Date:      Wed, 4 Aug 1999 12:26:02 -0700 (PDT)
From:      Brian <bri@sonicboom.org>
To:        "'Oscar Bonilla'" <obonilla@fisicc-ufm.edu>
Cc:        "David B. Aas" <dave@ciminot.com>, "'Ray Seals'" <rayseals@midwestis.com>, "'Thomas Uhrfelt'" <thomas.uhrfelt@plymovent.se>, questions@FreeBSD.ORG
Subject:   Re: Need consulting help with v3.2 firewall
Message-ID:  <Pine.BSF.4.10.9908041223420.5944-100000@adsl-216-102-203-44.dsl.snfc21.pacbell.net>
In-Reply-To: <19990804095347.F698@fisicc-ufm.edu>

Re the ICMP commentary below, if you want your boxes to not receive ping
or ping replies, I'd recommend the following, since there is useful data to
be received via ICMP.

Execution in this order is critical.
permit icmp from trusted hosts
deny echo request
permit icmp

				Brian


On Wed, 4 Aug 1999, 'Oscar Bonilla' wrote:

> On Wed, Aug 04, 1999 at 09:39:29AM -0500, David B. Aas wrote:
> > Guys-
> > 
> > Thanks for your suggestions. I tried both. It is better, but I still can't
> > get through.
> > 
> > Oscar's suggestion substantially speeded up the response from the client.
> 
> this means DNS is now getting through.
> 
> > The clients still cannot get through. The clients are Win95/98 with my
> > FreeBSD box set as primary DNS.
> > 
> > Ray's suggestion to telnet to my ISP's POP3 server works from the FreeBSD
> > box, but does not work from internal clients.
> 
> this means you're not allowing pop3 connections from the inside.
> 
> > 
> > My FreeBSD box can do a "ping netscape.com" OK. My clients cannot.
> 
> You're forbidding ICMP to get through from the inside net.
> 
> > 
> > I double and triple-checked my DNS. I originally had the FreeBSD box set up
> > as a Secondary DNS server. I changed it to be a caching DNS server off of my
> > ISP. That still didn't work.
> > 
> 
> DNS is not your problem.
> 
> > I will attach my configuration files. I would appreciate any help.
> 
> Here's your rc.firewall again with comments starting with ---> :
> more comments at bottom.
> 
> ----------------------------------------------------------------------------
> # Setup system for firewall service.
> # $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
> # Customized by Dave Aas 1999/07/20
> 
> # Suck in the configuration variables.
> . /etc/rc.conf
> 
> # Flush out the list before we begin.
> ipfw -f flush
> 
> # Divert internal ip addresses
> ipfw add 100 divert natd all from any to any via ${natd_interface}
> 
> # Allow all outbound traffic
> ipfw add 150 allow all from any to any out
> 
> ---> I don't see the need for this rule.
> 
> # Only in rare cases do you want to change these rules
> ipfw add 200 pass all from any to any via lo0
> ipfw add 300 deny all from any to 127.0.0.0/8
> 
> # Stop spoofing
> ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
> ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}
> 
> # Allow TCP through if setup succeeded
> ipfw add 600 pass tcp from any to any established
> 
> # Allow setup of incoming email
> ipfw add 700 pass tcp from any to ${oip} 25 setup
> 
> ---> Here you're allowing access to the SMTP port on the Firewall
> ---> Are you sure about this?
> 
> ipfw add 710 allow tcp from any to any 110 setup
> 
> ---> This should let POP3 go through
> 
> # Allow access to our DNS
> ipfw add 800 pass tcp from any to ${oip} 53 setup
> 
> ---> This is only for zone transfers. Is your Firewall a 
> ---> secondary DNS?
> 
> # Allow access to our WWW
> ipfw add 900 pass tcp from any to ${oip} 80 setup
> 
> ---> Do you run a WWW server on your Firewall?
> 
> # Other webserver traffic
> ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
> ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}
> 
> ---> Here you're allowing connections from the outside to WWW
> ---> and Squid I guess. Are you running this on your firewall?
> 
> # Allow setup of outgoing TCP connections only
> ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
> ipfw add 1100 allow tcp from ${iip}:${imask} to any setup
> 
> ---> Here you're saying that your Firewall can connect to anyone
> ---> It wants to.
> 
> # Allow maintenance from CI
> ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
> ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup
> 
> ---> Don't know about this one...
> 
> # Allow DNS queries out in the world
> ipfw add 1400 pass udp from any 53 to any
> ipfw add 1500 pass udp from any to any 53
> 
> ---> DNS can go through
> 
> # Allow NTP queries out in the world
> ipfw add 1600 pass udp from any 123 to ${oip}
> 
> ---> Allow folks to synchronize time with the Firewall
> ---> Is your firewall a time server?
> 
> ipfw add 1700 pass udp from ${oip} to any 123
> 
> ---> Allow the firewall to synchronize with anyone it wants.
> 
> # Allow ping to or from the world
> ipfw add 1800 allow icmp from any to any icmptypes 0,8
> 
> ---> You're allowing ICMP to go through
> 
> # Allow POP3 setup
> ipfw add 1850 allow tcp from any 1024-65535 to any 110
> ipfw add 1860 allow tcp from ${inet}:${imask} to any 110
> ipfw add 1880 allow tcp from any 1024-65535 to any 1024-65535
> ipfw add 1890 allow udp from any 1024-65535 to any 1024-65535
> 
> ---> I would change these 4 rules to be
> ---> ipfw add 1850 pass tcp from any to any 110 setup
> 
> # Disallow setup of all other TCP connections
> ipfw add 2000 deny tcp from any to any setup
> 
> ---> I would change this rule to be 
> ---> ipfw add 2000 deny log tcp from any to any
> ---> ipfw add 2050 deny log udp from any to any
> 
> # Allow ident in
> ipfw add 2100 allow tcp from any to any 113 in via ${oif}
> ipfw add 2200 allow tcp from any to any 113 out via ${oif}
> 
> ---> Ident only to/from Firewall, but since we've denied everything
> ---> above it will never match. You should move this rule way up.
> 
> # Everything else is denied as default.
> ----------------------------------------------------------------------------
> 
> Notice the last rule logging everything? You should watch your
> console when you try to establish the pop session from the
> windows machine and see where it fails. Then think if this is
> normal and if you think it is open up that port.
> 
> hope this helps.
> 
> regards,
> 
> -Oscar
> 
> 
> -- 
> For PGP Public Key: finger obonilla@fisicc-ufm.edu
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

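Brian's ordering at the top of this message (trusted ICMP first, then drop echo requests, then allow the rest) and Oscar's remark that the ident rules placed after a blanket TCP deny can never match both come down to ipfw's first-match evaluation. The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of that first-match walk over rules shaped like the ones in rc.firewall, with a shadowed-rule check; the trusted network 192.0.2.0/24 and the sample source addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for Brian's "trusted hosts"; not from the thread.
TRUSTED = ip_network("192.0.2.0/24")
ICMP_ECHO_REQUEST = 8  # ICMP type 8 is echo request; type 0 is echo reply

def rule(action, proto, src=None, icmptype=None, dport=None):
    """One ipfw-like rule; None means 'any' for that field."""
    return {"action": action, "proto": proto, "src": src,
            "icmptype": icmptype, "dport": dport}

# Brian's order: trusted hosts get all ICMP, echo requests from anyone
# else are dropped, and every other ICMP type still gets through.
BRIAN_ICMP_RULES = [
    rule("allow", "icmp", src=TRUSTED),
    rule("deny", "icmp", icmptype=ICMP_ECHO_REQUEST),
    rule("allow", "icmp"),
]

# Oscar's suggested blanket TCP deny at 2000 followed by the original
# ident rule at 2100 (port 113): the second rule can never be reached.
OSCAR_THEN_IDENT = [rule("deny", "tcp"), rule("allow", "tcp", dport=113)]
IDENT_MOVED_UP = [rule("allow", "tcp", dport=113), rule("deny", "tcp")]

def matches(r, pkt):
    """Packet fields modelled: proto, src address, icmptype, dport."""
    return (r["proto"] == pkt["proto"]
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["icmptype"] is None or pkt.get("icmptype") == r["icmptype"])
            and (r["dport"] is None or pkt.get("dport") == r["dport"]))

def decide(rules, pkt):
    """First match wins, as in ipfw; unmatched traffic hits the default deny."""
    for idx, r in enumerate(rules):
        if matches(r, pkt):
            return r["action"], idx
    return "deny", None

def shadowed(rules):
    """Indices of rules hidden by an earlier catch-all for the same protocol."""
    seen_catch_all, out = set(), []
    for idx, r in enumerate(rules):
        if r["proto"] in seen_catch_all:
            out.append(idx)
        elif all(r[f] is None for f in ("src", "icmptype", "dport")):
            seen_catch_all.add(r["proto"])
    return out
```

Swapping Brian's first two rules makes the deny match trusted pings as well, which is the "execution in this order is critical" point in concrete terms.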