Date: Thu, 18 Feb 1999 23:13:55 -0700 (MST) From: Brian Budnick <clubkid@bzzzz.com> To: freebsd-questions@FreeBSD.ORG Subject: Simple FIREWALL Message-ID: <Pine.BSF.4.05.9902182301050.346-100000@stardust.bzzzz.com>
next in thread | raw e-mail | index | archive | help
I am running FreeBSD 3.1-RELEASE on a K6/166 that has 2 ethernet cards in
it. The ethernet cards are setup as follows:
ed1: ip: 209.90.111.199 netmask: 255.255.255.192
pn0: ip: 10.0.0.1 netmask: 255.255.255.0
I'm trying to get a simple firewall up to protect several computers on our
network. I want it so that whenever we access the web from like 10.0.0.2
it goes thru 10.0.0.1 and then that machine will be the gateway to the
Internet. I want to be able to have access to Telnet/FTP/WWW/IRC from
the 10.0.0.2 machines, etc.
I did the following to the server 209.90.111.199 to get it to work:
/etc/defaults/rc.conf (looks as follows):
<snip>
### Network routing options: ###
defaultrouter="NO" # Set to default gateway (or NO).
static_routes="" # Set to static route list (or leaveempty).
gateway_enable="YES" # Set to YES if this host will be agateway.
router_enable="NO" # Set to YES to enable a routing daemon.
router="routed" # Name of routing daemon to use ifenabled.
router_flags="-q" # Flags for routing daemon.
mrouted_enable="NO" # Do multicast routing (see/etc/mrouted.conf).
mrouted_flags="" # Flags for multicast routing daemon.
ipxgateway_enable="NO" # Set to YES to enable IPX routing.
ipxrouted_enable="NO" # Set to YES to run the IPX routingdaemon.
ipxrouted_flags="" # Flags for IPX routing daemon.
arpproxy_all="" # replaces obsolete kernel optionARP_PROXYALL.
forward_sourceroute="NO" # do source routing (only ifgateway_enable is set to "YES")
accept_sourceroute="NO" # accept source routed packets to us
<snip>
hostname="myname.my.domain" # Set this!
nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface to use with natd.
natd_flags="" # Additional flags for natd.
tcp_extensions="NO" # Disallow RFC1323 extensions (or YES).
network_interfaces="lo0" # List of network interfaces (lo0 is loopback).
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
---
in my /etc/rc.firewall (under the simple section my configuration reads):
# set these to your outside interface network and netmask and ip
oif="ed1"
onet="209.90.111.199/24"
omask="255.255.255.192"
oip="209.90.111.199"
# set these to your inside interface network and netmask and ip
iif="pn0"
inet="10.0.0.1/24"
imask="255.255.255.0"
iip="10.0.0.1"
# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} out
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
# Allow TCP through if setup succeeded
# $fwcmd add pass tcp from any to any established
$fwcmd add pass all from any to any
# allow IDENT for IRC
$fwcmd add allow tcp from any to ${oif} 113
$fwcmd add allow udp from any to ${oif} 113
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
$fwcmd add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
#$fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi
---
On Bootup when it displays the rulesets it seems to have a problem with
one of them but i'm not sure which one.
i know this message is kind of long but i'm really wanting to get this to
work and would appreciate anyones kind help to let me know what's wrong.
---
i tried to setup a work station as follows:
ip: 10.0.0.2
subnetmask: 255.255.255.0
gateway: 10.0.0.1
i could ping 10.0.0.1, of course i couldn't ping outside our network, but
I couldn't telnet, i couldn't do web, or irc, or anything...
Please Help!
Thanks.
Brian
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9902182301050.346-100000>