From owner-freebsd-net Sun Mar 4 21:14:27 2001
Delivered-To: freebsd-net@freebsd.org
Received: from online.tmx.com.au (online.tmx.com.au [192.150.129.1]) by hub.freebsd.org (Postfix) with ESMTP id C9E4937B71A for ; Sun, 4 Mar 2001 21:14:17 -0800 (PST) (envelope-from mtaylor@bytecraft.com.au)
Received: from melexc01.bytecraft.com.au ([203.9.250.249]) by online.tmx.com.au (8.9.3/8.8.8) with ESMTP id QAA24322 for Mon, 5 Mar 2001 16:14:03 +1100 (EST)
Received: by MELEXC01 with Internet Mail Service (5.5.2448.0) id ; Mon, 5 Mar 2001 16:14:30 +1100
Message-ID: <710709BB8B02D311942E006067441810544275@MELEXC01>
From: Murray Taylor
To: "'freebsd-net@freebsd.org'"
Subject: firewalling with NAT and PPP
Date: Mon, 5 Mar 2001 16:13:35 +1100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

More questions as I attempt to get over the "learning cliff"!

Do I run PPP with its nat actions enabled in the following setup, or do I run natd on both interfaces?

NOTE: I'm still waiting for my hardware to turn up for the frame relay interface, so I'm just trying to get ahead...

                                   |============================|
                                   |                ++++++++    |
  frame relay <- net x.y.z.0/26 -->| sr0<->ng0 <--> + ipfw +    |
                                   |                +  &   +    |
  modem <- dynamic addr ---------->| tun0 <-------> + natd +    |
                                   |                ++++++++    |
                                   |                    ^       |
                                   |                    |       |
  internal net <--- 10.1.2.0/16 -->| fxp0 <-------------        |
                                   |                            |
  future x.y.z.n machines <------->| fxp1 <--- ?? bridge ??     |
                                   |                            |
                                   |     FreeBSD 4.2 release    |
                                   |============================|

My proposed firewall rules are like this so far ;-) (see below)

Please see the area near the Big ?? mark...

And later on I could be 'bridging' the x.y.z.0/26 net out 'sideways' to other machines that need to be directly visible on the internet via a fxp1 port.

- Is bridging the appropriate method??
- Do the other machines benefit from this firewall, or do I need to make individual ones on the extra machines??
I'm in the process of acquiring the new FreeBSD Corporate Networkers Guide, which I hope will become another useful "FM to R" on the bookshelf, but it appears to be a long snail trail from USofA to the Land Downunder ;-(

cheers
Murray Taylor
Project Engineer
Bytecraft P/L
+61 3 9587 2555
+61 3 9587 1614 fax
mtaylor@bytecraft.com.au


############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# add deny all rule (current chicken/learning mode kernel is allow all from any to any)
###${fwcmd} add 65000 deny all from any to any

# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

# outside interface network and netmask and ip
frame_if="ng0"
frame_net="x.y.z.0"
frame_mask="255.255.255.192"
frame_ip="x.y.z.1"

# tun modem interface
tun_if="tun0"

# inside interface network and netmask and ip
my_if="fxp0"
my_net="10.1.2.0"
my_mask="255.255.0.0"
my_ip="10.1.2.30"

# Stop spoofing
${fwcmd} add deny all from ${my_net}:${my_mask} to any in via ${frame_if}
${fwcmd} add deny all from ${my_net}:${my_mask} to any in via ${tun_if}
${fwcmd} add deny all from ${frame_net}:${frame_mask} to any in via ${my_if}

# Stop RFC1918 nets on the outside interfaces
${fwcmd} add deny all from any to 10.0.0.0/8 via ${frame_if}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${tun_if}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${frame_if}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${tun_if}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${frame_if}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${tun_if}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interfaces
${fwcmd} add deny all from any to 0.0.0.0/8 via ${frame_if}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${tun_if}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${frame_if}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${tun_if}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${frame_if}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${tun_if}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${frame_if}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${tun_if}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${frame_if}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${tun_if}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
#
# natd interface should be frame relay netgraph output
${fwcmd} add divert natd all from any to any via ${frame_if}

# ??????
# ??  ??
#     ??
#    ??
#   ??
#   ??
#
#   ??
#
# should this be here with PPP not doing nat
# or should I move some of the tun rules up earlier with PPP doing nat
${fwcmd} add divert natd all from any to any via ${tun_if}

# Stop RFC1918 nets on the outside interfaces
${fwcmd} add deny all from 10.0.0.0/8 to any via ${frame_if}
${fwcmd} add deny all from 10.0.0.0/8 to any via ${tun_if}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${frame_if}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${tun_if}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${frame_if}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${tun_if}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interfaces
${fwcmd} add deny all from 0.0.0.0/8 to any via ${frame_if}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${tun_if}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${frame_if}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${tun_if}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${frame_if}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${tun_if}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${frame_if}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${tun_if}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${frame_if}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${tun_if}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${frame_ip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${frame_ip} 53 setup
${fwcmd} add pass udp from any to ${frame_ip} 53
${fwcmd} add pass udp from ${frame_ip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${frame_ip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${frame_if} setup
${fwcmd} add deny log tcp from any to any in via ${tun_if} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${frame_ip}
${fwcmd} add pass udp from ${frame_ip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${frame_ip}
${fwcmd} add pass udp from ${frame_ip} to any 123


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
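The ordering point that the natd comment in the ruleset above makes (the divert rule must sit after the inbound "to private net" denies and before the outbound "from private net" denies, on every interface that is diverted) can be checked mechanically before the rules are loaded. The script below is an added example, not the poster's script and not FreeBSD's rc.firewall: fwcmd is a shell function that records each rule in a temporary file instead of calling ipfw(8), build_rules reproduces the post's structure with constructed interface names (ng0, tun0, fxp0) and the post's own x.y.z.0 placeholder, and check_divert_order uses awk to verify the invariant for one interface. The optional divert-first argument deliberately misplaces the divert rules so the failure case can be seen.

```shell
#!/bin/sh
# Added example (not the poster's script): dry-run ruleset builder plus an
# ordering check for the natd divert rule. ipfw(8) is never invoked, so this
# runs on any host with sh and awk. Interface and network names are
# constructed placeholders.

RULES="${TMPDIR:-/tmp}/ipfw-dryrun.$$"

# Dry-run stand-in for "${fwcmd} add ...": append the rule text to a file.
fwcmd() {
    printf '%s\n' "$*" >> "$RULES"
}

# Nets that must never be an inbound destination (before NAT) nor an
# outbound source (after NAT) on an outside interface; same list as the post.
BOGON_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# One natd divert rule per outside interface.
divert_rules() {
    for outif in $frame_if $tun_if; do
        fwcmd add divert natd all from any to any via $outif
    done
}

# build_rules [divert-first]: write the ruleset to $RULES. With "divert-first"
# the divert rules go ahead of the inbound denies, which is exactly the
# misordering the post's natd comment warns about.
build_rules() {
    : > "$RULES"
    frame_if="ng0"; tun_if="tun0"; my_if="fxp0"         # constructed names
    my_net="10.1.2.0"; my_mask="255.255.0.0"
    frame_net="x.y.z.0"; frame_mask="255.255.255.192"   # placeholder, as in the post

    fwcmd add 100 pass all from any to any via lo0
    fwcmd add 200 deny all from any to 127.0.0.0/8
    # Anti-spoofing: our own nets must not arrive on the wrong interface.
    fwcmd add deny all from ${my_net}:${my_mask} to any in via ${frame_if}
    fwcmd add deny all from ${my_net}:${my_mask} to any in via ${tun_if}
    fwcmd add deny all from ${frame_net}:${frame_mask} to any in via ${my_if}

    if [ "$1" = "divert-first" ]; then divert_rules; fi
    # Inbound: the destination is still the public address at this point,
    # so a private destination on an outside interface is bogus.
    for net in $BOGON_NETS; do
        for outif in $frame_if $tun_if; do
            fwcmd add deny all from any to $net via $outif
        done
    done
    if [ "$1" != "divert-first" ]; then divert_rules; fi
    # Outbound: the source has already been rewritten by natd here, so a
    # private source on an outside interface is bogus.
    for net in $BOGON_NETS; do
        for outif in $frame_if $tun_if; do
            fwcmd add deny all from $net to any via $outif
        done
    done
    fwcmd add pass tcp from any to any established
    fwcmd add deny log tcp from any to any in via ${frame_if} setup
    fwcmd add deny log tcp from any to any in via ${tun_if} setup
    fwcmd add pass tcp from any to any setup
}

# check_divert_order IF: exit 0 only if the divert rule for IF comes after
# the last "deny ... from any to <net> via IF" and before the first
# "deny ... from <net> to any via IF".
check_divert_order() {
    awk -v ifn="$1" '
        $0 ~ ("via " ifn "$") {
            if ($0 ~ /divert natd/)                                  { div = NR }
            else if ($0 ~ /deny all from any to/)                    { last_in = NR }
            else if ($0 ~ /deny all from [^ ]* to any via/ && !first_out) { first_out = NR }
        }
        END { exit !(div && last_in && first_out && last_in < div && div < first_out) }
    ' "$RULES"
}

# Stand-alone run: build the correctly ordered set and report per interface.
build_rules
for outif in ng0 tun0; do
    if check_divert_order "$outif"; then
        echo "$outif: natd divert correctly placed between the bogon denies"
    else
        echo "$outif: natd divert misplaced relative to the bogon denies"
    fi
done
rm -f "$RULES"
```

The check is deliberately run on the generated rule text rather than on a live kernel, so it can be used as a pre-load sanity test of an rc.firewall draft on any machine. If PPP were to do the NAT for tun0 instead of natd, the tun0 divert rule would be dropped and the check for tun0 would then fail by design, which makes the choice between the two NAT approaches visible in the rule order rather than only in ppp.conf.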