Date:      Mon, 5 Mar 2001 16:13:35 +1100 
From:      Murray Taylor <mtaylor@bytecraft.com.au>
To:        "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject:   firewalling with NAT and PPP
Message-ID:  <710709BB8B02D311942E006067441810544275@MELEXC01>

More questions as I attempt to get over the "learning cliff"!

Do I run PPP with its nat actions enabled in the following setup, or do I
run natd on both interfaces?

NOTE: I'm still waiting for my hardware to turn up for the frame relay
interface, so I'm just trying to get ahead...

                                |============================|
                                |               ++++++++     |
frame relay <- net x.y.z.0/26 ->| sr0<->ng0 <-> + ipfw +     |
                                |               +   &  +     |
modem       <- dynamic addr --->| tun0 <------> + natd +     |
                                |               ++++++++     |
                                |                  ^         |
                                |                  |         |
internal net <--- 10.1.2.0/16 ->| fxp0 <------------         |
                                |                            |
future x.y.z.n machines <------>| fxp1 <--- ?? bridge ??     |
                                |                            |
                                |      FreeBSD 4.2 release   |
                                |============================|


My proposed firewall rules are like this so far ;-)    (see below)
Please see the area near the Big ?? mark...

And later on I could be 'bridging' the x.y.z.0/26 net out 'sideways' to
other machines that need to be directly visible on the internet
via an fxp1 port.
 - Is bridging the appropriate method ??
 - Do the other machines benefit from this firewall, or
   do I need to make individual ones on the extra machines??

I'm in the process of acquiring the new FreeBSD Corporate Networkers Guide
which I hope will become another useful "FM to R" on the bookshelf,
but it appears to be a long snail trail from USofA to the Land Downunder
;-(

cheers
Murray Taylor
Project Engineer

Bytecraft P/L	+61 3 9587 2555
			+61 3 9587 1614 fax
			mtaylor@bytecraft.com.au



############
# Only in rare cases do you want to change these rules
#
# fwcmd is normally set earlier in rc.firewall; default it here so this
# fragment also runs on its own.
: ${fwcmd:=/sbin/ipfw}

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# add deny all rule (current chicken/learning mode kernel is allow all from
# any to any)
###${fwcmd} add 65000 deny all from any to any

# This is a prototype setup for a simple firewall.  Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

# outside interface network and netmask and ip
frame_if="ng0"
frame_net="x.y.z.0"
frame_mask="255.255.255.192"
frame_ip="x.y.z.1"

# tun modem interface
tun_if="tun0"

# inside interface network and netmask and ip
my_if="fxp0"
my_net="10.1.2.0"
my_mask="255.255.0.0"
my_ip="10.1.2.30"

# Stop spoofing
${fwcmd} add deny all from ${my_net}:${my_mask} to any in via ${frame_if}
${fwcmd} add deny all from ${my_net}:${my_mask} to any in via ${tun_if}
${fwcmd} add deny all from ${frame_net}:${frame_mask} to any in via ${my_if}

# Stop RFC1918 nets on the outside interfaces
${fwcmd} add deny all from any to 10.0.0.0/8 via ${frame_if}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${tun_if}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${frame_if}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${tun_if}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${frame_if}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${tun_if}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interfaces
${fwcmd} add deny all from any to 0.0.0.0/8 via ${frame_if}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${tun_if}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${frame_if}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${tun_if}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${frame_if}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${tun_if}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${frame_if}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${tun_if}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${frame_if}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${tun_if}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
#
# natd interface should be frame relay netgraph output
${fwcmd} add divert natd all from any to any via ${frame_if}

#            ??????
#           ??    ??
#                ??
#               ??
#              ??
#              ??
#
#              ??
#
# should this be here with PPP not doing nat
# or should I move some of the tun rules up earlier with PPP doing nat
${fwcmd} add divert natd all from any to any via ${tun_if}

# Stop RFC1918 nets on the outside interfaces
${fwcmd} add deny all from 10.0.0.0/8 to any via ${frame_if}
${fwcmd} add deny all from 10.0.0.0/8 to any via ${tun_if}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${frame_if}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${tun_if}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${frame_if}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${tun_if}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interfaces
${fwcmd} add deny all from 0.0.0.0/8 to any via ${frame_if}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${tun_if}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${frame_if}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${tun_if}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${frame_if}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${tun_if}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${frame_if}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${tun_if}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${frame_if}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${tun_if}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${frame_ip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${frame_ip} 53 setup
${fwcmd} add pass udp from any to ${frame_ip} 53
${fwcmd} add pass udp from ${frame_ip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${frame_ip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${frame_if} setup
${fwcmd} add deny log tcp from any to any in via ${tun_if} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${frame_ip}
${fwcmd} add pass udp from ${frame_ip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${frame_ip}
${fwcmd} add pass udp from ${frame_ip} to any 123
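The comment above the first divert rule explains why it sits between the "deny ... to <bogon net>" block and the "deny ... from <bogon net>" block. The following is an added example, not code from the post or from FreeBSD: a small Python model of ipfw's first-match walk with a natd stand-in, run over the three possible placements of the divert rule on one outside interface. It simplifies heavily (no protocol or port matching, no setup/established state, a subset of the blocked nets, and a final pass rule standing in for the later pass rules), and all addresses are constructed: 203.0.113.1 stands in for the post's x.y.z.1, 198.51.100.5 is a made-up remote host, and the dict replaces natd's dynamic state table. The interface name is a parameter, so the same walk can be repeated with "tun0" when reasoning about the second divert rule.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rules plus a natd(8)
stand-in.  Added example, not code from the original post: it models why
the posted ruleset puts the natd divert rule between the "deny ... to
<bogon net>" block and the "deny ... from <bogon net>" block."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.1"   # constructed stand-in for the post's frame_ip x.y.z.1
REMOTE_IP = "198.51.100.5"   # constructed remote host on the Internet

# Subset of the nets the posted rules block on the outside interfaces.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet crosses, e.g. "ng0" or "tun0"
    direction: str   # "in" or "out" relative to the firewall host


@dataclass
class Rule:
    action: str                      # "pass", "deny" or "divert"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    via: Optional[str] = None        # ipfw "via <iface>": either direction
    direction: Optional[str] = None  # "in", "out" or None for both


def in_net(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)


def natd(pkt: Packet, table: Dict[str, str]) -> Packet:
    """Minimal natd: an outbound packet gets the outside address as source
    and the (remote -> inside host) pair is remembered; an inbound packet
    addressed to the outside address is mapped back to that inside host.
    The dict stands in for natd's dynamic state table."""
    if pkt.direction == "out" and pkt.src != OUTSIDE_IP:
        table[pkt.dst] = pkt.src
        return replace(pkt, src=OUTSIDE_IP)
    if pkt.direction == "in" and pkt.dst == OUTSIDE_IP and pkt.src in table:
        return replace(pkt, dst=table[pkt.src])
    return pkt


def evaluate(rules: List[Rule], pkt: Packet,
             table: Optional[Dict[str, str]] = None) -> Tuple[str, int, Packet]:
    """Walk the rules in order like ipfw: a matching pass/deny terminates;
    a matching divert hands the packet to natd and, as ipfw does when natd
    re-injects it, processing resumes at the rule after the divert rule."""
    table = {} if table is None else table
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, table)
            continue
        return rule.action, i, pkt
    return "deny", len(rules), pkt   # stands in for a default-deny kernel


def ruleset(ext_if: str, divert_at: str) -> List[Rule]:
    """Three-block layout with the divert rule placed "before", "between"
    (the posted order) or "after" the two bogon deny blocks.  The closing
    pass rule stands in for the post's later pass rules."""
    to_block = [Rule("deny", "any", net, via=ext_if) for net in BOGONS]
    from_block = [Rule("deny", net, "any", via=ext_if) for net in BOGONS]
    divert = [Rule("divert", "any", "any", via=ext_if)]
    order = {"before": divert + to_block + from_block,
             "between": to_block + divert + from_block,
             "after": to_block + from_block + divert}
    return order[divert_at] + [Rule("pass", "any", "any")]


def outbound(divert_at: str, inside_host: str = "10.1.2.30",
             ext_if: str = "ng0") -> Tuple[str, int, Packet]:
    """Inside host sends a packet out through the outside interface."""
    return evaluate(ruleset(ext_if, divert_at),
                    Packet(inside_host, REMOTE_IP, ext_if, "out"))


def inbound_reply(divert_at: str, inside_host: str = "10.1.2.30",
                  ext_if: str = "ng0") -> Tuple[str, int, Packet]:
    """Reply comes back to the outside address; natd already knows the
    inside host from the earlier outbound packet."""
    table = {REMOTE_IP: inside_host}
    return evaluate(ruleset(ext_if, divert_at),
                    Packet(REMOTE_IP, OUTSIDE_IP, ext_if, "in"), table)


if __name__ == "__main__":
    for where in ("before", "between", "after"):
        print(where, "out:", outbound(where)[:2],
              "in:", inbound_reply(where, "192.0.2.1")[:2])
```

Running it shows the two failure modes the comment describes: with the divert rule after both blocks, an outbound packet from 10.1.2.30 is still carrying its private source when it reaches "deny from 10.0.0.0/8" and is dropped; with the divert rule before both blocks, a reply to an inside host numbered 192.0.2.1 is translated first and then matches "deny to 192.0.2.0/24". Only the posted "between" placement passes both.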



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message



