Date:      Sun, 23 May 1999 23:45:15 -0500
From:      Michael Maxwell <drwho@xnet.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw/nat/network question
Message-ID:  <19990523234514.A26661@atlas.topquark.org>


I have attached a copy of my /etc/rc.firewall.  I would like any advice
I can get on how to proceed with this....

I need to get machines on my local network (192.168.16.0) to talk to the
'net through the FreeBSD machine (192.168.16.1, inside).  I'm simply stuck
on this one... I don't know how to get natd working properly with this;
if I enabled natd on here, it blocks connections to/from my LAN, etc...

I'm sure it's something small that I'm forgetting or missing here, so if
anyone could help me out on this, I'd be grateful.

BTW: Please send your responses to "drwho@xnet.com" -- I'm not currently
subscribed to the list....

Thanks.

-- 
    Michael Maxwell <drwho @ xnet.com>  |  http://www.xnet.com/~drwho/
              -- Stop the illegal attacks on Serbia NOW! --

Content-Disposition: attachment; filename="rc.firewall"

# rc.firewall  5/19/1999
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

# Flush list
$fwcmd -f flush

# Don't change these two:
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

# Outside network interface:
pppif="ppp0"
pppnet="205.243.140.0"
pppmask="255.255.255.128"	# ?
pppip="205.243.140.183"

# Internal network interface:
lanif="xl0"
lannet="192.168.16.0"
lanmask="255.255.255.0"
lanip="192.168.16.1"

# Local gateway:
langw="192.168.16.1"
# ISP's gateway:
pppgw="198.147.221.1"

# Info for "trusted" machines on outside networks:
typhoon="198.147.221.70"
flood="198.147.221.37"
ns1="198.147.221.34"
ns2="198.147.221.35"

# Natd-specific stuff:

# What to do with local machines who want out?
$fwcmd add divert natd all from ${lannet}:${lanmask} to ${pppip} via ${lanif}

# Prevent address spoofing:
$fwcmd add 10000 deny log all from ${lannet}:${lanmask} to any in via ${pppif}
$fwcmd add 10100 deny log all from ${pppip} to any in via ${lanif}

# Stop RFC 1918 nets on outside interface:
$fwcmd add 10200 deny log all from 192.168.0.0:255.255.0.0 to any via ${pppif}
$fwcmd add 10300 deny log all from 172.16.0.0:255.240.0.0 to any via ${pppif}
$fwcmd add 10400 deny log all from 10.0.0.0:255.0.0.0 to any via ${pppif}


###########################
# TCP-specific rules
###########################

# Allow TCP through if setup succeeded:
$fwcmd add 10500 pass tcp from any to any established

# Allow anything out from our own network (should we divert)?:
$fwcmd add 10600 pass tcp from ${lannet}:${lanmask} to any out via ${pppif}

# Allow all ssh connections:
$fwcmd add 10700 pass log tcp from any to any 22 setup

# Allow setup of incoming mail:
$fwcmd add 10800 pass tcp from any to any 25 setup
$fwcmd add 10850 pass tcp from any to any 110 setup	# POP3

# Allow only local access to NNTP server.  Also put a line in here for flood.
$fwcmd add 10900 pass tcp from ${lannet}:${lanmask} to ${lanip} 119 setup

# Allow internal machines to access outside NNTP servers:
$fwcmd add 11000 pass tcp from ${lannet}:${lanmask} to any 119 setup

# Allow our machines access to control and data ftp server ports outside:
$fwcmd add 11100 pass tcp from ${lannet}:${lanmask} to any 20 setup
$fwcmd add 11200 pass tcp from ${lannet}:${lanmask} to any 21 setup

# Allow only LOCAL machines to access our web servers(or other web servers):
$fwcmd add 11300 pass tcp from ${lannet}:${lanmask} to any 80 setup

# Work with squid cache (don't have this setup yet):
# $fwcmd add 11400 pass tcp from ${pppip} to any 8080 via ${pppif} setup

# Allow squid to talk to anything:
# $fwcmd add 11500 pass tcp from ${pppip} to any via ${pppif} setup

# Allow local machines to talk to squid:
# $fwcmd add 11600 pass tcp from ${lannet}:${lanmask} to ${lanip} 8000 via ${lanif} setup

# Allow DNS zone transfers:
$fwcmd add 11700 pass tcp from any to ${lanip} 53 setup
$fwcmd add 11710 pass tcp from any to ${pppip} 53 setup

# Generally allow all local machines access to the outside world:
# DOES NOT WORK...
$fwcmd add 11800 pass tcp from ${lannet}:${lanmask} to any out via ${pppif} setup

# Reject and log setup of all other connections from outside:
$fwcmd add 11900 deny log tcp from any to any in via ${pppif} setup

############################
# UDP Specific (DENY)
############################


############################
# UDP Specific (ALLOW)
############################

# Send any UDP packet out via ethernet interface.  Have to add two rules here
# as the process sending the packet could be bound to either interface:
$fwcmd add 12000 pass udp from ${pppip} to any out via ${lanif}
$fwcmd add 12100 pass udp from ${lannet}:${lanmask} to any out via ${lanif}

# Allow DNS queries
$fwcmd add 12200 pass udp from any to any 53 in via ${pppif}
$fwcmd add 12300 pass udp from any to ${lanip} 53

# Allow outgoing DNS replies:
$fwcmd add 12400 pass udp from ${pppip} 53 to any
$fwcmd add 12500 pass udp from ${lanip} 53 to any

# Allow NTP queries
$fwcmd add 12600 pass udp from any 123 to any
$fwcmd add 12700 pass udp from any to any 123

#############################
# Allow ICMP
#############################

# Allow ICMP from anywhere.. could leave us vulnerable to ping attacks
$fwcmd add 12800 pass icmp from any to any

#############################
# GLOBAL
#############################

#$fwcmd add 12900 deny log all from any to any via ${pppif}
$fwcmd add 13000 pass log tcp from any to any 1024-65534
$fwcmd add 13100 pass log udp from any to any 1024-65534

#############################
# Trusted hosts
#############################
$fwcmd add 14000 pass log tcp from ${typhoon} to any setup
$fwcmd add 14100 pass tcp from ${flood} to any 119 setup


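Added example, not part of Michael's post and not FreeBSD's stock rc.firewall: a dry-run sh script that emits the ipfw/natd rule ordering the attached file is missing. The posted divert rule matches only `from ${lannet} to ${pppip} via ${lanif}`, i.e. LAN traffic addressed to the gateway itself, so packets bound for the Internet never reach natd in either direction; the divert has to sit on the outside interface and match `all from any to any`. Once it does, every rule after it sees translated addresses, which is why the outbound pass rules below name `${pppip}` rather than `${lannet}` (the posted 10600 and 11800 could never match post-NAT). The addresses and interface names are the ones from the post; the rc.conf variable names (`gateway_enable`, `natd_enable`, `natd_interface`, `natd_flags`) are the FreeBSD 3.x ones and should be checked against /etc/defaults/rc.conf on the release in use. The closing deny rule is my addition: the posted 13000/13100 rules pass inbound TCP and UDP to every port above 1023, which leaves the earlier rules little to protect.

```shell
#!/bin/sh
# Added example, not part of the original post: a dry-run generator for the
# ipfw/natd rule set the attached rc.firewall needs. Addresses and interface
# names are the ones from the post. FWCMD defaults to "echo" so the rules are
# printed; set FWCMD=/sbin/ipfw on a FreeBSD box whose kernel has
# options IPFIREWALL and IPDIVERT, and only after natd is running (packets
# hitting a divert rule with no listener on the divert socket are dropped).
: "${FWCMD:=echo}"

pppif="ppp0"
pppip="205.243.140.183"
lanif="xl0"
lannet="192.168.16.0"
lanmask="255.255.255.0"

# NAT section. The divert rule has to see BOTH directions of traffic on the
# outside interface: outbound so natd can rewrite the 192.168.16.x source to
# ${pppip}, inbound so the replies get mapped back. The posted rule
# ("... to ${pppip} via ${lanif}") only matches LAN packets addressed to the
# gateway itself, so nothing destined for the Internet is ever translated.
nat_rules() {
    $FWCMD add 1100 divert natd all from any to any via "$pppif"
    # Anti-spoofing stays after the divert. An inbound reply is rewritten to a
    # LAN destination, but a packet arriving on ppp0 with a LAN source is
    # still bogus and is still caught here.
    $FWCMD add 10000 deny log all from "${lannet}:${lanmask}" to any in via "$pppif"
    $FWCMD add 10100 deny log all from "$pppip" to any in via "$lanif"
}

# Rules evaluated after the divert see translated addresses. Outbound packets
# leaving ppp0 therefore carry ${pppip}, so a pass rule written against
# ${lannet} "out via ${pppif}" (10600 and 11800 in the post) can never match;
# the rule must name the gateway's own address.
outbound_rules() {
    $FWCMD add 10500 pass tcp from any to any established
    $FWCMD add 11800 pass tcp from "$pppip" to any out via "$pppif" setup
    $FWCMD add 11900 deny log tcp from any to any in via "$pppif" setup
    # The posted 13000/13100 "pass ... 1024-65534" rules admit unsolicited
    # inbound TCP/UDP to every high port from the outside. Finish with an
    # explicit logged deny instead so the default-to-deny policy holds.
    $FWCMD add 65000 deny log all from any to any
}

all_rules() {
    nat_rules
    outbound_rules
}

# rc.conf knobs the post does not show (FreeBSD 3.x names; confirm against
# /etc/defaults/rc.conf on the release in use). Without gateway_enable the
# kernel never forwards LAN packets at all, whatever ipfw says. -dynamic makes
# natd follow ppp0's address when the ISP hands out a new one.
rc_conf_lines() {
    cat <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ppp0"
natd_flags="-dynamic"
EOF
}

# Sanity check on the dry-run output: the divert rule must carry the lowest
# number of the set, so every later rule sees post-NAT addresses.
# Exit status 0 when the ordering is right.
divert_is_first() {
    ( FWCMD=echo; all_rules ) | awk '
        $3 == "divert" { divert = $2 + 0 }
        $3 != "divert" && (min == "" || $2 + 0 < min) { min = $2 + 0 }
        END { exit !(divert != "" && divert < min) }'
}

# Usage: sh nat_rules.sh prints the rule set; FWCMD=/sbin/ipfw sh nat_rules.sh
# loads it (run "ipfw -f flush" first, as the posted file does).
all_rules
divert_is_first && echo "ok: divert rule precedes all other rules"
```

The ordering check matters because ipfw reinjects a packet just after the divert rule that sent it to natd; any rule numbered below the divert still sees the untranslated addresses, and any rule above it sees the translated ones. Keep the divert low, the anti-spoof denies right after it, and write every "out via ppp0" pass against the gateway address.
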
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990523234514.A26661>