Date: Fri, 4 Aug 2000 20:47:34 +1200
From: rshea@opendoor.co.nz
To: freebsd-questions@FreeBSD.ORG
Subject: NATD/"spoofing" and IPFW
Message-ID: <200008040857.e748va105786@deborah.paradise.net.nz>
Hi - I'm new to FreeBSD and trying to make my FreeBSD machine act as a gateway/firewall to the office LAN. The connection to the i'net is via a cable modem with a fixed IP address. I am using IPFW as the firewall and in rc.conf I have set firewall_type to "simple". The machines on the LAN use addresses in the range 192.168.10.xx.

I 'borrowed' my firewall rules (I've tagged them onto the bottom of this email) from the very helpful site ... http://www.mostgraveconcern.com/freebsd/ ... but I find that machines within the LAN (W9x machines FWIW) cannot 'get out' if I retain the rules

${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

(where fwcmd = /sbin/ipfw and oif = the name of my external nic).

Now I thought I understood that NATD changed the ip addresses on packets from within the LAN before dispatching them to the I'net and vice versa on the way back? If I'm right about that then these shouldn't cause any problems once the fiddle has been done? And yet I find that removing only these rules makes the LAN machines quite happy with life whilst retaining them makes them 'blind'. Are these rules just not appropriate for LANs that make use of the 192.168.10.xx series at all?

Any thoughts would be welcome. Below are the rules which I used to completely replace those which were in the 'simple' if statement in the default rc.firewall supplied with 3.4 (in the real thing I have obviously used my correct IP numbers).

thanks

Richard Shea.
# Inside interface network and netmask and ip
iif="ep0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

# My ISP's DNS servers
dns1="123.45.67.42"
dns2="123.54.76.24"

# Stop spoofing
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

# Allow established connections
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP SETUP RULES

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# Reject&Log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# NTP - Allow server-to-server on outside interface, client-to-server
# on inside interface
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing, but not incoming
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings, but not incoming
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
*****************************************************
Open Door Ltd
PO Box 119-46 Wellington
PH 04 384 7639 FX 04 384 7672
*****************************************************
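The ordering interaction the question touches on, as an added example that is neither the poster's rules nor FreeBSD's rc.firewall: a small POSIX sh simulator of ipfw's first-match evaluation on the outside interface. Here "divert" stands for "divert natd all from any to any via ${oif}"; natd is modelled as rewriting only the constructed LAN 192.168.10.0/24 to an assumed public address 203.0.113.5 (and mapping replies back to the constructed client 192.168.10.5), with 198.51.100.80 as a constructed remote host. Rules placed ahead of the divert see untranslated addresses, rules after it see translated ones, and the three constructed rulesets show why a "from RFC1918" deny and a "to RFC1918" deny cannot both sit on the same side of the divert.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed values:
LAN="192.168.10.0/24"      # LAN behind the gateway
LAN_HOST="192.168.10.5"    # the LAN client whose traffic natd maps
PUBLIC="203.0.113.5"       # natd's public address on the outside interface

# Convert a dotted quad to a 32-bit integer (octets taken as decimal).
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PREFIX: succeed when ADDR lies inside NET/PREFIX.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# match ADDR PATTERN: PATTERN is "any" or a CIDR, as in an ipfw rule.
match() {
    if [ "$2" = any ]; then return 0; fi
    in_cidr "$1" "$2"
}

# verdict DIR RULES SRC DST: walk RULES top-down like ipfw on the outside
# interface (DIR is "out" or "in") and print "<action> <src> <dst>" with the
# addresses as the matching rule saw them. A divert rule rewrites the packet
# the way natd would and evaluation resumes at the next rule.
verdict() {
    dir=$1; rules=$2; src=$3; dst=$4
    while read -r action rsrc rdst; do
        [ -n "$action" ] || continue
        match "$src" "$rsrc" || continue
        match "$dst" "$rdst" || continue
        if [ "$action" = divert ]; then
            # outbound: LAN source becomes the public address
            if [ "$dir" = out ] && in_cidr "$src" "$LAN"; then src=$PUBLIC; fi
            # inbound: public destination maps back to the LAN client
            if [ "$dir" = in ] && [ "$dst" = "$PUBLIC" ]; then dst=$LAN_HOST; fi
            continue
        fi
        echo "$action $src $dst"
        return 0
    done <<EOF
$rules
EOF
    echo "deny $src $dst"   # nothing matched: ipfw's default rule 65535 denies
}

# Each rule is "ACTION SRC DST"; both SRC and DST are CIDR or "any".
# 1. Both RFC1918 checks ahead of the divert: outbound LAN traffic is denied
#    before natd ever sees it, while replies still get in.
RULES_DENY_BEFORE_DIVERT="deny 192.168.0.0/16 any
deny any 192.168.0.0/16
divert any any
pass any any"

# 2. Both checks after the divert: outbound works, but translated replies
#    (now addressed to 192.168.10.5) are denied.
RULES_DENY_AFTER_DIVERT="divert any any
deny 192.168.0.0/16 any
deny any 192.168.0.0/16
pass any any"

# 3. Split around the divert: "to RFC1918" before, "from RFC1918" after.
#    NATed traffic passes both ways, a spoofed 192.168.x source is still denied.
RULES_SPLIT="deny any 192.168.0.0/16
divert any any
deny 192.168.0.0/16 any
pass any any"

for name in RULES_DENY_BEFORE_DIVERT RULES_DENY_AFTER_DIVERT RULES_SPLIT; do
    eval "rules=\$$name"
    echo "$name"
    echo "  out: $(verdict out "$rules" "$LAN_HOST" 198.51.100.80)"
    echo "  in:  $(verdict in "$rules" 198.51.100.80 "$PUBLIC")"
done
```

Ruleset 1 reproduces the symptom of a LAN that cannot get out while nothing else looks wrong; ruleset 2 is the mirror image, where replies die on the "to 192.168.0.0/16" rule after translation. The split in ruleset 3 is the arrangement later FreeBSD rc.firewall "simple" rulesets adopt, and it keeps the anti-spoofing value of both checks: a packet claiming a 192.168.x source that is not actually behind natd is not translated and still hits the deny.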