Date:      Tue, 8 Dec 1998 08:23:26 -0700 (MST)
From:      wildcardus freakis <wildcard@dax.belen.k12.nm.us>
To:        Mark Mayo <mark@vmunix.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: NATD + firewall - I'm stumped..
Message-ID:  <Pine.BSF.3.96.981208082050.11752B-100000@dax.belen.k12.nm.us>
In-Reply-To: <19981208030926.A25214@vmunix.com>


	ER...my bad...I misunderstood the question being asked.
MHA.
I withdraw my suggestion.

Sasha



On Tue, 8 Dec 1998, Mark Mayo wrote:

> Hi all. I've been trying to get what I thought would be a trivial
> gateway to the net setup. I have a very simple setup - a P133 with
> two interfaces: ed1 and de0
> 
> ed1 is plugged into my cable modem with a static IP - 24.112.137.146
> de0 is plugged into my hub on the internal network - 192.168.4.1
> 
> Naturally, I want my internal machines on the 192.168.4.1/24 network
> to be able to use the FreeBSD box as their NAT gateway. This is a
> 3.0-RELEASE box, with IPDIVERT, IPFIREWALL kernel options. GATEWAY=YES
> 
> Using a very simple ruleset like:
> 
> 	/sbin/ipfw add divert natd all from any to any via ed1
> 	/sbin/ipfw add 100 pass all from any to any via lo0
> 	/sbin/ipfw add 200 deny all from any to 127.0.0.0/8
> 	/sbin/ipfw add 65000 pass all from any to any
> 
> Accompanied by "natd -n ed1" works nicely, and the NAT functions.
> The actual NAT box can get to both networks fine, and the internal
> machines also get access as expected. Naturally, I'd like to give
> a little more protection to the "router" box, but as soon as I try
> to do anything without the "add 65000 pass all from any to any" rule
> NAT just doesn't seem to want to go. Obviously, I'm doing something wrong
> and missing some key fundamental here, but no matter how many ways I
> play with the rules it beats me every time. Using the ruleset below, which
> makes sense at least in my mind, I can get to the point where the router
> is open on the inside, and from the actual router I can make connections
> to the outside world just fine, and incoming connections are rejected.
> In short everything is just how I'd like and expect it to be,
> with the one notable exception that packets simply aren't getting
> through the NAT part so my internal machines can't get to the internet.
> the "65534 deny all from any to any" ruleset is killing the packets..
> 
> I'm stumped. What do I need to get this thing running correctly?  :-)
> 
> TIA to anyone that can lift my ignorance..  
> 
> -Mark
> 
> #---------------------------------------------------------------------
> # Firewall by Mark...
> # summary: allow all traffic on the inside net, block nearly all
> # incoming traffic on the outside interface (internet), do NAT for
> # internal machine to access internet
> #
> # inside interface: de0
> # outside interface: ed1
> 
> # outside and inside IPs
> oip="24.112.137.146"
> iip="192.168.4.1"
> 
> /sbin/ipfw -f flush
> 
> # Allow NAT to examine packets first
> /sbin/ipfw add divert natd all from any to any via ed1
> 
> # Setup loopback interface + interior interface
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
> 
> # Stop RFC1918 nets on the outside interface
> /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ed1
> /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 172.16.0.0:255.240.0.0 via ed1
> /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 10.0.0.0:255.0.0.0 via ed1
> 
> # Allow all traffic to pass - i.e. open the door!
> #/sbin/ipfw add 65000 pass all from any to any
> 
> # Allow established connections through (i.e. setup from the inside)
> # TCP goes through if setup succeeded
> /sbin/ipfw add pass all from any to any out xmit ed1
> /sbin/ipfw add pass tcp from any to any established
> 
> # Allow traffic on my own net
> /sbin/ipfw add pass all from 192.168.4.0/24 to ${iip}
> /sbin/ipfw add pass all from ${iip} to 192.168.4.0/24
> 
> # Allow access to my SSH port for remote access
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
> 
> # Reset connections on the ident ports to prevent timeouts
> /sbin/ipfw add reset tcp from any to ${oip} 113
> 
> # Reject & Log all setup of incoming connections from the outside
> #/sbin/ipfw add deny log tcp from any to any in via ed1 setup
> #/sbin/ipfw add deny log tcp from any to any in recv ed1 setup
> /sbin/ipfw add deny log tcp from any to ${oip} setup
> 
> # Allow DNS queries out into the world
> /sbin/ipfw add pass udp from any 53 to ${oip}
> /sbin/ipfw add pass udp from ${oip} to any 53
> 
> 
> # Everything else is denied by default
> 
> 
> -- 
> ------------------------------------------------------------------------
>  Mark Mayo		  				mark@vmunix.com       
>  RingZero Comp.  	  		    http://www.vmunix.com/mark 
> ------------------------------------------------------------------------
>  "The Church says the earth is flat. But I know it's round, for I have
>   seen the shadow on the moon. And I have more faith in a shadow than
>   in the Church."  - Ferdinand Magellan
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

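As an added example, not Mark's script and not anything from the FreeBSD project, here is the same gateway's ruleset reordered so the RFC1918 checks run before the divert rule (natd reinjects a translated packet at the rule after the divert) and with explicit rules for the inside leg of forwarded traffic. The IPFW dry-run variable, the rule_line helper and the rule numbers are assumptions of this example.

```shell
#!/bin/sh
# Reordered ipfw + natd ruleset for the gateway in the thread (outside ed1
# with static IP, inside de0 on 192.168.4.0/24). Added example, not Mark's
# script. Assumption: IPFW defaults to "echo /sbin/ipfw" so the script only
# prints the rules (dry run); run with IPFW=/sbin/ipfw to load them.
IPFW="${IPFW:-echo /sbin/ipfw}"
oif="ed1"; oip="24.112.137.146"
iif="de0"; iip="192.168.4.1"; inet="192.168.4.0/24"

emit_rules() {
    $IPFW -f flush
    $IPFW add 100 pass all from any to any via lo0
    $IPFW add 200 deny all from any to 127.0.0.0/8

    # RFC1918 checks come BEFORE the divert rule. natd reinjects a translated
    # packet at the rule after the divert, so a reply whose destination has
    # just become 192.168.4.x would otherwise die here. "in" restricts the
    # check to untranslated inbound packets on the outside interface.
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
        $IPFW add 300 deny all from $net to any in via $oif
        $IPFW add 300 deny all from any to $net in via $oif
    done

    # Hand both directions on the outside interface to natd.
    $IPFW add 400 divert natd all from any to any via $oif

    # Packets are checked on the way in AND on the way out; a forwarded packet
    # crosses both interfaces, so explicitly allow the inside leg each way.
    $IPFW add 500 pass all from $inet to any in via $iif
    $IPFW add 510 pass all from any to $inet out via $iif
    # Anything leaving on the outside interface (already translated).
    $IPFW add 520 pass all from any to any out via $oif

    # Replies: TCP established, and DNS answers for the router itself and,
    # after de-NAT, for the inside hosts.
    $IPFW add 600 pass tcp from any to any established
    $IPFW add 610 pass udp from any 53 to $oip in via $oif
    $IPFW add 620 pass udp from any 53 to $inet in via $oif

    # Services offered to the outside, then log and drop other inbound SYNs.
    $IPFW add 700 pass tcp from any to $oip 22 setup
    $IPFW add 710 reset tcp from any to $oip 113
    $IPFW add 720 deny log tcp from any to any in via $oif setup
    # Everything else is denied by the implicit default rule.
}

# Line number (1-based) of the first emitted rule matching PATTERN, used to
# check rule order in the dry run.
rule_line() { emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
emit_rules
```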