Date: Thu, 10 Aug 2000 06:20:22 -0500
From: "Chris Silva" <bitsurfer@mediaone.net>
To: <FreeBSD-IPFW@FreeBSD.ORG>
Subject: IRC identing from client through FBSD firewall.
Message-ID: <KCELIGPCPGAIDMNBHMOGCEFCDBAA.bitsurfer@mediaone.net>
When I access IRC via a Windows box on my internal network, going through a cable modem, I get this error:

natd[162]: failed to write packet back (Permission denied)

My main concern is to use IRC on the intranet boxen and have auth work, so I can access EFNet and DALNet. This happens when identd is accessed. I can get out doing everything I need to, but I just can't get identd to work. I am using ident2 from the ports, and have set the auth line in the inetd.conf file.

Sorry for all the stuff here, but I wanted to give you all everything I possibly could - and feel free to add, subtract or point out all that is wrong. I'm open to ALL suggestions. Below are the stats you may need:

Firewall - FBSD 4.1-STABLE
----------------
rc.conf

# -- sysinstall generated deltas -- #
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 10.3.1.1 netmask 255.0.0.0"
ifconfig_xl0="DHCP"
hostname="firewall"
gateway_enable="YES"
defaultrouter="NO"
usbd_enable="YES"
inetd_flags="wW -R 1024"         # Optional flags to inetd
ntpdate_flags="ncar.ucar.edu"
ntpdate_enable="YES"
tcp_extensions="YES"
firewall_enable="YES"            # Set to YES to enable firewall functionality
firewall_type="simple"           # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"              #
natd_enable="YES"                # Enable natd (if firewall_enable == YES).
natd_interface="xl0"             # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"   # Additional flags for natd.
portmap_enable="NO"              # Run the portmapper service (or NO).
------------------
rc.firewall (simple)

# set these to your outside interface network and netmask and ip
oif="xl0"
onet="204.210.189.0"
omask="255.255.255.0"
oip="204.210.189.38"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="10.3.1.0"
imask="255.0.0.0"
iip="10.3.1.1"

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
#${fwcmd} add pass all from ${inet}:${imask} to ${inet}:${inet}

# Stop RFC1918 nets on the outside interface
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
#${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
#${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
#${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
#${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
#${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
#${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${oip}
${fwcmd} add pass udp from ${oip} to any 123

# Allow SSH logins and log them
${fwcmd} add pass tcp from any to any 22 in via ${oip} setup

# ICMP RULES
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings but not incoming
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

# MISCELLANEOUS RULES
# Reject broadcasts from outside
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject and log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 in via ${oif}

# Reject and log all other connections from outside interface
${fwcmd} add 65000 deny ip from any to any via ${oif}

------------------
ipfw list

00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/8 to any in recv xl0
00400 deny ip from 204.210.189.0/24 to any in recv fxp0
00500 deny ip from 0.0.0.0/8 to any via xl0
00600 deny ip from any to 0.0.0.0/8 via xl0
00700 deny ip from 169.254.0.0/16 to any via xl0
00800 deny ip from any to 169.254.0.0/16 via xl0
00900 deny ip from 192.0.2.0/24 to any via xl0
01000 deny ip from any to 192.0.2.0/24 via xl0
01100 deny ip from 224.0.0.0/4 to any via xl0
01200 deny ip from any to 224.0.0.0/4 via xl0
01300 deny ip from 240.0.0.0/4 to any via xl0
01400 deny ip from any to 240.0.0.0/4 via xl0
01500 allow tcp from any to any established
01600 allow ip from any to any frag
01700 allow tcp from any to 204.210.189.38 25 setup
01800 allow tcp from any to 204.210.189.38 53 setup
01900 allow udp from any to 204.210.189.38 53
02000 allow udp from 204.210.189.38 53 to any
02100 allow tcp from any to 204.210.189.38 80 setup
02200 allow tcp from any to any setup
02300 allow udp from any 53 to 204.210.189.38
02400 allow udp from 204.210.189.38 to any 53
02500 allow udp from any 123 to 204.210.189.38
02600 allow udp from 204.210.189.38 to any 123
02700 allow tcp from any to any 22 in recv 204.210.189.38 setup
02800 allow icmp from any to any via fxp0
02900 allow icmp from any to any out xmit xl0 icmptype 8
03000 allow icmp from any to any in recv xl0 icmptype 0
03100 allow icmp from any to any via xl0 icmptype 3,4,11,12
03200 deny icmp from any to any
63000 deny ip from any to 0.0.0.255:0.0.0.255 in recv xl0
64000 deny log udp from any to any 137-139 in recv xl0
65000 deny ip from any to any via xl0
65535 allow ip from any to any

------------------
ipfw show

00050 2165 736719 divert 8668 ip from any to any via xl0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 10.0.0.0/8 to any in recv xl0
00400 0 0 deny ip from 204.210.189.0/24 to any in recv fxp0
00500 0 0 deny ip from 0.0.0.0/8 to any via xl0
00600 0 0 deny ip from any to 0.0.0.0/8 via xl0
00700 0 0 deny ip from 169.254.0.0/16 to any via xl0
00800 0 0 deny ip from any to 169.254.0.0/16 via xl0
00900 0 0 deny ip from 192.0.2.0/24 to any via xl0
01000 0 0 deny ip from any to 192.0.2.0/24 via xl0
01100 0 0 deny ip from 224.0.0.0/4 to any via xl0
01200 0 0 deny ip from any to 224.0.0.0/4 via xl0
01300 0 0 deny ip from 240.0.0.0/4 to any via xl0
01400 0 0 deny ip from any to 240.0.0.0/4 via xl0
01500 3151 1344439 allow tcp from any to any established
01600 0 0 allow ip from any to any frag
01700 0 0 allow tcp from any to 204.210.189.38 25 setup
01800 0 0 allow tcp from any to 204.210.189.38 53 setup
01900 0 0 allow udp from any to 204.210.189.38 53
02000 0 0 allow udp from 204.210.189.38 53 to any
02100 0 0 allow tcp from any to 204.210.189.38 80 setup
02200 16 828 allow tcp from any to any setup
02300 22 3967 allow udp from any 53 to 204.210.189.38
02400 176 13329 allow udp from 204.210.189.38 to any 53
02500 0 0 allow udp from any 123 to 204.210.189.38
02600 0 0 allow udp from 204.210.189.38 to any 123
02700 0 0 allow tcp from any to any 22 in recv 204.210.189.38 setup
02800 16 944 allow icmp from any to any via fxp0
02900 13 900 allow icmp from any to any out xmit xl0 icmptype 8
03000 6 408 allow icmp from any to any in recv xl0 icmptype 0
03100 11 616 allow icmp from any to any via xl0 icmptype 3,4,11,12
03200 16 1344 deny icmp from any to any
63000 0 0 deny ip from any to 0.0.0.255:0.0.0.255 in recv xl0
64000 0 0 deny log udp from any to any 137-139 in recv xl0
65000 150 24958 deny ip from any to any via xl0
65535 588 61233 allow ip from any to any

------------------
natd.conf

# This is /etc/natd.conf - This is used for redirects. See below.
#
dynamic yes
use_sockets yes
same_ports yes

------------------
kernel (Only needed info)

options         IPFIREWALL_FORWARD
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
pseudo-device   bpf             #Berkeley packet filter

Best regards,
Chris
______________________________________________________________________
DH/DSS Fingerprint = 8265 0BB8 2C7D A376 3CCD 6858 8630 0E47 194A 0318
RSA Key Fingerprint = 4390 44E5 E316 F2AA A11E 5755 F3F9 D69B
PGP Mail encouraged / preferred - keys available on common key servers
______________________________________________________________________
Proud supporter of FreeBSD, NetBSD, OpenBSD, and BSDi
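As an added example (not part of Chris's post or FreeBSD's own code), a small Python first-match simulator over a reduced copy of the posted ipfw rules, showing which rule an inbound packet on xl0 reaches when natd leaves the destination alone and when natd rewrites it to an internal client. It assumes the documented ipfw/natd behaviour that rules are tried in ascending order, the first match decides, and a packet natd writes back through the divert socket resumes at the rule after the divert rule; 10.3.1.20 and 198.51.100.7 are constructed addresses.

```python
# Added example, not from the original post: a first-match simulator over a
# reduced copy of the posted ipfw rules, showing which rule an inbound packet
# on xl0 reaches before and after natd rewrites its destination address.
# Assumed ipfw/natd behaviour: rules are tried in ascending order, the first
# match decides, and a packet natd writes back via the divert socket resumes
# at the rule after the divert. 10.3.1.20 and 198.51.100.7 are constructed.
from dataclasses import dataclass, replace

OIP = "204.210.189.38"          # oip from the posted rc.firewall

@dataclass(frozen=True)
class Pkt:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                  # interface the packet arrives on
    tcp: str = ""               # "setup" (SYN only) or "established"

# (number, action, predicate): the posted rules that can match xl0 input
RULES = [
    (50,    "divert", lambda p: p.iface == "xl0"),
    (1500,  "allow",  lambda p: p.proto == "tcp" and p.tcp == "established"),
    (2200,  "allow",  lambda p: p.proto == "tcp" and p.tcp == "setup"),
    (2300,  "allow",  lambda p: p.proto == "udp" and p.sport == 53 and p.dst == OIP),
    (2400,  "allow",  lambda p: p.proto == "udp" and p.src == OIP and p.dport == 53),
    (65000, "deny",   lambda p: p.iface == "xl0"),
    (65535, "allow",  lambda p: True),      # IPFIREWALL_DEFAULT_TO_ACCEPT
]

def walk(pkt, nat_dst=None):
    """Trail of (rule, action) the packet takes. nat_dst is the internal
    address natd writes into dst, or None when natd has no mapping for it."""
    trail, i = [], 0
    while i < len(RULES):
        num, action, match = RULES[i]
        i += 1
        if not match(pkt):
            continue
        trail.append((num, action))
        if action != "divert":
            break
        if nat_dst:             # natd translates, then re-injects after rule 50
            pkt = replace(pkt, dst=nat_dst)
    return trail

IDENT_QUERY = Pkt("tcp", "198.51.100.7", 40000, OIP, 113, "xl0", "setup")
DNS_REPLY = Pkt("udp", "198.51.100.7", 53, OIP, 1025, "xl0")
IRC_DATA = Pkt("tcp", "198.51.100.7", 6667, OIP, 1030, "xl0", "established")
```

The two translated cases show the point worth checking in this ruleset: rules written "to ${oip}" only see the destination before natd rewrites it, so a translated UDP reply falls through to rule 65000 while a translated TCP reply is still matched by rule 1500 (established).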
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?KCELIGPCPGAIDMNBHMOGCEFCDBAA.bitsurfer>