 allow tcp from any to any setup
02300 22 3967 allow udp from any 53 to 204.210.189.38
02400 176 13329 allow udp from 204.210.189.38 to any 53
02500 0 0 allow udp from any 123 to 204.210.189.38
02600 0 0 allow udp from 204.210.189.38 to any 123
02700 0 0 allow tcp from any to any 22 in recv 204.210.189.38 setup
02800 16 944 allow icmp from any to any via fxp0
02900 13 900 allow icmp from any to any out xmit xl0 icmptype 8
03000 6 408 allow icmp from any to any in recv xl0 icmptype 0
03100 11 616 allow icmp from any to any via xl0 icmptype 3,4,11,12
03200 16 1344 deny icmp from any to any
63000 0 0 deny ip from any to 0.0.0.255:0.0.0.255 in recv xl0
64000 0 0 deny log udp from any to any 137-139 in recv xl0
65000 150 24958 deny ip from any to any via xl0
65535 588 61233 allow ip from any to any

------------------ natd.conf
# This is /etc/natd.conf - This is used for redirects. See below. #
dynamic yes
use_sockets yes
same_ports yes

------------------ kernel (Only needed info)
options IPFIREWALL_FORWARD
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
pseudo-device bpf	#Berkeley packet filter

Best regards,
Chris
______________________________________________________________________
DH/DSS Fingerprint = 8265 0BB8 2C7D A376 3CCD 6858 8630 0E47 194A 0318
RSA Key Fingerprint = 4390 44E5 E316 F2AA A11E 5755 F3F9 D69B
PGP Mail encouraged / preferred - keys available on common key servers
______________________________________________________________________
Proud supporter of FreeBSD, NetBSD, OpenBSD, and BSDi

From owner-freebsd-ipfw Thu Aug 10 8:49:47 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 929C437B52D for ; Thu, 10 Aug 2000 08:49:38 -0700 (PDT) (envelope-from cjc@149.211.6.64.reflexcom.com)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 10 Aug 2000 08:48:33 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id IAA13719; Thu, 10 Aug 2000 08:49:24 -0700 (PDT) (envelope-from cjc)
Date: Thu, 10 Aug 2000 08:49:19 -0700
From: "Crist J . Clark"
To: Chris Silva
Cc: FreeBSD-IPFW@FreeBSD.ORG
Subject: Re: IRC identing from client through FBSD firewall.
Message-ID: <20000810084919.E5405@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from bitsurfer@mediaone.net on Thu, Aug 10, 2000 at 06:20:22AM -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Aug 10, 2000 at 06:20:22AM -0500, Chris Silva wrote:
> When I access IRC via a windows box on my internal network, going through a
> cable modem, I get this error:
> 
> natd[162]: failed to write packet back (Permission denied)
> 
> My main concern is to use IRC on the intranet boxen and have auth work - so
> I can access EFNet and DALNet.
> 
> This happens when identd is accessed. I can get out doing everything I need
> to, but I just can't get identd to work.

[snip]

> ------------------ ipfw list
> 00050 divert 8668 ip from any to any via xl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 10.0.0.0/8 to any in recv xl0
> 00400 deny ip from 204.210.189.0/24 to any in recv fxp0
> 00500 deny ip from 0.0.0.0/8 to any via xl0
> 00600 deny ip from any to 0.0.0.0/8 via xl0
> 00700 deny ip from 169.254.0.0/16 to any via xl0
> 00800 deny ip from any to 169.254.0.0/16 via xl0
> 00900 deny ip from 192.0.2.0/24 to any via xl0
> 01000 deny ip from any to 192.0.2.0/24 via xl0
> 01100 deny ip from 224.0.0.0/4 to any via xl0
> 01200 deny ip from any to 224.0.0.0/4 via xl0
> 01300 deny ip from 240.0.0.0/4 to any via xl0
> 01400 deny ip from any to 240.0.0.0/4 via xl0
> 01500 allow tcp from any to any established
> 01600 allow ip from any to any frag
> 01700 allow tcp from any to 204.210.189.38 25 setup
> 01800 allow tcp from any to 204.210.189.38 53 setup
> 01900 allow udp from any to 204.210.189.38 53
> 02000 allow udp from 204.210.189.38 53 to any
> 02100 allow tcp from any to 204.210.189.38 80 setup
> 02200 allow tcp from any to any setup
> 02300 allow udp from any 53 to 204.210.189.38
> 02400 allow udp from 204.210.189.38 to any 53
> 02500 allow udp from any 123 to 204.210.189.38
> 02600 allow udp from 204.210.189.38 to any 123
> 02700 allow tcp from any to any 22 in recv 204.210.189.38 setup
> 02800 allow icmp from any to any via fxp0
> 02900 allow icmp from any to any out xmit xl0 icmptype 8
> 03000 allow icmp from any to any in recv xl0 icmptype 0
> 03100 allow icmp from any to any via xl0 icmptype 3,4,11,12
> 03200 deny icmp from any to any
> 63000 deny ip from any to 0.0.0.255:0.0.0.255 in recv xl0
> 64000 deny log udp from any to any 137-139 in recv xl0
> 65000 deny ip from any to any via xl0
> 65535 allow ip from any to any

Well, I don't see any rules about allowing incoming ident connections
(113/tcp).

I'll assume you know how to set up the firewall box to be an auth proxy
for the Win machine since I wouldn't know where to start.
-- 
Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-ipfw Thu Aug 10 10:12:29 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id 8C53637B957 for ; Thu, 10 Aug 2000 10:12:26 -0700 (PDT) (envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id 0E46D15510; Thu, 10 Aug 2000 10:12:25 -0700 (PDT)
Date: Thu, 10 Aug 2000 10:12:24 -0700
From: Ron 'The InSaNe One' Rosson
To: freebsd-ipfw@freebsd.org
Subject: Ipfilter & Socks5
Message-ID: <20000810101224.A81194@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Mail-Followup-To: freebsd-ipfw@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.0-STABLE
X-Moon: The Moon is Waxing Gibbous (83% of Full)
X-Opinion: What you read here is my IMHO
X-WWW: http://www.oneinsane.net
X-PGP-KEY: http://www.oneinsane.net/~insane/insane2-pgp5i.txt
X-Uptime: 10:10AM up 8 days, 17:49, 1 user, load averages: 1.17, 1.24, 1.15
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am trying to figure the proper way to implement SOCKS5 with an IPFilter
firewall. I seem to be one of the lucky ones that does not have to use NAT.
I have a network routed subnet of /28. If anyone has a working set of the
basic rules for this type of configuration and how their socks is configured
I would be interested.

TIA

-- 
------------------------------------------------------------------------------
Ron Rosson                                  ... and a UNIX user said ...
The InSaNe One                                       rm -rf *
insane@oneinsane.net                        and all was /dev/null and *void()
------------------------------------------------------------------------------
Excuse me, ma'am, you seem to be rationally challenged...

From owner-freebsd-ipfw Thu Aug 10 13:47:51 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from stratus.cloudfactory.org (cloudfactory.org [205.179.129.18]) by hub.freebsd.org (Postfix) with ESMTP id E260537BABD for ; Thu, 10 Aug 2000 13:47:41 -0700 (PDT) (envelope-from terrac@cloudfactory.org)
Received: from localhost (terrac@localhost) by stratus.cloudfactory.org (8.8.8/8.8.7) with ESMTP id NAA12687; Thu, 10 Aug 2000 13:49:06 -0700
Date: Thu, 10 Aug 2000 13:49:06 -0700 (PDT)
From: TeRrAc
To: Ruslan Ermilov
Cc: Nick Rogness , FreeBSD IPFW list
Subject: Re: natd + IPFW
In-Reply-To: <20000810114836.A88858@sunbay.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thank you for the help, I will try these options when I get back home and
can do a full test from both sides.
t e r r a c

On Thu, 10 Aug 2000, Ruslan Ermilov wrote:

> On Wed, Aug 09, 2000 at 10:10:02PM -0600, Nick Rogness wrote:
> > 
> > 
> > 	To see what is causing your problems, take the 'natd_flag' line
> > 	out of rc.conf.  I don't think they would be the culprit but I
> > 	have never used the "-u" option so I don't know what effects that
> > 	would cause, plus it would take another "possible" out of the
> > 	equation.
> > 
> The -u option tells natd(8) to NAT only RFC 1918 addresses.
> 
> I would be interested in seeing the output of `ifconfig -a inet' and
> `sysctl net.inet.ip' commands and would recommend running natd(8)
> manually with -v option.
> 
> 
> Cheers,

From owner-freebsd-ipfw Thu Aug 10 15:45:21 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from stratus.cloudfactory.org (cloudfactory.org [205.179.129.18]) by hub.freebsd.org (Postfix) with ESMTP id 5D46637B5F7 for ; Thu, 10 Aug 2000 15:45:18 -0700 (PDT) (envelope-from terrac@cloudfactory.org)
Received: from localhost (terrac@localhost) by stratus.cloudfactory.org (8.8.8/8.8.7) with ESMTP id PAA27283; Thu, 10 Aug 2000 15:47:30 -0700
Date: Thu, 10 Aug 2000 15:47:30 -0700 (PDT)
From: TeRrAc
To: Nick Rogness
Cc: FreeBSD IPFW list
Subject: Re: natd + IPFW (I think i have the solution)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi there,

  In re-reading this mail from Nick I see what my problem might be. My
outside interface is fxp0, and the inside is fxp1.
  The packet flow goes like this

[DSL Gateway] <---> [fxp0 <--> fxp1] <----> {the internal network}

  I had the IPFW diverting all packets through fxp1, and it appears that I
need to have them diverted through fxp0 instead. I will not know of course
until I get home and can try it out.
  In the meantime of course, can anyone confirm or deny this?
t e r r a c
" and they call *ME* strange "

On Wed, 9 Aug 2000, Nick Rogness wrote:

> On Wed, 9 Aug 2000, TeRrAc wrote:
> 
> > 	Natd is in fact running,
> 
> 	With what options?  It should be:  /sbin/natd -n fxp1
> 
> > 
> > 
> > 	I know that is a bass-ackwards ruleset, usually I have been testing it
> > like:
> > 00100 1849 185456 divert 8668 ip from any to any via fxp1
> > 00500 32 2404 allow ip from any to any
> > 00600 0 0 allow ip from any to any
> > 65535 83 5902 deny ip from any to any
> > 
> 
> 	This looks OK...if fxp1 is indeed your outside interface.
> 
> > 
> > 	It seems logical enough that all packets should first be diverted
> > through natd (the 8668) through the interface, then passed without regard
> > through the rest of the system.
> 
> 	They are sent through Natd, then re-injected back into the
> 	firewall at the next rule number.
> 
> > 
> > Do i need another divert statement on fxp0 to bring them back?
> 
> 	No.  The above ruleset should work.  How are you testing to see if
> 	it works.  Can you get out from your BSD machine without using
> 	nat?
> 
> Nick Rogness
> - Drive defensively.  Buy a tank.
From owner-freebsd-ipfw Thu Aug 10 18:16:24 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 6B21C37BBC5 for ; Thu, 10 Aug 2000 18:16:21 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id VAA03237; Thu, 10 Aug 2000 21:16:05 -0400 (EDT)
Date: Thu, 10 Aug 2000 21:16:04 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: cjclark@alum.mit.edu
Cc: ym g , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Bridging firewall
In-Reply-To: <20000810000409.B5405@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I do a bridging firewall in front of slashdot. The bridge can only be a
bridge; the interfaces can answer to addresses, but doing routing on it is
a *bad* idea.

For more particulars, email me privately.

-Trish
__
Trish Lynch                         FreeBSD - The Power to Serve
trish@bsdunix.net                   Rush Networking
                                    trish@rush.net

On Thu, 10 Aug 2000, Crist J . Clark wrote:

> [Please put in newlines at about 72 columns or so. Each of your
> paragraphs is on one line.]
> 
> On Thu, Aug 10, 2000 at 01:43:35AM +0800, ym g wrote:
> > Hi, I am trying to setup a bridging firewall and have some questions.
> > 
> > In a bridge, it doesn't seem necessary to configure any IP's for the 2 interfaces. However, I would like to remotely manage my bridging firewall. If so, does the interface attached to the Internet [router] need the same address as the router or just another address from my segment.
> > I think it's the latter but my bridging fundamentals are hazy :-(
> 
> Give the machine a unique IP address on your network. It really
> doesn't matter which interface gets the address, but for aesthetic
> reasons, I'd put it on the "outer" interface.
> 
> > Would doing so allow me to telnet/ssh into the bridging firewall box or do I need another interface to get in and leave the original 2 interfaces unconfigured
> 
> No, just assign an IP to one interface.
> 
> > Also, if I have two different leased lines [different blocks], can I use a 4 port NIC like a D-LINK DFE 570 to setup a single machine as a bridging firewall for both networks [using different rulesets]
> 
> Well, now it sounds like you would need to be doing routing since I
> doubt different lines will be coming in on the same logical
> network. I wouldn't try to do routing and bridging on one box.
> -- 
> Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-ipfw Fri Aug 11 14:13:55 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 7996237B769 for ; Fri, 11 Aug 2000 14:13:52 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id PAA74782; Fri, 11 Aug 2000 15:12:58 -0600 (MDT)
Date: Fri, 11 Aug 2000 15:12:58 -0600 (MDT)
From: Nick Rogness
To: TeRrAc
Cc: FreeBSD IPFW list
Subject: Re: natd + IPFW (I think i have the solution)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 10 Aug 2000, TeRrAc wrote:

> Hi there,
> 
>   In re-reading this mail from Nick I see what my problem might be.
> My outside interface is fxp0, and the inside is fxp1.
>   The packet flow goes like this
> 
> [DSL Gateway] <---> [fxp0 <--> fxp1] <----> {the internal network}
> 
>   I had the IPFW diverting all packets through fxp1, and it appears that I
> need to have them diverted through fxp0 instead. I will not know of course
> until I get home and can try it out.
>   In the meantime of course, can anyone confirm or deny this?

	I will confirm that.  In your setup divert should be running on
	your outside interface..

Nick Rogness
- Drive defensively.  Buy a tank.

From owner-freebsd-ipfw Fri Aug 11 14:33:56 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from chicago.ADMis.com (chicago.admis.com [208.192.111.99]) by hub.freebsd.org (Postfix) with SMTP id 6E25C37BA0E for ; Fri, 11 Aug 2000 14:33:36 -0700 (PDT) (envelope-from chris.silva@admis.com)
Received: From CHICAGO.ADMIS.COM (182.168.181.229[182.168.181.229 port:1677]) by chicago.ADMis.com (Mail essentials server 2.421) with SMTP id: <12799@chicago.ADMis.com> for 8/11/00 4:35:16 PM -0500
Received: by chicago.admis.com with Internet Mail Service (5.5.2650.21) id ; Fri, 11 Aug 2000 16:35:16 -0500
Message-ID: <7353575D98E0D311834F00508BA0FAC91CECDA@chicago.admis.com>
From: Chris Silva
To: 'Nick Rogness' , TeRrAc
Cc: FreeBSD IPFW list
Subject: RE: natd + IPFW (I think i have the solution)
Date: Fri, 11 Aug 2000 16:35:14 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C003DC.09444472"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
If I recall correctly, DIVERT is always done on ${oif} = fxp0 for you.

-----Original Message-----
From: Nick Rogness [mailto:nick@rapidnet.com]
Sent: Friday, August 11, 2000 4:13 PM
To: TeRrAc
Cc: FreeBSD IPFW list
Subject: Re: natd + IPFW (I think i have the solution)

On Thu, 10 Aug 2000, TeRrAc wrote:

> Hi there,
> 
>   In re-reading this mail from Nick I see what my problem might be. My
> outside interface is fxp0, and the inside is fxp1.
>   The packet flow goes like this
> 
> [DSL Gateway] <---> [fxp0 <--> fxp1] <----> {the internal network}
> 
>   I had the IPFW diverting all packets through fxp1, and it appears that I
> need to have them diverted through fxp0 instead. I will not know of course
> until I get home and can try it out.
>   In the meantime of course, can anyone confirm or deny this?

	I will confirm that.  In your setup divert should be running on
	your outside interface..

Nick Rogness
- Drive defensively.  Buy a tank.
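Two of the threads above come down to reading the ruleset listing carefully: the natd + IPFW thread ends with "divert should be running on your outside interface", and the IRC identd thread starts from natd logging "failed to write packet back (Permission denied)" on a box whose catch-all deny on xl0 (rule 65000) has 150 hits. The script below is an added example, not code from any of the posters or from FreeBSD: it parses an `ipfw show` listing and the `natd_interface` line of rc.conf, then reports divert rules that are not on the interface natd is bound to, and deny rules with non-zero packet counters. The sample listings are constructed from the ones posted in this thread; the rc.conf fragment for the natd + IPFW host is assumed (that poster only showed his four rules and `natd -n fxp1`), and the regular expressions only understand the ipfw 1.x syntax of FreeBSD 4.x shown above.

```python
import re

# Added example, not code from the thread.  Handles the ipfw 1.x listing
# format printed by FreeBSD 4.x ("RULE PKTS BYTES action ...").
SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
IFACE_IN_RULE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")
RC_NATD_IF = re.compile(r'^\s*natd_interface\s*=\s*"?([^"\s#]+)"?', re.M)


def parse_ipfw_show(text):
    """Turn 'ipfw show' output into dicts with number, packets, bytes, body.
    Lines that are not rules (blank lines, headings) are skipped."""
    rules = []
    for line in text.splitlines():
        m = SHOW_LINE.match(line)
        if m:
            rules.append({"number": int(m.group(1)), "packets": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
    return rules


def outside_interface(rc_conf):
    """natd_interface value from an rc.conf fragment, or None if unset."""
    m = RC_NATD_IF.search(rc_conf)
    return m.group(1) if m else None


def check_divert_interface(rules, oif):
    """Problems with where natd's divert rule sits.  natd -n aliases packets to
    the address of the interface it is bound to, so the divert rule has to be
    on that (outside) interface; diverting on the inside interface is the
    mistake found in the natd + IPFW thread."""
    problems = []
    diverts = [r for r in rules if r["body"].startswith("divert")]
    if not diverts:
        problems.append("no divert rule: natd never sees any packets")
    for r in diverts:
        m = IFACE_IN_RULE.search(r["body"])
        iface = m.group(1) if m else None
        if iface != oif:
            problems.append(f"rule {r['number']:05d} diverts on {iface!r}, "
                            f"but natd_interface is {oif!r}")
    return problems


def deny_hits(rules):
    """(number, packets) for every deny rule that has actually dropped traffic.
    natd logs 'failed to write packet back (Permission denied)' when the kernel
    refuses the packet it re-injects through the divert socket; a climbing
    counter on a deny rule shows which rule is refusing it."""
    return [(r["number"], r["packets"]) for r in rules
            if r["body"].startswith("deny") and r["packets"] > 0]


def audit(ipfw_show_text, rc_conf_text):
    rules = parse_ipfw_show(ipfw_show_text)
    oif = outside_interface(rc_conf_text)
    return {"divert_problems": check_divert_interface(rules, oif),
            "deny_hits": deny_hits(rules)}


# Constructed samples: the relevant lines of the rc.conf and 'ipfw show'
# listings posted in the "IRC identing" message above.
SAMPLE_RC_CONF = '''
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"            # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.
'''
SAMPLE_IPFW_SHOW = """
00050 2165 736719 divert 8668 ip from any to any via xl0
00100 0 0 allow ip from any to any via lo0
00300 0 0 deny ip from 10.0.0.0/8 to any in recv xl0
01500 3151 1344439 allow tcp from any to any established
02200 16 828 allow tcp from any to any setup
03200 16 1344 deny icmp from any to any
65000 150 24958 deny ip from any to any via xl0
65535 588 61233 allow ip from any to any
"""
# Constructed sample for the natd + IPFW thread: the four rules that poster
# showed (divert on the inside interface fxp1); the rc.conf line naming fxp0
# as the outside interface is assumed, he did not post it.
SAMPLE_WRONG_DIVERT = """
00100 1849 185456 divert 8668 ip from any to any via fxp1
00500 32 2404 allow ip from any to any
00600 0 0 allow ip from any to any
65535 83 5902 deny ip from any to any
"""
SAMPLE_RC_CONF_FXP0 = 'natd_interface="fxp0"\n'

if __name__ == "__main__":
    for name, show, rc in (("IRC identd host", SAMPLE_IPFW_SHOW, SAMPLE_RC_CONF),
                           ("natd + IPFW host", SAMPLE_WRONG_DIVERT, SAMPLE_RC_CONF_FXP0)):
        report = audit(show, rc)
        print(f"== {name}")
        for p in report["divert_problems"]:
            print("  divert:", p)
        for number, packets in report["deny_hits"]:
            print(f"  deny rule {number:05d} has dropped {packets} packets")
```

On a live box the two strings would come from `ipfw show` and `/etc/rc.conf`; the script needs nothing else, so it can be run against a pasted listing like the ones in this thread. It deliberately stops at counters and interface names: deciding which rule a particular packet hits still means walking the ruleset in order, as the ipfw(8) man page describes.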
