Date:      Sun, 30 Nov 2003 01:17:45 -0800 (PST)
From:      Michael Lopez <bsdfreakish@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw + ppp config problem
Message-ID:  <20031130091745.48280.qmail@web20705.mail.yahoo.com>


Hi guys, I need help setting up my ipfw. At the moment I’ve got 2 computers: one running FreeBSD 4.9 stable and the other one Windows XP, connecting to the internet using dial-up (which is ppp) with a static IP. I have already compiled the kernel to enable the firewall, as well as setting up rc.conf and the firewall rules (firewall_rules) as described below:

 

rc.conf 

....

# rc.conf excerpt: this host forwards packets between rl0 and tun0 (gateway),
# runs inetd, and loads ipfw rules from firewall_type. The rule file is run
# through cpp first ("-p cpp"); the -D macros below switch its optional sections on.
gateway_enable="YES"

inetd_enable="YES"

#################################################

# Firewall Configuration

#

firewall_enable=YES

firewall_quiet=YES

# path to the cpp-preprocessed ipfw rule set (listing follows rc.conf)
firewall_type=/usr/local/etc/firewall_rules

 

# Macros consumed by firewall_rules:
#   INT_IF/INT_ADDR/INT_NET  - internal LAN on rl0 (the whole 192.168.0.0/16)
#   EXT_IF/EXT_ADDR/EXT_NET  - PPP dial-up link tun0 with the static public address
#   the remaining -D flags enable optional rule groups (ICMP, FTP, DNS, NTP, PPTP, ...)
# NOTE(review): DIVERT_TO_NATD is not defined here, so the natd divert rule in
# firewall_rules is never installed; together with the commented-out natd_* lines
# below, no NAT is performed anywhere in this configuration.
# (The blank line after every continuation line is presumably a mail-formatting
# artifact; inside the double quotes they would only add whitespace to the value.)
firewall_flags="-p cpp                          \

                -D INT_IF=rl0                   \

                -D INT_ADDR=192.168.0.1         \

                -D INT_NET=192.168.0.0/16       \

                -D EXT_IF=tun0                  \

                -D EXT_ADDR=202.24.54.145       \

                -D EXT_NET=202.24.54.145/27     \

                -D LOG_DROPPED_PACKETS          \

                -D ALLOW_ALL_ICMP               \

                -D ALLOW_ACTIVE_FTP             \

                -D ALLOW_TRACEROUTE             \

                -D LOCAL_NAME_SERVER            \

                -D LOCAL_TIME_SERVER            \

                -D LOCAL_VPN_SERVER             \

                -D ROUTE_INTERNAL_NET           "

 

# Enable firewall debugging with

# sysctl -w net.inet.ip.fw.verbose=1

# and look at /var/log/security

 

#################################################

# NAT Configuration

#

# run NAT on the public interface

# NOTE(review): NAT is disabled: natd is not started and firewall_rules skips
# past its divert rule, so packets from INT_NET leave tun0 with their private
# source address unchanged. Hosts behind this gateway presumably cannot reach the
# Internet until NAT is enabled again (natd started once tun0 exists, or ppp -nat).
#natd_enable=YES

#natd_interface=tun0

#natd_flags="-log_denied -use_sockets"

 

# for testing NAT

#natd_flags="$natd_flags -verbose"

 

 

firewall_rules

// Action macros used by the BLOCK_* catch-all rules further down.
// With the rc.conf flags shown above, DROP_SILENT is undefined and
// LOG_DROPPED_PACKETS is defined, so the effective expansions are:
//   BLOCK_TCP  -> reset log                  (TCP RST sent back, packet logged)
//   BLOCK_UDP  -> unreach port log           (ICMP port-unreachable, logged)
//   BLOCK_ICMP -> unreach filter-prohib log  (ICMP admin-prohibited, logged)
// Define DROP_SILENT to discard such packets without any reply.
#ifdef DROP_SILENT

#       ifdef LOG_DROPPED_PACKETS

#               define BLOCK_TCP                deny log

#               define BLOCK_UDP                deny log

#               define BLOCK_ICMP               deny log

#       else

#               define BLOCK_TCP                deny

#               define BLOCK_UDP                deny

#               define BLOCK_ICMP               deny

#       endif

#else

#       ifdef LOG_DROPPED_PACKETS

#               define BLOCK_TCP                reset log

#               define BLOCK_UDP                unreach port log

#               define BLOCK_ICMP               unreach filter-prohib log

#       else

#               define BLOCK_TCP                reset

#               define BLOCK_UDP                unreach port

#               define BLOCK_ICMP               unreach filter-prohib

#       endif

#endif

/*** IP ******************************************************/

 

// filter out all bogus packets at the external interface
// 990: only packets addressed to EXT_ADDR are accepted from EXT_IF; they jump
//      straight to 2100, which bypasses the natd divert rule 1000 below
//      (DIVERT_TO_NATD is also undefined in rc.conf, so no NAT happens here).
// 999: anything else arriving on EXT_IF is dropped.

add 00990 skipto 2100 ip from any to EXT_ADDR in recv EXT_IF

add 00999 deny all from any to any in recv EXT_IF

 

// hand off packets to natd; they will be reinjected, with the address

// translated, into the next rule

#ifdef DIVERT_TO_NATD

#add 01000 divert natd ip from any to any via EXT_IF

#endif

 

// prevent spoofing
// 2100: internal addresses must never arrive on the public link;
// 2110: public addresses must never arrive on the LAN side.

add 02100 deny all from INT_NET to any in via EXT_IF

add 02110 deny all from EXT_NET to any in via INT_IF

 

#ifdef ROUTE_INTERNAL_NET

// allow all packets from the internal network, on any interface
// NOTE(review): ROUTE_INTERNAL_NET is defined in rc.conf, so 2300 lets the
// whole 192.168.0.0/16 out on every interface, including tun0, with its
// private source address intact. With NAT disabled the replies presumably
// cannot return — consistent with only the gateway itself reaching the Internet.

add 02300 allow all from INT_NET to any

#else

add 02300 allow all from INT_ADDR to INT_NET via INT_IF

#endif

 

#ifdef LOCAL_VPN_SERVER

// GRE from any address on the public link, as carried by PPTP (see rule 3600)

add 02400 allow gre from any to any via EXT_IF

#endif

 

 

/*** TCP ****************************************************/

 

// allow all established connections
// (stateless: matches any TCP segment with ACK or RST set, on every interface)

add 03000 allow tcp from any to any established

 

// allow outgoing TCP setups from the local host, and from the internal

// network
// (3110 is commented out; INT_NET is already admitted by rule 2300)

add 03100 allow tcp from EXT_ADDR to any out via EXT_IF

//add 03110 allow tcp from INT_NET to any in recv INT_IF setup

 

// allow the return TCP connection for FTP data session
// NOTE(review): both rules trust the source port alone. 3200 admits a
// connection setup to every port of EXT_ADDR as long as it comes from port 20.
// In 3210 the "out xmit INT_IF setup" qualifiers are part of the trailing
// comment (stripped by cpp), so it allows all TCP from port 20 to INT_NET in
// either direction. Restrict the destination ports or add the qualifiers back.

#ifdef ALLOW_ACTIVE_FTP

add 03200 allow tcp from any 20 to EXT_ADDR in recv EXT_IF setup

add 03210 allow tcp from any 20 to INT_NET // out xmit INT_IF setup

#endif

 

// allow SMTP to the local host

add 03300 allow tcp from any to EXT_ADDR smtp in recv EXT_IF setup

 

// allow SSH to the local host
// (accepted from any source address; rely on sshd's own access controls or
// narrow the source here)

add 03400 allow tcp from any to EXT_ADDR ssh in recv EXT_IF setup

 

#ifdef LOCAL_NAME_SERVER

// allow zone transfers to the outside world

add 03500 allow tcp from any to EXT_ADDR domain in recv EXT_IF setup

#endif

 

#ifdef LOCAL_VPN_SERVER

// allow traffic to PPTP daemon

add 03600 allow tcp from any to EXT_ADDR pptp in recv EXT_IF setup

// NOTE(review): no #endif closes the LOCAL_VPN_SERVER block opened above, at
// least in this listing. If the real file is the same, cpp should reject it as
// an unterminated conditional, and the 3900 catch-all below would exist only
// when the macro is defined. The #endif belongs right after rule 3600.

// all other TCP connections are blocked
// (inbound on EXT_IF only; see the BLOCK_TCP macro at the top of the file)

add 03900 BLOCK_TCP tcp from any to any in via EXT_IF

 

 

/*** UDP ****************************************************/

 

// allow client DNS queries to the outside from this machine

// (domain = DNS port number)
// NOTE(review): 4000 has no destination port and no in/recv qualifier, so any
// UDP datagram whose source port is 53 reaches every UDP port of EXT_ADDR from
// anywhere. Pin the destination to a fixed resolver source port or use
// keep-state on 4010 instead.

add 04000 allow udp from any domain to EXT_ADDR

add 04010 allow udp from EXT_ADDR to any domain

 

#ifdef LOCAL_NAME_SERVER

// allow client DNS queries from the internal net to this name server

add 04020 allow udp from INT_NET to INT_ADDR domain

add 04030 allow udp from INT_ADDR domain to INT_NET

 

// allow server DNS queries to this nameserver from the Internet

add 04040 allow udp from any to EXT_ADDR domain

add 04050 allow udp from EXT_ADDR domain to any

#endif

 

#ifdef LOCAL_TIME_SERVER

// allow NTP to/from the local host and out to the local network
// (both source and destination port fixed to ntp, unlike 4000 above)

add 04100 allow udp from any ntp to EXT_ADDR ntp

add 04110 allow udp from EXT_ADDR ntp to any ntp

add 04120 allow udp from INT_ADDR ntp to INT_NET ntp

#endif

 

#ifdef ALLOW_TRACEROUTE

// allow traceroutes

add 04300 allow udp from EXT_ADDR to any 33434-33534

add 04310 allow udp from INT_NET to any 33434-33534

#endif

 

// block everything else
// (inbound on EXT_IF only; outbound UDP not matched above falls through to 65000)

add 04900 BLOCK_UDP udp from any to any in via EXT_IF

 

 

/*** ICMP **************************************************/

 

#ifdef ALLOW_ALL_ICMP

// allow all ICMP packets to and from anywhere
// NOTE(review): ALLOW_ALL_ICMP is defined in rc.conf, so this branch is active
// and every ICMP type is admitted in both directions on all interfaces. The
// #else branch (types 3,4,11,12 only) is the tighter alternative.

add 05000 allow icmp from any to any

 

#else

// allow only essential ICMP packets to and from the local host
// (3 = unreachable, 4 = source quench, 11 = time exceeded, 12 = parameter problem)

add 05000 allow icmp from EXT_ADDR to any icmptype 3,4,11,12

add 05010 allow icmp from any to EXT_ADDR icmptype 3,4,11,12

 

// as well as to/from the internal network

add 05100 allow icmp from INT_NET to any icmptype 3,4,11,12

add 05110 allow icmp from any to INT_NET icmptype 3,4,11,12

#endif

 

 

/*** EVERYTHING ELSE IS DENIED *********/

 

// Default-deny for anything not matched above, on every interface.
// LOG_DROPPED_PACKETS is defined, so the first variant is active; the log
// entries only appear once net.inet.ip.fw.verbose is set (see rc.conf comment).

#ifdef LOG_DROPPED_PACKETS

add 65000 deny log all from any to any

#else

add 65000 deny all from any to any

#endif

 

Reference used: http://renaud.waldura.com/doc/freebsd/firewall/

 

But I slightly modified the NAT part and the rules: as you can see, I commented out the NAT configuration, and at rule 990 I set it to skip to rule 2100 instead of rule 1000, since NAT didn’t work well with ppp (it can’t recognize the tun0 device at start-up, and when I tried to add it manually after connecting with ppp, the FreeBSD box couldn't connect to the net either).

 

As a result, using this firewall only my FreeBSD box is able to connect to the net (but both boxes are able to communicate well over the LAN: ping, sshd, ftp, etc.). My questions are:

1.)    Does anybody (who’s an expert with ipfw) know what’s wrong with my configuration?

2.)    Is there any possibility to use nat (not user ppp -nat) together with ipfw + ppp?

 

References and URLs are welcome. (By the way, I’ve browsed most sites in google.com/bsd regarding “ipfw + ppp + nat”, but then again only the reference I used above works pretty close to what I need... I think.)

 

Thank you once again,

 

Regards,

Mike 


---------------------------------
Do you Yahoo!?
Free Pop-Up Blocker - Get it now


