Date: Wed, 4 Jul 2001 18:31:41 +0200
From: "Christoph Mathys" <cmathys@bluewin.ch>
To: "FreeBSD" <questions@freebsd.org>
Subject: ipf and DoD
Message-ID: <ABELIDDNMBPCBGKEFICPEEJJCBAA.cmathys@bluewin.ch>
hello everybody

I have a problem with ipf and the Dial on Demand feature. Until now I haven't got any idea how to solve the problem. I use user-ppp to connect to the internet, ipf for port filtering and ipnat for network address translation. It all works all right if I reload the rules after booting up, but right after boot-up I'm not able to bring the link up with a request to port 80. I'm able to ping the 4.3BSD gateway on the internal interface, but I can't connect out until I have reloaded the rules (ipf -Fa -f /etc/iptest.rules). To bring the link up I send a request for an external resource on port 80 to the BSD gateway, with telnet most of the time (telnet 123.123.123.123 80).

I have included the ppp.conf, iptest.rules (the ipf rules), ipnat.rules (ipnat rules) and rc.conf. I configured the kernel with the options IPFILTER, IPFILTER_DEFAULT_BLOCK and IPFILTER_LOG.

I hope somebody can help me. If you need some additional information, please mail me (mailto:xeon@gmx.ch)

Chris

[Attachment: ipnat.rules]

#File Date June the 23th 2001 Time:0016
#(c) C. Mathys
map tun0 192.168.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.10.0/24 -> 0/32 portmap tcp/udp 20000:30000

#This maps all traffic coming from 192.168.10.0 to the tun0 device
#0/32 means that the address to which the packet is translated is the
#one received from isp. portmap means that the source port of an
#outgoing packet is translated to a value between the 2 specified.

[Attachment: iptest.rules]

#loopback interface
pass in quick on lo0 all
pass out quick on lo0 all

#internal interface
pass in quick on ed0 all
pass out quick on ed0 all

#group selection
block in quick on tun0 all head 10 #anti spoofing
block out quick on tun0 all head 20 #outgoing traffic

#anti spoofing rules on tun0 for incoming traffic
block in log quick on tun0 from 127.0.0.0/8 to any group 10 #loopback subnet
block in log quick on tun0 from 169.254.0.0/16 to any group 10 #auto systemconfig
block in log quick on tun0 from 172.16.0.0/16 to any group 10 #private address space
block in log quick on tun0 from 192.168.0.0/16 to any group 10 #private address space
block in log quick on tun0 from 224.0.0.0/3 to any group 10 #multicast

#outgoing traffic on tun0

pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 20 flags S keep state group 20 #ftpdata
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 21 flags S keep state group 20 #ftp
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 25 flags S keep state group 20 #smtp
pass out quick on tun0 proto udp from 192.168.10.0/24 to any port = 53 keep state group 20 #dns
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 53 flags S keep state group 20 #dns
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 80 flags S keep state group 20 #http
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 110 flags S keep state group 20 #pop3
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 443 flags S keep state group 20 #https
pass out quick on tun0 proto icmp from 192.168.10.0/24 to any keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 7000 flags S keep state group 20 #irc-chat on bluewin
#pass out log quick on tun0 from 192.168.10.0/24 to any

[Attachment: rc.conf]

# -- sysinstall generated deltas -- #
# Created: Sun Jun 17 00:45:58 2001
# Enable network daemons for user convenience.
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
network_interfaces="lo0 ed0"
defaultrouter="NO"
gateway_enable="YES"
hostname="hwbsd.spiele.local"
ifconfig_ed0="inet 192.168.10.81 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/cuaa0"
moused_type="auto"
sendmail_enable="NO"
sshd_enable="YES"
router_enable="NO"
ipfilter_enable="YES"
ipfilter_rules="/etc/iptest.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-D /var/log/firewall.log"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="NO"
ppp_profile="bluewin"
ppp_user="root"

[Attachment: ppp.conf]

#################################################################
# PPP Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.2.2.4 2001/02/22 23:28:42 brian Exp $
#################################################################
default:
 set device /dev/cuaa1
 set log Phase Chat LCP IPCP CCP tun command
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
   \"\" AT OK-AT-OK \\ATDT\\T TIMEOUT 40 CONNECT"
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 set timeout 300 # 5 minute idle timer (the default)
 disable lqr
 set log +tcp/ip

 #dialup filter
 set filter dial 0 permit 0 0 tcp dst eq 80
 set filter dial 1 deny 0/0 0/0

 #keep alive filter
 set filter alive 0 deny 0 0 udp dst eq 137 #NETBIOS name service
 set filter alive 1 deny 0 0 udp dst eq 138 #NETBIOS datagram service
 set filter alive 2 deny 0 0 udp dst eq 139 #NETBIOS session service
 set filter alive 3 deny 0 0 udp src eq 137
 set filter alive 4 deny 0 0 udp src eq 138
 set filter alive 5 deny 0 0 udp src eq 139
 set filter alive 6 deny 0 MYADDR icmp #pings to me from outside
 set filter alive 7 deny 0 0 udp src eq 520 #routed
 set filter alive 8 deny 0 0 udp dst eq 520 #routed
 set filter alive 9 deny 0 0 udp src eq 513 #rwhod
 set filter alive 10 deny 0 0 udp src eq 525 #timed
 set filter alive 11 deny 0 205.188.179.233/32 #ICQ-server 1
 set filter alive 12 deny 0 64.12.162.57 #ICQ-Server 2
 set filter alive 13 permit 0/0 0/0

bluewin:
 set phone 2365482365
 set authname myusername
 set authkey mypassword
 add! default HISADDR # Add a (sticky) default route
 enable dns # request DNS info (for resolv.conf)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ABELIDDNMBPCBGKEFICPEEJJCBAA.cmathys>
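The following is an added example, not part of the post above or of the ipf distribution. It embeds the poster's iptest.rules as a constructed sample and walks it with a deliberately simplified model of ipf(8) semantics (rule order, `quick`, and the `head`/`group` hand-off; state tracking and NAT are left out, which is also why the `out on tun0` rules see the pre-NAT 192.168.10.0/24 sources). It answers two questions a reader of the ruleset will have: what happens to the outbound port-80 SYN that the poster uses to trigger the dial, and to anything not on the group 20 list; and which reserved source ranges the group 10 `block log` rules actually cover, since anything they miss is still dropped by the head rule but never reaches ipmon. The packet dictionaries and the `NEVER_FROM_OUTSIDE` list are constructed for the example; the `default` argument models the IPFILTER_DEFAULT_BLOCK kernel option the poster mentions.

```python
import ipaddress

# Constructed sample: the iptest.rules attached to the post, with its comments dropped.
IPF_RULES = """
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ed0 all
pass out quick on ed0 all
block in quick on tun0 all head 10
block out quick on tun0 all head 20
block in log quick on tun0 from 127.0.0.0/8 to any group 10
block in log quick on tun0 from 169.254.0.0/16 to any group 10
block in log quick on tun0 from 172.16.0.0/16 to any group 10
block in log quick on tun0 from 192.168.0.0/16 to any group 10
block in log quick on tun0 from 224.0.0.0/3 to any group 10
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 20 flags S keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 21 flags S keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 25 flags S keep state group 20
pass out quick on tun0 proto udp from 192.168.10.0/24 to any port = 53 keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 53 flags S keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 80 flags S keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 110 flags S keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 443 flags S keep state group 20
pass out quick on tun0 proto icmp from 192.168.10.0/24 to any keep state group 20
pass out quick on tun0 proto tcp from 192.168.10.0/24 to any port = 7000 flags S keep state group 20
"""

# keyword -> rule field for the one-argument keywords this toy parser understands
ARGS = {"on": "iface", "proto": "proto", "flags": "flags", "from": "src",
        "to": "dst", "head": "head", "group": "group"}


def cidr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rules(text):
    rules = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        t = line.split()
        r = {"action": t[0], "dir": t[1], "iface": None, "log": False, "quick": False,
             "proto": None, "src": None, "dst": None, "dport": None, "flags": None,
             "head": None, "group": 0}
        i = 2
        while i < len(t):
            w = t[i]
            if w in ("log", "quick"):
                r[w] = True
                i += 1
            elif w in ("all", "keep", "state"):  # no constraint on a first packet
                i += 1
            elif w == "port":  # only the 'port = N' form used in this ruleset
                r["dport"] = int(t[i + 2])
                i += 3
            elif w in ARGS:
                v = t[i + 1]
                r[ARGS[w]] = int(v) if w in ("head", "group") else cidr(v) if w in ("from", "to") else v
                i += 2
            else:
                raise ValueError(f"unsupported token {w!r} in {line!r}")
        rules.append(r)
    return rules


def matches(r, p):
    """p is a dict: dir, iface, proto, src, dst, optional dport and TCP flag letters."""
    if (r["dir"], r["iface"]) != (p["dir"], p["iface"]) or (r["proto"] and r["proto"] != p["proto"]):
        return False
    if any(r[k] is not None and ipaddress.ip_address(p[k]) not in r[k] for k in ("src", "dst")):
        return False
    if r["dport"] is not None and r["dport"] != p.get("dport"):
        return False
    # ipf's bare 'flags S' matches only when SYN is set and every other flag is clear
    return r["flags"] is None or set(p.get("flags", "")) == set(r["flags"])


def evaluate(rules, p, default="block"):
    """Return (action, rule). Rules are walked in order; the last match wins unless it
    is 'quick'. A matching head rule hands off to its group and its own action applies
    only if no group rule matches. 'default' models the poster's IPFILTER_DEFAULT_BLOCK."""
    result = None
    for r in (x for x in rules if x["group"] == 0):
        if not matches(r, p):
            continue
        chosen = r
        if r["head"] is not None:
            for g in (x for x in rules if x["group"] == r["head"]):
                if matches(g, p):
                    chosen = g
                    if g["quick"]:
                        break
        result = chosen
        if chosen["quick"]:
            break
    return (result["action"], result) if result else (default, None)


# Constructed list of source ranges that should never arrive on the internet side of tun0.
NEVER_FROM_OUTSIDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]


def logged_antispoof_coverage(rules, iface="tun0"):
    """True per range when an inbound 'block log' rule on iface covers all of it. The head
    rule blocks anything else anyway, so False means 'dropped silently, not logged'."""
    logged = [r["src"] for r in rules if r["action"] == "block" and r["log"]
              and r["dir"] == "in" and r["iface"] == iface and r["src"] is not None]
    return {c: any(ipaddress.ip_network(c).subnet_of(b) for b in logged)
            for c in NEVER_FROM_OUTSIDE}
```

Running `evaluate` on an outbound SYN to port 80 from a 192.168.10.0/24 host returns `pass` from the group 20 http rule, while the same packet to port 22, or a non-SYN packet to port 80, falls back to the `block out quick on tun0 all head 20` rule. `logged_antispoof_coverage` shows that 10.0.0.0/8 and the 172.16.0.0/12 block beyond 172.16.0.0/16 are not covered by a logging rule, so packets from those sources are blocked by the head rule without an ipmon entry; adding `block in log quick` rules for them to group 10 is the usual fix when you want the spoof attempts visible in /var/log/firewall.log.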