Date: Sun, 23 May 1999 23:45:15 -0500
From: Michael Maxwell <drwho@xnet.com>
To: freebsd-questions@freebsd.org
Subject: ipfw/nat/network question
Message-ID: <19990523234514.A26661@atlas.topquark.org>
I have attached a copy of my /etc/rc.firewall. I would like any advice I can get on how to proceed with this.... I need to get machines on my local network (192.168.16.0) to talk to the 'net through the FreeBSD machine (192.168.16.1, inside). I'm simply stuck on this one... I don't know how to get natd working properly with this; if I enabled natd on here, it blocks connections to/from my LAN, etc... I'm sure it's something small that I'm forgetting or missing here, so if anyone could help me out on this, I'd be grateful.

BTW: Please send your responses to "drwho@xnet.com" -- I'm not currently subscribed to the list....

Thanks.

-- 
Michael Maxwell <drwho @ xnet.com> | http://www.xnet.com/~drwho/
-- Stop the illegal attacks on Serbia NOW! --

[Attachment: rc.firewall (text/plain)]

# rc.firewall 5/19/1999

# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

# Flush list
$fwcmd -f flush

# Don't change these two:
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

# Outside network interface:
pppif="ppp0"
pppnet="205.243.140.0"
pppmask="255.255.255.128"	# ?
pppip="205.243.140.183"

# Internal network interface:
lanif="xl0"
lannet="192.168.16.0"
lanmask="255.255.255.0"
lanip="192.168.16.1"

# Local gateway:
langw="192.168.16.1"

# ISP's gateway:
pppgw="198.147.221.1"

# Info for "trusted" machines on outside networks:
typhoon="198.147.221.70"
flood="198.147.221.37"
ns1="198.147.221.34"
ns2="198.147.221.35"

# Natd-specific stuff:
# What to do with local machines who want out?
$fwcmd add divert natd all from ${lannet}:${lanmask} to ${pppip} via ${lanif}

# Prevent address spoofing:
$fwcmd add 10000 deny log all from ${lannet}:${lanmask} to any in via ${pppif}
$fwcmd add 10100 deny log all from ${pppip} to any in via ${lanif}

# Stop RFC 1918 nets on outside interface:
$fwcmd add 10200 deny log all from 192.168.0.0:255.255.0.0 to any via ${pppif}
$fwcmd add 10300 deny log all from 172.16.0.0:255.240.0.0 to any via ${pppif}
$fwcmd add 10400 deny log all from 10.0.0.0:255.0.0.0 to any via ${pppif}

###########################
# TCP-specific rules
###########################

# Allow TCP through if setup succeeded:
$fwcmd add 10500 pass tcp from any to any established

# Allow anything out from our own network (should we divert)?:
$fwcmd add 10600 pass tcp from ${lannet}:${lanmask} to any out via ${pppif}

# Allow all ssh connections:
$fwcmd add 10700 pass log tcp from any to any 22 setup

# Allow setup of incoming mail:
$fwcmd add 10800 pass tcp from any to any 25 setup
$fwcmd add 10850 pass tcp from any to any 110 setup	# POP3

# Allow only local access to NNTP server. Also put a line in here for flood.
$fwcmd add 10900 pass tcp from ${lannet}:${lanmask} to ${lanip} 119 setup

# Allow internal machines to access outside NNTP servers:
$fwcmd add 11000 pass tcp from ${lannet}:${lanmask} to any 119 setup

# Allow our machines access to control and data ftp server ports outside:
$fwcmd add 11100 pass tcp from ${lannet}:${lanmask} to any 20 setup
$fwcmd add 11200 pass tcp from ${lannet}:${lanmask} to any 21 setup

# Allow only LOCAL machines to access our web servers (or other web servers):
$fwcmd add 11300 pass tcp from ${lannet}:${lanmask} to any 80 setup

# Work with squid cache (don't have this setup yet):
# $fwcmd add 11400 pass tcp from ${pppip} to any 8080 via ${pppif} setup

# Allow squid to talk to anything:
# $fwcmd add 11500 pass tcp from ${pppip} to any via ${pppif} setup

# Allow local machines to talk to squid:
# $fwcmd add 11600 pass tcp from ${lannet}:${lanmask} to ${lanip} 8000 via ${lanif} setup

# Allow DNS zone transfers:
$fwcmd add 11700 pass tcp from any to ${lanip} 53 setup
$fwcmd add 11710 pass tcp from any to ${pppip} 53 setup

# Generally allow all local machines access to the outside world:
# DOES NOT WORK...
$fwcmd add 11800 pass tcp from ${lannet}:${lanmask} to any out via ${pppif} setup

# Reject and log setup of all other connections from outside:
$fwcmd add 11900 deny log tcp from any to any in via ${pppif} setup

############################
# UDP Specific (DENY)
############################

############################
# UDP Specific (ALLOW)
############################

# Send any UDP packet out via ethernet interface. Have to add two rules here
# as the process sending the packet could be bound to either interface:
$fwcmd add 12000 pass udp from ${pppip} to any out via ${lanif}
$fwcmd add 12100 pass udp from ${lannet}:${lanmask} to any out via ${lanif}

# Allow DNS queries
$fwcmd add 12200 pass udp from any to any 53 in via ${pppif}
$fwcmd add 12300 pass udp from any to ${lanip} 53

# Allow outgoing DNS replies:
$fwcmd add 12400 pass udp from ${pppip} 53 to any
$fwcmd add 12500 pass udp from ${lanip} 53 to any

# Allow NTP queries
$fwcmd add 12600 pass udp from any 123 to any
$fwcmd add 12700 pass udp from any to any 123

#############################
# Allow ICMP
#############################

# Allow ICMP from anywhere.. could leave us vulnerable to ping attacks
$fwcmd add 12800 pass icmp from any to any

#############################
# GLOBAL
#############################
#$fwcmd add 12900 deny log all from any to any via ${pppif}
$fwcmd add 13000 pass log tcp from any to any 1024-65534
$fwcmd add 13100 pass log udp from any to any 1024-65534

#############################
# Trusted hosts
#############################
$fwcmd add 14000 pass log tcp from ${typhoon} to any setup
$fwcmd add 14100 pass tcp from ${flood} to any 119 setup
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990523234514.A26661>
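The divert rule in the script above only catches packets from the LAN that are addressed to ${pppip} and cross xl0, so traffic that actually leaves on ppp0 toward the Internet never reaches natd, and the pass rules after it are keyed on ${lannet} even though natd rewrites that source address on the way out. The script below is an added example, not the poster's rc.firewall and not FreeBSD's stock one: it shows where the divert rule has to sit (on the outside interface, matching both directions, after the anti-spoofing checks and before any rule that passes traffic) and which addresses the rules on each side of it see. Interface names and addresses are the ones from the message; the rule numbers, the IPFW dry-run variable and the helper functions are this example's own choices; the rc.conf variable names in the comment are those of the FreeBSD 3.x rc.conf.

```shell
#!/bin/sh
# Added example (not the poster's rc.firewall): a minimal ipfw ruleset that
# shows where the natd divert rule goes so that a LAN behind a FreeBSD
# gateway can reach the Internet.
#
# By default the rules are only printed (dry run) so the ordering can be
# inspected offline.  To load them for real, as root:
#     IPFW=/sbin/ipfw sh natd-example.sh        # hypothetical file name
#
# natd and IP forwarding are started from rc.conf (FreeBSD 3.x knob names):
#     gateway_enable="YES"       # net.inet.ip.forwarding=1
#     natd_enable="YES"
#     natd_interface="ppp0"      # natd -n ppp0: same interface as the divert rule
#     natd_flags="-dynamic"      # ppp0 address changes on every dial-up

IPFW="${IPFW:-echo /sbin/ipfw}"     # dry run unless overridden

pppif="ppp0"                  # outside interface: natd must divert here
lanif="xl0"                   # inside interface
lannet="192.168.16.0/24"      # LAN from the message
pppip="205.243.140.183"       # outside address from the message

# Print the ruleset in evaluation order, one rule per line; '#' lines are
# commentary and are stripped before loading.
gen_rules() {
cat <<EOF
# Loopback first, as in the poster's script.
add 1000 pass all from any to any via lo0
add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
# Anti-spoofing checks go BEFORE the divert rule: they must see the
# addresses as they are on the wire, not as natd rewrites them.
add 1100 deny log all from ${lannet} to any in via ${pppif}
add 1200 deny log all from ${pppip} to any in via ${lanif}
# The divert rule: every packet crossing the outside interface, in either
# direction, goes to natd.  After translation the packet re-enters the
# ruleset at the rule following this one, so an outbound LAN packet is now
# seen with source ${pppip} and an inbound reply with a LAN destination.
add 2000 divert natd all from any to any via ${pppif}
# Everything below sees translated addresses, so it uses "any" on the
# side natd rewrites instead of ${lannet}.
add 3000 pass tcp from any to any established
add 3100 pass all from any to any frag
add 3200 pass tcp from any to ${pppip} 22 setup
add 3300 pass tcp from any to ${pppip} 25 setup
add 3400 deny log tcp from any to any in via ${pppif} setup
add 3500 pass tcp from any to any setup
add 3600 pass udp from any to any 53
add 3610 pass udp from any 53 to any
add 3700 pass icmp from any to any
add 65000 deny log all from any to any
EOF
}

# Rule number of the first rule whose text matches the given pattern.
rule_number() {
    gen_rules | grep -v '^#' | grep -- "$1" | head -n 1 | awk '{print $2}'
}

# Sanity check: the divert must precede the first rule that passes
# translated traffic (the "established" rule), or natd never sees packets.
check_order() {
    d=$(rule_number 'divert natd')
    e=$(rule_number 'established')
    [ -n "$d" ] && [ -n "$e" ] && [ "$d" -lt "$e" ]
}

# Flush and load the rules through $IPFW (echo in the dry run).
load_rules() {
    $IPFW -f flush
    gen_rules | grep -v '^#' | while read -r rule; do
        $IPFW $rule
    done
}

check_order && load_rules
```

Run as-is the script prints the ipfw commands it would issue; with IPFW=/sbin/ipfw it loads them. The point to carry over to the poster's script is that the divert rule must match on ${pppif}, not ${lanif}, and that rules placed after it are evaluated against the addresses natd has already rewritten, which is why the stock rc.firewall writes them with "any" rather than the LAN prefix.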