Date: Sat, 26 Jun 1999 21:04:02 -0500
From: Michael Maxwell
To: freebsd-security@freebsd.org
Subject: firewalling problem.
Message-ID: <19990626210402.B1580@atlas.topquark.org>

I have attached my /etc/rc.firewall as it currently is... please have a look for more info:

Problem: I cannot allow my local net machines to talk outside to the net and still have a useful firewall at the same time. The rule that allows the local hosts to talk outside completely defeats the purpose of having any OTHER rules in the first place (ipfw allow ip from any to any). I have tried restricting the first "any" to :, but this also does not work.

Any help I can get on this would be VERY much appreciated. Reading the docs doesn't help much at all, and all the examples I've looked at on the net are of little help on this one, too... It took me two weeks just to get this far...

Thanks again...

-- 
Michael Maxwell | http://www.xnet.com/~drwho/
-- NATO: Now that you've destroyed Serbia, who you gonna kill next? --

Content-Disposition: attachment; filename="rc.firewall"

############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $

# Suck in the configuration variables.
if [ -f /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ "x$1" != "x" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
$fwcmd add divert natd all from any to any via ppp0

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8

if [ "${firewall_type}" = "simple" ]; then
    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ppp0"
    onet="205.243.140.0"
    omask="255.255.255.0"
    oip="205.243.140.183"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.16.0"
    imask="255.255.255.0"
    iip="192.168.16.1"

    # Some of our local hosts (used for redirects, etc)
    zeus="192.168.16.3"
    xnetdnsa="198.147.221.34"
    xnetdnsb="198.147.221.35"

    ### This is the problem.  Without this, nothing can talk out from the inside
    ### network.  But this defeats the purpose of everything else in this file.
    ### The "add allow ip from : to any (etc...) does NOT work.

    # Allow inside hosts to talk out
    $fwcmd add 110 allow ip from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add allow tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from ${xnetdnsa} to ${oip} 53 setup
    $fwcmd add pass tcp from ${xnetdnsb} to ${oip} 53 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

    #
    # Deny any connections to port 53 (DNS) *except* our secondary DNS
    # $fwcmd add deny tcp from any to any 53 setup
    # $fwcmd add allow tcp from ${xnetdnsa} to ${oip} 53 setup
    # $fwcmd add allow tcp from ${xnetdnsb} to ${oip} 53 setup
    #
    #
    # Block misc security holes
    # $fwcmd add deny log tcp from any to any 69 setup
    # $fwcmd add deny log tcp from any to any 87 setup
    # $fwcmd add deny log tcp from any to any 111 via ${oif}
    # $fwcmd add deny log tcp from any to any 2049 via ${oif}
    # $fwcmd add deny log tcp from any to any 512-514 via ${oif}
    # $fwcmd add deny log tcp from any to any 515 via ${oif}
    # $fwcmd add deny log tcp from any to any 540 via ${oif}
    # $fwcmd add deny log tcp from any to any 2000 via ${oif}
    # $fwcmd add deny log tcp from any to any 6000-6063 via ${oif}
    #

    # Use this for our inbound telnet redirect to zeus
    $fwcmd add 155 allow tcp from any to ${zeus} 23 via ${oif}

    #####################################################################
    ### UDP SPECIFIC
    ### We don't want to allow any UDP traffic from outside
    ### except for on port 123 (ntp)
    #####################################################################
    $fwcmd add deny log udp from any to any via ${oif}
    $fwcmd add allow udp from any to any 123
fi
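The scoping the poster is after can be expressed with the direction and interface qualifiers ipfw already uses elsewhere in this file (`in via`, `out via`, the `addr:mask` form), and the same re-run-after-natd behaviour the file's own comment describes also argues for placing the divert rule after the address checks. The script below is an added example, not the poster's rc.firewall or FreeBSD's own; it reuses the interface and address values from the attachment, and the function names, rule numbers 300-510 and the FWCMD variable are this example's own choices (it only prints the commands unless FWCMD is set to a real ipfw).

```shell
#!/bin/sh
# Added example: scope the "inside hosts may talk out" rule to the inside
# interface instead of "allow ip from any to any". Dry-run by default;
# run with FWCMD="/sbin/ipfw -q" on the firewall itself.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

# Same interface and address values as the posted configuration.
oif="ppp0"; oip="205.243.140.183"
iif="xl0";  inet="192.168.16.0"; imask="255.255.255.0"

# Address checks first: they must see the packet before natd rewrites it.
anti_spoof_rules() {
    $fwcmd add 300 deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add 310 deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add 311 deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
}

# natd after the checks: the rules are re-run on the translated packet, so
# an inbound reply rewritten to a 192.168.16.x destination would otherwise
# come back through rule 311 and be dropped.
nat_rule() {
    $fwcmd add 400 divert natd all from any to any via ${oif}
}

# Inside hosts may initiate anything, but only for packets that arrive on
# the inside interface from an inside address; after translation the same
# flow leaves ${oif} with source ${oip}. Neither rule matches a packet that
# arrives on ${oif}, so the inbound deny/log rules keep their effect.
inside_out_rules() {
    $fwcmd add 500 allow ip from ${inet}:${imask} to any in via ${iif}
    $fwcmd add 510 allow ip from ${oip} to any out via ${oif}
}

# Emit the rules in the order they must be loaded.
all_rules() {
    anti_spoof_rules
    nat_rule
    inside_out_rules
}

all_rules
```

The remaining rules of the attachment (established TCP, the service-specific passes, the final denies) stay after these, unchanged.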