From: Redmond Militante
To: freebsd-questions@freebsd.org
Date: Wed, 15 Jan 2003 19:08:08 -0600
Subject: ipfw/natd questions
Message-ID: <20030116010808.GA1867@darkpossum>

now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines - machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci 3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical except it has only one nic - the intel 1000 pro integrated. machine 2 also has a static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering firewall/natd box. i'd like to hook up machine 2 to the internal network interface card of machine 1 and be able to filter/log/divert packets bound for machine 2 through ipfw/natd on machine 1.

i've been basically following the instructions at http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'

- on machine 1, ifconfig returns

xl0: flags=8843 mtu 1500
        options=3
        inet 129.x.x.35 netmask 0xffffff00 broadcast 129.x.x.255
        inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
        ether 00:10:5a:c6:8b:cb
        media: Ethernet autoselect (100baseTX )
        status: active
xl1: flags=8843 mtu 1500
        options=3
        inet 10.20.155.1 netmask 0xffffff00 broadcast 10.20.155.255
        inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
        ether 00:06:5b:80:98:5b
        media: Ethernet autoselect (none)
        status: no carrier

i'd like xl0 to be my external nic, and xl1 to be my internal nic

- on machine 1, my /etc/rc.conf reads

ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
gateway_enable="YES"

#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO"     #change to yes once happy with rules
firewall_logging_enable="YES"

#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"

natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

#to enable ipfirewall with default to deny all packets
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#to hide the firewall from traceroute
options IPSTEALTH
options IPDIVERT
#to hide from nmap
options TCP_DROP_SYNFIN

- machine 1's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim, the only part of it i changed was

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="xl0"
onet="129.x.x.1"
omask="255.255.255.0"
oip="129.x.x.35"

# Inside interface network and netmask and ip
iif="xl1"
inet="10.20.155.0"
imask="255.255.255.0"
iip="10.20.155.1"

# My ISP's DNS servers
dns1="129.x.x.1"
dns2="165.x.x.21"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP RULES

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

- i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on machine 1 - to machine 2's nic. i've edited machine 2's /etc/rc.conf so that it points to the internal nic - xl1 on machine 1 - as its default gateway:

defaultrouter="10.20.155.1"
hostname="machine2.hostname.com"
ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"

at the moment, it's not working.

on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup failure'. i can't ping xl0 - external nic on machine 1 - ping 129.x.x.35 gives me a 'host is down' message.

machine 2 can ping its own static ip successfully - ping 129.x.x.20 works
machine 2 can ping its own hostname successfully - ping machine2.hostname.com works

sorry if this is long, i've been messing with this all day and i think i'm doing it right. can you guys tell if i'm missing something obvious?

thanks
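The comment in the firewall script above explains why the "divert natd" rule sits between the destination and source bogon checks. The following is an added example, not code from the post or from the mostgraveconcern tutorial: a small Python model of ipfw's first-match walk with a stand-in for natd(8), run over the post's rule order and two alternative placements of the divert rule. Addresses are constructed (129.0.0.35 stands in for the post's 129.x.x.35; 10.20.155.2 and 198.51.100.9 are an invented inside client and remote web server).

```python
import ipaddress

# Added example, not from the post: a toy model of ipfw's first-match walk
# with a natd stand-in. Only src/dst prefix matching on the outside interface
# is modelled. Constructed addresses: 129.0.0.35 stands in for 129.x.x.35.
EXT_IP = "129.0.0.35"
INSIDE_NET = ipaddress.ip_network("10.20.155.0/24")   # the post's inside net
INSIDE_HOST = "10.20.155.2"                           # constructed client
REMOTE = "198.51.100.9"                               # constructed web server
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"]

def bogon_rules(field):
    return [("deny", field, ipaddress.ip_network(net)) for net in BOGONS]

# Order used by the post's /etc/rc.ipfw: deny bogon destinations, divert,
# deny bogon sources. The two alternatives move only the divert rule.
POST_ORDER = bogon_rules("dst") + [("divert",)] + bogon_rules("src") + [("pass",)]
DIVERT_LATE = bogon_rules("dst") + bogon_rules("src") + [("divert",)] + [("pass",)]
DIVERT_EARLY = [("divert",)] + bogon_rules("dst") + bogon_rules("src") + [("pass",)]

def natd(pkt, table):
    """Stand-in for natd(8): hide inside sources going out, map replies back."""
    pkt = dict(pkt)
    if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) in INSIDE_NET:
        table[(pkt["dst"], pkt["dport"])] = pkt["src"]   # remember the flow
        pkt["src"] = EXT_IP
    elif pkt["dir"] == "in" and pkt["dst"] == EXT_IP:
        pkt["dst"] = table.get((pkt["src"], pkt["sport"]), EXT_IP)
    return pkt

def walk(rules, pkt, table):
    """Walk the rules in order; return (verdict, packet as it leaves the set)."""
    for rule in rules:
        if rule[0] == "divert":
            pkt = natd(pkt, table)            # packet re-enters after this rule
        elif rule[0] == "deny" and ipaddress.ip_address(pkt[rule[1]]) in rule[2]:
            return "deny", pkt
        elif rule[0] == "pass":
            return "pass", pkt
    return "deny", pkt   # IPFIREWALL without DEFAULT_TO_ACCEPT, as in the post

def demo(rules):
    """One HTTP request from the inside host and its reply, through 'rules'."""
    table = {}
    out = {"dir": "out", "src": INSIDE_HOST, "dst": REMOTE, "sport": 40000, "dport": 80}
    v_out, sent = walk(rules, out, table)
    back = {"dir": "in", "src": REMOTE, "dst": EXT_IP, "sport": 80, "dport": 40000}
    v_in, got = walk(rules, back, table)
    return v_out, sent["src"], v_in, got["dst"]
```

With the post's order both directions pass and the reply reaches 10.20.155.2; with the divert moved after the source checks the outgoing packet is dropped untranslated, and with it moved before the destination checks the translated reply is dropped by the 10.0.0.0/8 rule.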