From owner-freebsd-questions Thu Feb 18 22:13:58 1999 Delivered-To: freebsd-questions@freebsd.org Received: from stardust.bzzzz.com (stardust.bzzzz.com [209.90.68.199]) by hub.freebsd.org (Postfix) with ESMTP id 7E54A10E69 for ; Thu, 18 Feb 1999 22:13:55 -0800 (PST) (envelope-from clubkid@bzzzz.com) Received: from localhost (clubkid@localhost) by stardust.bzzzz.com (8.9.3/8.9.3) with ESMTP id XAA00388 for ; Thu, 18 Feb 1999 23:13:55 -0700 (MST) Date: Thu, 18 Feb 1999 23:13:55 -0700 (MST) From: Brian Budnick To: freebsd-questions@FreeBSD.ORG Subject: Simple FIREWALL Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in it. The ethernet cards are setup as follows: ed1: ip: 209.90.111.199 netmask: 255.255.255.192 pn0: ip: 10.0.0.1 netmask: 255.255.255.0 I'm trying to get a simple firewall up to protect several computers on our network. I want it so that whenever we access the web from like 10.0.0.2 it goes thru 10.0.0.1 and then that machine will be the gateway to the Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from the 10.0.0.2 machines, etc. I did the following to the server 209.90.111.199 to get it to work: /etc/defaults/rc.conf (looks as follows): ### Network routing options: ### defaultrouter="NO" # Set to default gateway (or NO). static_routes="" # Set to static route list (or leaveempty). gateway_enable="YES" # Set to YES if this host will be agateway. router_enable="NO" # Set to YES to enable a routing daemon. router="routed" # Name of routing daemon to use ifenabled. router_flags="-q" # Flags for routing daemon. mrouted_enable="NO" # Do multicast routing (see/etc/mrouted.conf). mrouted_flags="" # Flags for multicast routing daemon. ipxgateway_enable="NO" # Set to YES to enable IPX routing. ipxrouted_enable="NO" # Set to YES to run the IPX routingdaemon. ipxrouted_flags="" # Flags for IPX routing daemon. arpproxy_all="" # replaces obsolete kernel optionARP_PROXYALL. forward_sourceroute="NO" # do source routing (only ifgateway_enable is set to "YES") accept_sourceroute="NO" # accept source routed packets to us hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). firewall_enable="YES" # Set to YES to enable firewall functionality firewall_type="simple" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface to use with natd. natd_flags="" # Additional flags for natd. tcp_extensions="NO" # Disallow RFC1323 extensions (or YES). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. --- in my /etc/rc.firewall (under the simple section my configuration reads): # set these to your outside interface network and netmask and ip oif="ed1" onet="209.90.111.199/24" omask="255.255.255.192" oip="209.90.111.199" # set these to your inside interface network and netmask and ip iif="pn0" inet="10.0.0.1/24" imask="255.255.255.0" iip="10.0.0.1" # Stop spoofing $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} out $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} # Allow TCP through if setup succeeded # $fwcmd add pass tcp from any to any established $fwcmd add pass all from any to any # allow IDENT for IRC $fwcmd add allow tcp from any to ${oif} 113 $fwcmd add allow udp from any to ${oif} 113 # Allow setup of incoming email $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside #$fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${oip} $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${oip} $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi --- On Bootup when it displays the rulesets it seems to have a problem with one of them but i'm not sure which one. i know this message is kind of long but i'm really wanting to get this to work and would appreciate anyones kind help to let me know what's wrong. --- i tried to setup a work station as follows: ip: 10.0.0.2 subnetmask: 255.255.255.0 gateway: 10.0.0.1 i could ping 10.0.0.1, of course i couldn't ping outside our network, but I couldn't telnet, i couldn't do web, or irc, or anything... Please Help! Thanks. Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message