Date: Tue, 8 Dec 1998 08:23:26 -0700 (MST)
From: wildcardus freakis <wildcard@dax.belen.k12.nm.us>
To: Mark Mayo <mark@vmunix.com>
Cc: questions@FreeBSD.ORG
Subject: Re: NATD + firewall - I'm stumped..
Message-ID: <Pine.BSF.3.96.981208082050.11752B-100000@dax.belen.k12.nm.us>
In-Reply-To: <19981208030926.A25214@vmunix.com>
ER...my bad...I misunderstood the question being asked. MHA. I withdraw my
suggestion.

Sasha

On Tue, 8 Dec 1998, Mark Mayo wrote:

> Hi all. I've been trying to get what I thought would be a trivial
> gateway to the net setup. I have a very simple setup - a P133 with
> two interfaces: ed1 and de0
>
> ed1 is plugged into my cable modem with a static IP - 24.112.137.146
> de0 is plugged into my hub on the internal network - 192.168.4.1
>
> Naturally, I want my internal machines on the 192.168.4.1/24 network
> to be able to use the FreeBSD box as their NAT gateway. This is a
> 3.0-RELEASE box, with IPDIVERT, IPFIREWALL kernel options. GATEWAY=YES
>
> Using a very simple ruleset like:
>
> /sbin/ipfw add divert natd all from any to any via ed1
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
> /sbin/ipfw add 65000 pass all from any to any
>
> accompanied by "natd -n ed1" works nicely, and the NAT functions.
> The actual NAT box can get to both networks fine, and the internal
> machines also get access as expected. Naturally, I'd like to give
> a little more protection to the "router" box, but as soon as I try
> to do anything without the "add 65000 pass all from any to any" rule
> NAT just doesn't seem to want to go. Obviously, I'm doing something wrong
> and missing some key fundamental here, but no matter how many ways I
> play with the rules it beats me every time. Using the ruleset below, which
> makes sense at least in my mind, I can get to the point where the router
> is open on the inside, and from the actual router I can make connections
> to the outside world just fine, and incoming connections are rejected.
> In short everything is just how I'd like and expect it to be,
> with the one notable exception that packets simply aren't getting
> through the NAT part so my internal machines can't get to the internet.
> The "65534 deny all from any to any" ruleset is killing the packets..
>
> I'm stumped. What do I need to get this thing running correctly? :-)
>
> TIA to anyone that can lift my ignorance..
>
> -Mark
>
> #---------------------------------------------------------------------
> # Firewall by Mark...
> # summary: allow all traffic on the inside net, block nearly all
> # incoming traffic on the outside interface (internet), do NAT for
> # internal machines to access the internet
> #
> # inside interface: de0
> # outside interface: ed1
>
> # outside and inside IPs
> oip="24.112.137.146"
> iip="192.168.4.1"
>
> /sbin/ipfw -f flush
>
> # Allow NAT to examine packets first
> /sbin/ipfw add divert natd all from any to any via ed1
>
> # Setup loopback interface + interior interface
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
>
> # Stop RFC1918 nets on the outside interface
> /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ed1
> /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 172.16.0.0:255.240.0.0 via ed1
> /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 10.0.0.0:255.0.0.0 via ed1
>
> # Allow all traffic to pass - i.e. open the door!
> #/sbin/ipfw add 65000 pass all from any to any
>
> # Allow established connections through (i.e. setup from the inside)
> # TCP goes through if setup succeeded
> /sbin/ipfw add pass all from any to any out xmit ed1
> /sbin/ipfw add pass tcp from any to any established
>
> # Allow traffic on my own net
> /sbin/ipfw add pass all from 192.168.4.0/24 to ${iip}
> /sbin/ipfw add pass all from ${iip} to 192.168.4.0/24
>
> # Allow access to my SSH port for remote access
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
>
> # Reset connections on the ident ports to prevent timeouts
> /sbin/ipfw add reset tcp from any to ${oip} 113
>
> # Reject & Log all setup of incoming connections from the outside
> #/sbin/ipfw add deny log tcp from any to any in via ed1 setup
> #/sbin/ipfw add deny log tcp from any to any in recv ed1 setup
> /sbin/ipfw add deny log tcp from any to ${oip} setup
>
> # Allow DNS queries out into the world
> /sbin/ipfw add pass udp from any 53 to ${oip}
> /sbin/ipfw add pass udp from ${oip} to any 53
>
> # Everything else is denied by default
>
> --
> ------------------------------------------------------------------------
> Mark Mayo                                         mark@vmunix.com
> RingZero Comp.                         http://www.vmunix.com/mark
> ------------------------------------------------------------------------
> "The Church says the earth is flat. But I know it's round, for I have
> seen the shadow on the moon. And I have more faith in a shadow than
> in the Church." - Ferdinand Magellan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
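As an added illustration (not from this thread, and not ipfw itself), the following Python models ipfw's first-match evaluation with a natd divert and loads it with Mark's ruleset, numbered by position. The inside host 192.168.4.10, the web server 198.51.100.7, the one-flow natd, and the optional "pass all via de0" rule are assumptions. Tracing a SYN from the inside host and its reply shows the packet entering on de0 hitting the default deny, and, once inside traffic is allowed, the reply being dropped by the RFC1918 rule because it re-enters ipfw after the divert with its destination already rewritten to the inside address.

```python
import ipaddress

OIP, IIP, INSIDE = "24.112.137.146", "192.168.4.1", "192.168.4.10"  # the post's addresses plus a constructed inside host
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = ("192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0")
def net(s):  # accepts the post's addr:mask form as well as CIDR or a bare host address
    return ipaddress.ip_network(s.replace(":", "/"), strict=False)
def ruleset(allow_inside=False):
    # The post's rules in order as (action, proto, src, dst, dport, options), numbered by position;
    # allow_inside appends a 'pass all via de0' rule the post lacks (assumed here, not from the post).
    r = [("divert", "all", ANY, ANY, None, {"via": "ed1"}), ("pass", "all", ANY, ANY, None, {"via": "lo0"}),
         ("deny", "all", ANY, net("127.0.0.0/8"), None, {})]
    r += [("deny", "all", s, d, None, {"via": "ed1"}) for p in RFC1918 for s, d in ((net(p), ANY), (ANY, net(p)))]
    r += [("pass", "all", ANY, ANY, None, {"via": "de0"})] if allow_inside else []
    r += [("pass", "all", ANY, ANY, None, {"dir": "out", "via": "ed1"}),  # out xmit ed1
          ("pass", "tcp", ANY, ANY, None, {"flag": "established"}),
          ("pass", "all", net("192.168.4.0/24"), net(IIP), None, {}), ("pass", "all", net(IIP), net("192.168.4.0/24"), None, {}),
          ("pass", "tcp", ANY, net(OIP), 22, {"flag": "setup"}), ("reset", "tcp", ANY, net(OIP), 113, {}),
          ("deny", "tcp", ANY, net(OIP), None, {"flag": "setup"}),
          ("pass", "udp", ANY, net(OIP), None, {"sport": 53}), ("pass", "udp", net(OIP), ANY, 53, {}),
          ("deny", "all", ANY, ANY, None, {})]  # the default 65535 deny
    return r
def matches(rule, p):  # "via X" matches either direction; "dir" plus "via" models "out xmit X"
    _, proto, src, dst, dport, o = rule
    return (proto in ("all", p["proto"]) and p["src"] in src and p["dst"] in dst
            and dport in (None, p["dport"]) and o.get("sport") in (None, p["sport"])
            and o.get("via") in (None, p["iface"]) and o.get("dir") in (None, p["dir"])
            and o.get("flag") in (None, p["flag"]))
def natd(p):  # natd -n ed1 reduced to this one flow: outgoing source becomes OIP, the reply gets INSIDE back
    return dict(p, src=ipaddress.ip_address(OIP)) if p["dir"] == "out" else dict(p, dst=ipaddress.ip_address(INSIDE))
def evaluate(rules, p):  # first match wins; a divert runs natd and matching resumes at the next rule
    for n, rule in enumerate(rules, 1):
        if matches(rule, p):
            if rule[0] != "divert":
                return n, rule[0], p  # (rule number, action, packet as last seen)
            p = natd(p)
def trace(allow_inside=False):  # SYN from INSIDE to a (constructed) web server, then the server's SYN/ACK back
    # A forwarded packet passes ipfw twice, in on one interface and out on the other; stop at the first non-pass.
    rules, hops = ruleset(allow_inside), []
    p = dict(src=ipaddress.ip_address(INSIDE), dst=ipaddress.ip_address("198.51.100.7"), proto="tcp", sport=1025, dport=80, flag="setup")
    for iface, direction in (("de0", "in"), ("ed1", "out"), ("ed1", "in"), ("de0", "out")):
        if (iface, direction) == ("ed1", "in"):  # the reply, built from the SYN as it left ed1 (already NATed)
            p = dict(p, src=p["dst"], dst=p["src"], sport=80, dport=p["sport"], flag="established")
        n, action, p = evaluate(rules, dict(p, iface=iface, dir=direction))
        hops.append((n, action))
        if action != "pass": break
    return hops
```

trace() stops at rule 19, the default deny, on the packet's first pass in via de0; trace(allow_inside=True) gets the SYN out through the divert and rule 11 but loses the reply at rule 5, the "deny all from any to 192.168.0.0:255.255.0.0 via ed1" rule.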