Date:      Sun, 17 Oct 1999 14:06:52 -0400
From:      "Francisco Reyes" <fran@reyes.somos.net>
To:        "Ken Kyler" <ken@kyler.com>
Cc:        "FreeBSD questions" <questions@freebsd.org>
Subject:   RE: Firewalls for Morons
Message-ID:  <199910171804.OAA24082@sanson.reyes.somos.net>

On Sun, 17 Oct 1999 13:42:43 -0400, Ken Kyler wrote:

When replying try to remember to include the list.

>> Do you have Gateway set in /etc/rc.conf? You need: gateway_enable="YES"
>Yes, that is set.


>> Can you get to the net from the FreeBSD box?
>Not when firewall_type="SIMPLE" - I can't ping anything either outside the
>net or inside from the FreeBSD box. I can when firewall_type="OPEN".

One thing at a time.
Ping uses ICMP packets which the "simple" setup doesn't allow by default.

Add to /etc/rc.firewall
#Allow pinging
${fwcmd} add pass icmp from any to any

After that, try pinging again and check whether you can ping the outside world from the FreeBSD box and 
whether you can ping the FreeBSD box from the internal network.

>> What operation are you trying from the internal network and what
>> is the error?
>I'm not sure what you mean.  Mail, http, etc time out when
>firewall_type="SIMPLE".

If NOTHING is working, which seems to be what you are describing, then perhaps you have not initialised 
the variables from the simple profile properly.

Check the part that looks like:
    # set these to your outside interface network and netmask and ip
    oif="abc" #set that to the name of your outside interface. If using modem I use "tun0"
    onet="aaa.bbb.ccc.0"
    omask="255.255.255.0"
    oip="aaa.bbb.ccc.##"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="10.0.0.0"
    imask="255.255.255.0"
    iip="10.0.0.10"

The simple profile is somewhat restrictive, but if I remember correctly you should at least be able to 
browse web pages from your clients to the world.

I also think that mail traffic to outside pop/smtp should work with the default simple setup.

>> If you are not running your own DNS do you have the name servers
>> from your ISP listed in /etc/resolv.conf?
>Yes - exactly as given by the ISP.
>
>> Are the computers in the internal network referring to the FreeBSD box for
>> DNS or referring to your ISPs name servers?
>for DNS, they point to the ISP.  They point to the FreeBSD box as the
>gateway.

Good.
Later on, after you have it all working, you may want to play with setting up at least a caching DNS. This is 
nicely explained in The Complete FreeBSD. After that you could have your local computers use the 
FreeBSD box as the primary name server and the ISP as the second.


>Everything works fine (meaning mail gets through, http, etc) when
>firewall_type="OPEN" but as soon as I set it to "SIMPLE" it locks up tight.

Again, simple is somewhat closed, but some services should work. If nothing works I tend to think the 
variables for your interfaces may not have been set properly.

After you add the icmp line, try to get ping working from your internal network to your FreeBSD box and 
from the FreeBSD box to the outside world. Once that is working you can try to get the rest of the things to 
work.

One thing that helps is to add a rule before the last with:
$fwcmd add deny log ip from any to any

This way you can see where things are failing.

Another way to learn is the opposite. Put at the beginning
$fwcmd add allow log ip from any to any

This last rule will allow you to see what traffic is going through and play with your rules while at the 
same time allowing things to work.

One approach would be to start with the "allow log" all the way up in the list. Then move it down and 
check right after it was moved if the lines above it stop packets which you expected to go through and 
see what you need to do to fix them.


One big gotcha to look for is that some of the rules that stop non-routable IPs from going out may be stopping all your 
traffic dead.
This is the section that reads:
# Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    #$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    #$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Notice how the 10.0.0.0 rule is commented out. This was stopping all my traffic in the internal network, even 
though it is intended to only affect the external interface.
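As an added example (not part of this e-mail and not the rc.firewall shipped with FreeBSD), the script below puts the reply's debugging aids together in a "simple"-style rule set: the icmp pass rule, the logging deny placed just before the final deny, the optional logging allow at the very top, and the RFC1918 block with the 10/8 pair commented out because the inside net is 10.0.0.0. It also checks that the interface variables were actually filled in before any rule is loaded, which is the "variables not initialised" failure the reply suspects. Everything is routed through a dry-run wrapper so it runs on any machine and prints the rules it would load; the interface values, the fw_dryrun wrapper, check_vars, build_rules, penultimate_rule and fw_debug are all names and values chosen for this example. Setting fwcmd to /sbin/ipfw on the gateway makes the same function load the rules for real.

```shell
#!/bin/sh
# Added example, not from the original e-mail: an rc.firewall-style "simple"
# rule set with the reply's debugging aids (ICMP pass, a logging deny just
# before the default rule, an optional logging allow at the top) plus a check
# that the interface variables were filled in. Rules go through fw_dryrun so
# this runs anywhere; point fwcmd at /sbin/ipfw on the FreeBSD gateway to
# apply them (assumption: 1999-era ipfw rule syntax, as used in the reply).

fwcmd="fw_dryrun"      # dry run; use "/sbin/ipfw" to load the rules for real
fw_debug="no"          # "yes" = the reply's learning mode: allow+log everything first

# Interface settings: constructed values (192.0.2.0/24 is a documentation net).
oif="tun0"             # outside interface
onet="192.0.2.0"
omask="255.255.255.0"
oip="192.0.2.10"
iif="ed1"              # inside interface
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.10"

# Dry-run stand-in for ipfw: print the rule instead of loading it.
fw_dryrun() {
    echo "ipfw $*"
}

# Fail early if a variable is empty or still carries the template's
# "abc" / "aaa.bbb.ccc" placeholders, instead of loading rules built on them.
check_vars() {
    for v in oif onet omask oip iif inet imask iip; do
        eval "val=\${$v}"
        case "$val" in
            ""|abc|aaa.*) echo "rc.firewall: $v is not set ($val)" >&2; return 1 ;;
        esac
    done
    return 0
}

build_rules() {
    check_vars || return 1
    ${fwcmd} -f flush
    if [ "$fw_debug" = "yes" ]; then
        # The reply's "opposite" approach: see all traffic while still letting it through.
        ${fwcmd} add allow log ip from any to any
    fi
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    # Stop RFC1918 nets on the outside interface only; the 10/8 pair stays
    # commented out because the inside net is 10.0.0.0.
    ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    #${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    #${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
    # Anti-spoofing: inside addresses must not arrive on the outside interface, and vice versa.
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
    # Allow pinging (the simple profile drops ICMP otherwise).
    ${fwcmd} add pass icmp from any to any
    # TCP: established flows pass, inside hosts may open connections,
    # new connections arriving on the outside interface are logged and dropped.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass tcp from ${inet}:${imask} to any setup
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    # DNS queries to, and replies from, the ISP's name servers.
    ${fwcmd} add pass udp from any to any 53
    ${fwcmd} add pass udp from any 53 to any
    # Logging deny just before the default rule: whatever fell through shows in the log.
    ${fwcmd} add deny log ip from any to any
    ${fwcmd} add 65000 deny ip from any to any
}

# Print only the rule that sits right before the final deny (used by the tests).
penultimate_rule() {
    build_rules | tail -n 2 | head -n 1
}

build_rules
```

Run it as is to preview the rule order; set fw_debug="yes" to see the allow-log line land first, and leave oif="abc" to see check_vars refuse to load anything. Rules after the allow-log line are never reached while it is in place, which is what makes it a learning aid rather than a configuration to keep.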
