Date:      Wed, 4 Aug 1999 09:53:47 -0600
From:      "'Oscar Bonilla'" <obonilla@fisicc-ufm.edu>
To:        "David B. Aas" <dave@ciminot.com>
Cc:        "'Ray Seals'" <rayseals@midwestis.com>, "'Oscar Bonilla'" <obonilla@fisicc-ufm.edu>, "'Thomas Uhrfelt'" <thomas.uhrfelt@plymovent.se>, questions@freebsd.org
Subject:   Re: Need consulting help with v3.2 firewall
Message-ID:  <19990804095347.F698@fisicc-ufm.edu>
In-Reply-To: <000d01bede87$54afa120$0fc8a8c0@dave.ciminot.com>; from David B. Aas on Wed, Aug 04, 1999 at 09:39:29AM -0500
References:  <000d01bede87$54afa120$0fc8a8c0@dave.ciminot.com>

On Wed, Aug 04, 1999 at 09:39:29AM -0500, David B. Aas wrote:
> Guys-
> 
> Thanks for your suggestions. I tried both. It is better, but I still can't
> get through.
> 
> Oscar's suggestion substantially speeded up the response from the client.

this means DNS is now getting through.

> The clients still cannot get through. The clients are Win95/98 with my
> FreeBSD box set as primary DNS.
> 
> Ray's suggestion to telnet to my ISP's POP3 server works from the FreeBSD
> box, but does not work from internal clients.

this means you're not allowing pop3 connections from the inside.

> 
> My FreeBSD box can do a "ping netscape.com" OK. My clients cannot.

You're forbidding ICMP to get through from the inside net.

> 
> I double and triple-checked my DNS. I originally had the FreeBSD box set up
> as a Secondary DNS server. I changed it to be a caching DNS server off of my
> ISP. That still didn't work.
> 

DNS is not your problem.

> I will attach my configuration files. I would appreciate any help.

Here's your rc.firewall again with comments starting with ---> :
more comments at bottom.

----------------------------------------------------------------------------
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
# Customized by Dave Aas 1999/07/20

# Suck in the configuration variables.
. /etc/rc.conf

# Flush out the list before we begin.
ipfw -f flush

# Divert internal ip addresses
ipfw add 100 divert natd all from any to any via ${natd_interface}

# Allow all outbound traffic
ipfw add 150 allow all from any to any out

---> I don't see the need for this rule.

# Only in rare cases do you want to change these rules
ipfw add 200 pass all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8

# Stop spoofing
ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}

# Allow TCP through if setup succeeded
ipfw add 600 pass tcp from any to any established

# Allow setup of incoming email
ipfw add 700 pass tcp from any to ${oip} 25 setup

---> Here you're allowing access to the SMTP port on the Firewall
---> Are you sure about this?

ipfw add 710 allow tcp from any to any 110 setup

---> This should let POP3 go through

# Allow access to our DNS
ipfw add 800 pass tcp from any to ${oip} 53 setup

---> This is only for zone transfers. Is your Firewall a 
---> secondary DNS?

# Allow access to our WWW
ipfw add 900 pass tcp from any to ${oip} 80 setup

---> Do you run a WWW server on your Firewall?

# Other webserver traffic
ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}

---> Here you're allowing connections from the outside to WWW
---> and Squid I guess. Are you running this on your firewall?

# Allow setup of outgoing TCP connections only
ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
ipfw add 1100 allow tcp from ${iip}:${imask} to any setup

---> Here you're saying that your Firewall can connect to anyone
---> It wants to.

# Allow maintenance from CI
ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup

---> Don't know about this one...

# Allow DNS queries out in the world
ipfw add 1400 pass udp from any 53 to any
ipfw add 1500 pass udp from any to any 53

---> DNS can go through

# Allow NTP queries out in the world
ipfw add 1600 pass udp from any 123 to ${oip}

---> Allow folks to synchronize time with the Firewall
---> Is your firewall a time server?

ipfw add 1700 pass udp from ${oip} to any 123

---> Allow the firewall to synchronize with anyone it wants.

# Allow ping to or from the world
ipfw add 1800 allow icmp from any to any icmptypes 0,8

---> You're allowing ICMP to go through

# Allow POP3 setup
ipfw add 1850 allow tcp from any 1024-65535 to any 110
ipfw add 1860 allow tcp from ${inet}:${imask} to any 110
ipfw add 1880 allow tcp from any 1024-65535 to any 1024-65535
ipfw add 1890 allow udp from any 1024-65535 to any 1024-65535

---> I would change these 4 rules to be
---> ipfw add 1850 pass tcp from any to any 110 setup

# Disallow setup of all other TCP connections
ipfw add 2000 deny tcp from any to any setup

---> I would change this rule to be 
---> ipfw add 2000 deny log tcp from any to any
---> ipfw add 2050 deny log udp from any to any

# Allow ident in
ipfw add 2100 allow tcp from any to any 113 in via ${oif}
ipfw add 2200 allow tcp from any to any 113 out via ${oif}

---> Ident only to/from Firewall, but since we've denied everything
---> above it will never match. You should move this rule way up.

# Everything else is denied as default.
----------------------------------------------------------------------------

Notice the last rule logging everything? You should watch your
console when you try to establish the pop session from the 
windows machine and see where it fails. Then think if this is 
normal and if you think it is open up that port.

hope this helps.

regards,

-Oscar


-- 
For PGP Public Key: finger obonilla@fisicc-ufm.edu
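The first-match point Oscar makes about the ident rules (anything numbered after a deny-all can never fire) is easy to check without a FreeBSD box. The simulator below is an added example, not code from the mail or from FreeBSD; it models only the ipfw features the thread uses (protocol, destination port, `setup`, ascending rule order with an implicit final deny) and runs a constructed tail of the proposed ruleset.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "all"
    dport: int = 0       # destination port; 0 means any port
    setup: bool = False  # match only TCP connection-setup (SYN) packets

def matches(rule, proto, dport, syn):
    if rule.proto != "all" and rule.proto != proto:
        return False
    if rule.dport and rule.dport != dport:
        return False
    if rule.setup and not (proto == "tcp" and syn):
        return False
    return True

def first_match(rules, proto, dport, syn=False):
    """ipfw semantics: rules are tried in ascending number and the first
    match decides; the implicit final rule 65535 denies everything."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, proto, dport, syn):
            return r.num, r.action
    return 65535, "deny"

# Constructed tail of the ruleset as Oscar proposes it: one POP3 setup rule,
# then deny-all, with Dave's ident rule still sitting after the deny.
PROPOSED = [
    Rule(1850, "allow", "tcp", 110, setup=True),
    Rule(2000, "deny", "tcp"),
    Rule(2050, "deny", "udp"),
    Rule(2100, "allow", "tcp", 113),
]

def pop3_result():
    # Windows client's SYN to the ISP's POP3 server
    return first_match(PROPOSED, "tcp", 110, syn=True)

def ident_result():
    # mail server's ident query: rule 2100 is shadowed by 2000
    return first_match(PROPOSED, "tcp", 113, syn=True)

def moved_ident_result():
    # same set with the ident rule renumbered above the deny, as suggested
    moved = [Rule(1900, "allow", "tcp", 113) if r.num == 2100 else r
             for r in PROPOSED]
    return first_match(moved, "tcp", 113, syn=True)
```

The `deny log` rule Oscar suggests is what turns the shadowed case from a silent failure into a console line you can read, which is the point of watching the console while the Windows client retries.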

