Date: Sat, 10 Feb 2001 14:11:29 -0800 (PST) From: Benjamin Ossei <ben@cahostnet.net> To: "G D McKee" <freebsd@gdmckee.com>, questions@FreeBSD.ORG Subject: Re: Can't hit my own website from behind firewall Message-ID: <20010210221130.0797136F9@sitemail.everyone.net>
next in thread | raw e-mail | index | archive | help
In case attachment isn't any good.
# rc.ipfw - Firewall Rules
#
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by: Ben Ossei
# Modified: 01/30/2001.
#
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
# Firewall program
fwcmd="/sbin/ipfw"
# Outside interface network and netmask and ip
oif="xl0"
onet="24.180.132.0"
omask="255.255.255.0"
oip="24.180.132.54"
# Inside interface network and netmask and ip
iif="fxp0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"
# My ISP's DNS servers
dns1="24.3.0.36"
dns2="24.3.0.37"
# Flush previous rules
${fwcmd} -f flush
# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
#${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via xl0
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
#Allow all outbound connections
${fwcmd} add check-state
${fwcmd} add pass all from any to any out keep-state
# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
### TCP RULES
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 keep-state
#${fwcmd} add pass tcp from any to ${inet}:${imask} 80 setup
${fwcmd} add pass tcp from ${oif} to ${iif} 80 keep-state
# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
${fwcmd} add pass tcp from 24.2.2.70 to ${oif} 67 setup
# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add pass tcp from any to any 21 setup
# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 setup
#Allow Telnet
#${fwcmd} add pass tcp from any to any 23 in via ${oif} setup
${fwcmd} add pass tcp from 162.6.224.88 to any in via ${oif} 23 setup
#${fwcmd} add pass tcp from any to any 23 out
${fwcmd} add deny log tcp from any to any 23 in via ${oif} setup
#Allow SSL
${fwcmd} add check-state
${fwcmd} add pass tcp from any to any 443 in via xl0 keep-state
${fwcmd} add check-state
${fwcmd} add pass tcp from ${oif} to ${iif} 443 in keep-state
# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
#${fwcmd} add pass tcp from any to any setup
### UDP RULES
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oif} to ${iif} 53
${fwcmd} add pass udp from any to ${oip} 53
# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}
# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass udp from any to any 514 via ${iif}
# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}
# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
### ICMP RULES
# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}
# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
# Deny the rest of them
${fwcmd} add deny icmp from any to any
### MISCELLANEOUS REJECT RULES
# Reject broadcasts from outside interface
#${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
# Reject&Log SMB connections on outside interface
#${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
# Reject&Log all other connections from outside interface
#${fwcmd} add 65000 deny log ip from any to any via ${oif}
#This to have denied packets dumped to the console
${fwcmd} add deny log ip from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
--- "G D McKee" <freebsd@gdmckee.com>
> wrote:
>Hi
>
>Can we have a look at your firewall config file. There isn't a lot to go on
>here.
>
>Gordon
>----- Original Message -----
>From: "Benjamin Ossei" <ben@cahostnet.net>
>To: <questions@FreeBSD.ORG>
>Sent: Saturday, February 10, 2001 9:02 PM
>Subject: Can't hit my own website from behind firewall
>
>
>> I can't seem to hit my own web server from a machine on my internal
>network. I have a dualhomed bsd running as a firewall. I allow everything
>going outbound using keep-state and check-state (not in that order). I'm
>using NAT to get to my web server which is using a 192.168.1.x IP address.
>I can hit the server fine from the outside but from the machine behind the
>firewall I can't. What might be blocking this? I also allow http,ftp, ssh,
>dns inbound.
>>
>> Thanks..
>>
>> _____________________________________________________________
>> ========GET YOUR FREE E-MAIL============
>> http://freemail.cahostnet.net
>> Web Hosting http://www.cahostnet.com
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>>
>>
>>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
_____________________________________________________________
========GET YOUR FREE E-MAIL============
http://freemail.cahostnet.net
Web Hosting http://www.cahostnet.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010210221130.0797136F9>