From: "Dave Atkins" <dave@atkinshome.com>
To: freebsd-questions@freebsd.org
Subject: simple firewall is too restrictive - what have I misconfigured?
Date: Fri, 8 Jun 2001 16:59:55 -0700
Message-ID: <000701c0f077$1e6342d0$0300a8c0@dave>

I have installed the latest version (4.3-RELEASE) of FreeBSD on an old P100 box to serve as a firewall and gateway for my internal home network (DSL). I have a set of 6 IP addresses here, but I want to put all the machines behind the firewall, then open selective ports and IP aliases to internal servers which include mail, www, and DNS.

I successfully set up nat and my internal network using the "open" firewall type. When I edit rc.firewall to specify my internal and external interfaces, then rc.conf to use firewall type simple, then reboot, I lose the ability to do anything from inside my network. I get lots of messages from ipfw that say "failed to write packet back 162 permission denied". This happens while booting (as the inetd daemons are starting) and when I try to telnet from the firewall machine. If I go back to "open" firewall, everything works fine.
At the risk of prostrating myself before the world, I am including the following detailed configuration information in the hopes that someone can help...

1. First thing I did was add two lines to a custom kernel config and recompile the kernel:

    options IPFIREWALL
    options IPDIVERT

2. Next, I modify rc.conf (this includes changes to enable IP mapping):

    # please make all changes to this file.
    defaultrouter="64.121.139.65"
    gateway_enable="YES"
    hostname="jen.atkinshome.com"
    network_interfaces="dc0 dc1"   # dc0 is internal, dc1 is external
    ifconfig_dc1_alias0="inet 64.121.139.68 netmask 255.255.255.248"   # this is a webserver on my internal network, NATed to be visible from the outside
    ifconfig_dc1_alias1="inet 64.121.139.66 netmask 255.255.255.248"   # this is the firewall address
    ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"   # this is the firewall again, the internal interface
    inetd_enable="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    sendmail_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"
    firewall_enable="YES"
    firewall_type="open"
    firewall_quiet="NO"
    natd_enable="YES"
    natd_interface="dc1"
    natd_flags="-redirect_address 192.168.0.2 64.121.139.68 -interface dc1"   # this achieves the desired network address translation for the internal webserver

So far, this works fine... if you go to http://64.121.139.68, for example, you get my internal webserver running on 192.168.0.2, and if you telnet to 64.121.139.66, you get the actual firewall. Obviously, this setup provides little or no more protection than just setting my webserver on the hub with the firewall machine... so I want to tighten things up on the firewall rules, and eventually, on the firewall machine itself (shut off telnet, etc.).
So, I go to /etc/rc.firewall and make the following changes to specify my internal and external interfaces:

    # set these to your outside interface network and netmask and ip
    oif="dc1"
    onet="64.121.139.64"
    omask="255.255.255.248"
    oip="64.121.139.66"

    # set these to your inside interface network and netmask and ip
    iif="dc0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

I was a little confused about the setting for "onet"--basically, I have the subnet from 64...64-71, so I'm assuming the .0/.248 combination is the way to mask it properly. My gateway/router at the ISP is 54.121.139.65... I have a slipstream 5250 bridge which is my connection over DSL to the ISP.

Then, I edit rc.conf to say firewall_type="simple" and reboot. The resulting firewall rules after reboot are (ipfw list >file):

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from 192.168.0.0/24 to any in recv dc1
    00500 deny ip from 64.121.139.64/29 to any in recv dc0
    00600 deny ip from any to 10.0.0.0/8 via dc1
    00700 deny ip from any to 172.16.0.0/12 via dc1
    00800 deny ip from any to 192.168.0.0/16 via dc1
    00900 deny ip from any to 0.0.0.0/8 via dc1
    01000 deny ip from any to 169.254.0.0/16 via dc1
    01100 deny ip from any to 192.0.2.0/24 via dc1
    01200 deny ip from any to 224.0.0.0/4 via dc1
    01300 deny ip from any to 240.0.0.0/4 via dc1
    01400 divert 8668 ip from any to any via dc1
    01500 deny ip from 10.0.0.0/8 to any via dc1
    01600 deny ip from 172.16.0.0/12 to any via dc1
    01700 deny ip from 192.168.0.0/16 to any via dc1
    01800 deny ip from 0.0.0.0/8 to any via dc1
    01900 deny ip from 169.254.0.0/16 to any via dc1
    02000 deny ip from 192.0.2.0/24 to any via dc1
    02100 deny ip from 224.0.0.0/4 to any via dc1
    02200 deny ip from 240.0.0.0/4 to any via dc1
    02300 allow tcp from any to any established
    02400 allow ip from any to any frag
    02500 allow tcp from any to 64.121.139.66 25 setup
    02600 allow tcp from any to 64.121.139.66 53 setup
    02700 allow udp from any to 64.121.139.66 53
    02800 allow udp from 64.121.139.66 53 to any
    02900 allow tcp from any to 64.121.139.66 80 setup
    03000 deny log tcp from any to any in recv dc1 setup
    03100 allow tcp from any to any setup
    03200 allow udp from 64.121.139.66 to any 53 keep-state
    03300 allow udp from 64.121.139.66 to any 123 keep-state
    65535 deny ip from any to any

That about covers it... looks to me like there are way too many deny rules up there and no allow from [internal] to any via dc1.

Thanks!

Dave Atkins
dave@atkinshome.com
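Added after the post for readers of this archive: a small Python script that walks a packet through the ruleset Dave listed. It is not code from the post, from FreeBSD or from natd. It implements ipfw's first-match evaluation for the subset of syntax the listing uses, and after rule 01400 it resumes with whatever natd would have written back into the divert socket, using a simplified model of the -interface/-redirect_address setup from the rc.conf above (outbound packets from 192.168.0.0/24 get source 64.121.139.66; inbound packets to 64.121.139.68 get destination 192.168.0.2). Dynamic keep-state rules are not modelled, so replies that the real kernel would match against 03200/03300 show up here as denied by 65535. The sample packets are constructed, with 198.51.100.10 (a documentation address) standing in for an Internet host. Run as written it shows three things: an inside host's outbound TCP SYN reaches 03100 once natd has rewritten its source; the same packet hits 01700 if it comes back from the divert with its 192.168.0.x source intact, which is the kind of refusal natd reports as "failed to write packet back" with EPERM; and a SYN to the web alias 64.121.139.68 is dropped by 03000, because after translation its destination is 192.168.0.2 and rule 02900 only allows port 80 to 64.121.139.66.

```python
# Added example, not FreeBSD or natd code: first-match evaluation of the post's
# ruleset plus a simplified natd; dynamic (keep-state) rules are not modelled.
import ipaddress
from collections import namedtuple

# The post's `ipfw list` output; the two eight-network deny blocks are generated.
BOGONS = ("10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 "
          "169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4").split()
RULESET = (
    ["00100 allow ip from any to any via lo0",
     "00200 deny ip from any to 127.0.0.0/8",
     "00300 deny ip from 127.0.0.0/8 to any",
     "00400 deny ip from 192.168.0.0/24 to any in recv dc1",
     "00500 deny ip from 64.121.139.64/29 to any in recv dc0"]
    + [f"{600 + 100 * k:05d} deny ip from any to {n} via dc1" for k, n in enumerate(BOGONS)]
    + ["01400 divert 8668 ip from any to any via dc1"]
    + [f"{1500 + 100 * k:05d} deny ip from {n} to any via dc1" for k, n in enumerate(BOGONS)]
    + ["02300 allow tcp from any to any established",
       "02400 allow ip from any to any frag",
       "02500 allow tcp from any to 64.121.139.66 25 setup",
       "02600 allow tcp from any to 64.121.139.66 53 setup",
       "02700 allow udp from any to 64.121.139.66 53",
       "02800 allow udp from 64.121.139.66 53 to any",
       "02900 allow tcp from any to 64.121.139.66 80 setup",
       "03000 deny log tcp from any to any in recv dc1 setup",
       "03100 allow tcp from any to any setup",
       "03200 allow udp from 64.121.139.66 to any 53 keep-state",
       "03300 allow udp from 64.121.139.66 to any 123 keep-state",
       "65535 deny ip from any to any"])

# Addresses from the post's rc.conf.  NAT model: outbound from the inside network
# takes the firewall's address; inbound to the redirected alias goes to the web server.
OIP, INET = ipaddress.ip_address("64.121.139.66"), ipaddress.ip_network("192.168.0.0/24")
REDIRECT = {ipaddress.ip_address("64.121.139.68"): ipaddress.ip_address("192.168.0.2")}
# direction is "in" or "out" on iface; flags holds TCP flag names such as {"syn"}
Packet = namedtuple("Packet", "proto src dst iface direction sport dport flags frag",
                    defaults=(None, None, frozenset(), False))

def _addr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(t, i):                                 # optional port after an address
    return (int(t[i]), i + 1) if i < len(t) and t[i].isdigit() else (None, i)

def parse_rule(line):                            # one `ipfw list` line -> dict of fields
    t = line.split()
    r = {"num": int(t[0]), "action": t[1]}
    i = 3 if t[1] == "divert" else 2             # skip natd's divert port
    i += t[i] == "log"                           # "deny log": logging does not change the verdict
    r["proto"], i = t[i], i + 1
    r["src"], i = _addr(t[i + 1]), i + 2         # t[i] is the keyword "from"
    r["sport"], i = _port(t, i)
    r["dst"], i = _addr(t[i + 1]), i + 2         # t[i] is the keyword "to"
    r["dport"], i = _port(t, i)
    while i < len(t):                            # trailing options
        if t[i] in ("via", "recv"):
            r[t[i]], i = t[i + 1], i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        elif t[i] in ("setup", "established", "frag", "keep-state"):
            r[t[i]], i = True, i + 1
        else:
            raise ValueError(f"rule {r['num']}: unsupported token {t[i]!r}")
    return r

def matches(r, p):                               # ipfw match semantics for these fields
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    syn_only = "syn" in p.flags and "ack" not in p.flags
    return (r["proto"] in ("ip", p.proto)
            and (r["src"] is None or src in r["src"]) and r["sport"] in (None, p.sport)
            and (r["dst"] is None or dst in r["dst"]) and r["dport"] in (None, p.dport)
            and r.get("via", p.iface) == p.iface and r.get("dir", p.direction) == p.direction
            and ("recv" not in r or (p.direction == "in" and r["recv"] == p.iface))
            and (not r.get("setup") or syn_only) and (not r.get("frag") or p.frag)
            and (not r.get("established") or bool(p.flags & {"ack", "rst"})))

def natd(p, translate=True):
    """The packet natd writes back into the divert socket (translate=False: untouched)."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if translate and p.direction == "out" and src in INET:
        return p._replace(src=str(OIP))
    if translate and p.direction == "in" and dst in REDIRECT:
        return p._replace(dst=str(REDIRECT[dst]))
    return p

def evaluate(p, nat_translates=True):
    """(rule number, action, rules hit) of the first allow/deny; after a divert ipfw resumes at the next rule."""
    trace = []
    for r in RULES:
        if matches(r, p):
            trace.append(r["num"])
            if r["action"] != "divert":
                return r["num"], r["action"], trace
            p = natd(p, nat_translates)
    raise RuntimeError("ruleset has no terminal rule")

RULES = [parse_rule(line) for line in RULESET]

if __name__ == "__main__":   # constructed packets; 198.51.100.10 stands in for an Internet host
    out = Packet("tcp", "192.168.0.5", "198.51.100.10", "dc1", "out", 1025, 80, frozenset({"syn"}))
    print("inside -> Internet, natd translating:", evaluate(out))
    print("inside -> Internet, source untranslated:", evaluate(out, nat_translates=False))
    print("Internet -> web alias:", evaluate(out._replace(src="198.51.100.10", dst="64.121.139.68", direction="in")))
```

The divert resumption is the part worth keeping in mind when reading a ruleset like this: rules 00600 to 01300 see the packet as it arrived, rules 01500 onward see it as natd handed it back, so an allow rule for a NATed internal server has to be written for the translated addresses, and a packet that reaches 01500 with a private source still on it is exactly what 01700 is there to drop. To try other traffic, build a Packet with the interface and direction ipfw would see and call evaluate on it; anything the parser does not understand raises ValueError rather than silently matching.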