From owner-freebsd-ipfw Mon Jan 8 12:36:30 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id E30CD37B85E for ; Mon, 8 Jan 2001 12:07:36 -0800 (PST)
Received: from wkst ([209.16.228.146]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id PAA15928; Mon, 8 Jan 2001 15:13:03 -0500
Reply-To:
From: "Peter Brezny"
To: "'blaz'"
Cc:
Subject: RE: firewall/nat problems
Date: Mon, 8 Jan 2001 15:06:41 -0800
Message-ID: <003301c079c7$aa486d60$46010a0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
In-Reply-To: <3A57FDDE.6B2D24C3@satx.rr.com>
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Your onwr= should be equal to the network range provided by your ISP. It should look very similar to your inwr= line, which you have correctly specified. If you only have one IP (for instance a cable modem), just put in the IP and leave off the '/24' etc., or put in '/30'. That should do it.

Also, you don't need the NTP server line. Since your system will be initiating the request to the time server, a keep-state rule will be created for this connection in the second line above the default deny rule in your ruleset (this is an error in the script that I published, sorry about that, I'll make a note of it today). Leaving your allow rule in for the time server will actually cause problems, since your system will try to resolve the name before the firewall has reached the lines that allow such requests.

I hope this helps.

Peter Brezny
SysAdmin Services Inc.
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of blaz
Sent: Saturday, January 06, 2001 9:26 PM
To: freebsd-ipfw@FreeBSD.ORG
Subject: firewall/nat problems

Greetings,

I added the following to my kernel and rebuilt:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

Then I added to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"    # my NIC connected to cable modem
natd_flags="-dynamic"
firewall_script="/etc/rc.firewall.new"

Then my rc.firewall.new script is where I am getting confused... not with the rules, but the variables I need to supply:

#Define your variables
#
fwcmd="/sbin/ipfw"    #leave as is if using ipfw
oif="oifx"            #set to outside interface name
onwr="a.b.c.d/24"     #set to outside network range
oip="a.b.c.d"         #set to outside ip address
iif="ifx"             #set to internal interface name
inwr="x.y.z.x/24"     #set to internal network range
iip="x.y.z.x"         #set to internal ip address
ns1="e.f.g.h"         #set to primary name server best if = oif
#ntp="i.j.k.l"        #set to ip of NTP server or leave as is

Below is what I supplied, and when I try to ping the local network I get TCP/IP denied... it's blocking the packets, and I don't think it's the rules, but the interface information. I will supply the rules at the end, in case it is -- I am going by an article I read on bsdtoday.com. Anyway, here is what I supplied:

fwcmd="/sbin/ipfw"        #leave as is if using ipfw
oif="xl0"                 #set to outside interface name
onwr="255.255.255.0"      #set to outside network range  -- I am not sure about this..
oip="my ip"               #set to outside ip address  -- I use DHCP, but supplied current IP; this has to be wrong
iif="xl1"                 #set to internal interface name
inwr="192.168.2/24"       #set to internal network range
iip="192.168.2.1"         #set to internal ip address
ns1="my name server"      #set to primary name server best if = oif
ntp="clock.isc.org"       #set to ip of NTP server or leave as is

I know I must have this screwed up :) but here are my rules in case it's not:

# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loopback to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
# $fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
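Peter's point above is that oip and onwr must describe the address the ISP actually gave the outside interface, which on a DHCP cable link is only known once the lease arrives. The following shell script is an added example (not part of Peter's published script, the bsdtoday article, or blaz's configuration): it parses the inet line of ifconfig(8) output for the outside interface, converts the hexadecimal netmask to a prefix length, and prints the oip= and onwr= assignments the rule script expects. The interface samples, the addresses (RFC 5737 documentation ranges) and the MAC are constructed, and the "inet A netmask 0x... broadcast B" layout of ifconfig output is assumed.

```shell
#!/bin/sh
# Added example: derive the tutorial's oip/onwr values from ifconfig(8)
# output instead of guessing them. Not part of the original script; the
# sample addresses below are constructed (RFC 5737 documentation ranges).

# prefix_len 0xffffff00 -> 24.  Rejects a non-contiguous mask.
prefix_len() {
    mask=$(( $1 & 0xffffffff ))
    n=0
    while [ $(( mask & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 ))
        mask=$(( (mask << 1) & 0xffffffff ))
    done
    if [ "$mask" -ne 0 ]; then
        echo "prefix_len: $1 is not a contiguous netmask" >&2
        return 1
    fi
    echo "$n"
}

# ip_to_int 203.0.113.77 -> 3405803853 ; int_to_ip does the reverse.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# derive_vars "<ifconfig output for one interface>" prints the two
# assignments the tutorial script expects, e.g.
#   oip="203.0.113.77"
#   onwr="203.0.112.0/23"
# For a point-to-point link (inet A --> B) there is no broadcast network,
# so onwr is set to the address alone, as Peter suggests for a single IP.
derive_vars() {
    fields=$(printf '%s\n' "$1" | awk '
        $1 == "inet" {
            for (i = 1; i <= NF; i++) if ($i == "netmask") {
                print $2, $(i + 1), (index($0, "-->") ? "p2p" : "net")
                exit
            }
        }')
    [ -n "$fields" ] || { echo "derive_vars: no inet line found" >&2; return 1; }
    set -- $fields
    ip=$1; mask=$2; kind=$3
    if [ "$kind" = p2p ]; then
        printf 'oip="%s"\nonwr="%s"\n' "$ip" "$ip"
        return 0
    fi
    plen=$(prefix_len "$mask") || return 1
    ipint=$(ip_to_int "$ip")
    net=$(int_to_ip $(( ipint & $mask )))
    printf 'oip="%s"\nonwr="%s/%s"\n' "$ip" "$net" "$plen"
}

# Constructed sample in the shape of "ifconfig xl0" on a DHCP cable link
SAMPLE_XL0='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.77 netmask 0xfffffe00 broadcast 203.0.113.255
        ether 00:00:c0:70:db:e6'

# Constructed sample of a ppp0 link like the one in Robert's ifconfig -a
SAMPLE_PPP0='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 203.0.113.101 --> 203.0.113.98 netmask 0xffffff00'

derive_vars "$SAMPLE_XL0"
derive_vars "$SAMPLE_PPP0"
```

On a real box, feed it the output of `ifconfig xl0` once the DHCP lease is up and source the two lines from the rule script; the values change whenever the lease changes, so the firewall script has to be re-run at that point too.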
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jan 10 23:27:47 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from xela.oopz.com (xela.oopz.com [209.20.244.131]) by hub.freebsd.org (Postfix) with ESMTP id 7873237B401 for ; Wed, 10 Jan 2001 23:27:30 -0800 (PST)
Subject: logging
Date: Wed, 10 Jan 2001 23:27:29 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: logging
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
content-class: urn:content-classes:message
Thread-Index: AcB7n/SEZlXgyItOQRGQhWopkVIsOQ==
From: "Noah Davidson"
To: "FreeBSD-IPFW list (E-mail)"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am trying to upgrade from FreeBSD 3.4 to FreeBSD 4.2. Basically all I have going here is a single rule.

/sbin/ipfw add 500 allow log all from any to any

This should log every packet as it goes through the box, but it only logs certain packets. When I kill syslogd it seems to log every packet as I would expect, but since syslogd is no longer running it just logs to the console and nowhere else. When I manually start syslogd the logging stops again. How can I get ipfw to work and log packets?
Thanks

Noah Davidson

From owner-freebsd-ipfw Sat Jan 13 5:27:28 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 7EF8B37B400; Sat, 13 Jan 2001 05:27:00 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id FAA16944; Sat, 13 Jan 2001 05:26:49 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101131326.FAA16944@spammie.svbug.com>
Date: Sat, 13 Jan 2001 05:26:45 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Fwd: dialup firewall with FreeBSD
To: questions@freebsd.org
Cc: ipfw@freebsd.org, buckland@btl.net
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Your question is forwarded to questions@freebsd.org and ipfw@freebsd.org. They can help you better than doc@freebsd.org.

------ Forwarded message ------
From: "Robert M. Buckland"
Subject: dialup firewall with FreeBSD
Date: Wed, 10 Jan 2001 16:27:36 -0600
To: doc@FreeBSD.ORG

Hello,

I once asked for help in a dialup firewall solution that I implemented for our network and I got help - I hope someone out there can help again. I have gotten all the machines on our internal network to get out, but I need to route some traffic back in. I have been able to get the internal network out on the net using pppd and natd, and kernel-mode ipfw is enabled. However, I have been having trouble with getting some traffic in. Basically, while the internal machines can get out with no problems, I need some traffic to come in. I need web requests that are sent to port 80 of the firewall machine to be redirected to a webserver on the internal network.
I also need mail coming in for the network to be redirected to that same server on the internal network.

Let me detail the current setup:

I have currently set the firewall type to "open" in rc.conf. I figured that I should not try to use rules until I get the service properly established between the internal and external networks. Hence I commented out the firewall rules file and set it to open in rc.conf as follows:

>firewall_enable="YES"
>firewall_type="open"
>#firewall_type="/etc/firewall/fwrules"

I have tried to use natd with the -redirect_port option, but I have trouble with it. The system seems to work fine when I set the natd startup to -dynamic, but when I try to call the natd.conf file it doesn't work and I cannot get out. Hence I also have that commented out in rc.conf as follows:

>natd_enable="YES"
>natd_interface="ppp0"
>natd_flags="-dynamic"
>#natd_flags="-f /etc/natd.conf"

My natd.conf file that I was trying to call looks like this:

>interface ppp0
>use_sockets yes
>same_ports yes
>redirect_port tcp 89.0.0.14:80 80
>redirect_port udp 89.0.0.14:80 80
>redirect_port tcp 89.0.0.14:110 110
>redirect_port udp 89.0.0.14:110 110

89.0.0.14 is the server on the other end of the crossover cable (the DMZ) that has web and mail services running. That machine is an NT fileserver that has a webserver (IIS) and a mail server that supports POP, IMAP and HTTP access. The mailserver's web component runs on 8383, but I am hoping that I can do a redirect on that server from port 80. If not, I will need to also explicitly place the redirect on the FreeBSD box.

Also, I have not started using my firewall rules. Should I use this instead of natd and redirects? Which is the best way to do this?

I do have a firewall rules file set up as below:

>#Define the firewall command for easy reference
>fwcmd="/sbin/ipfw"
>
>#Flush the rules before reloading
>$fwcmd -f flush
>
>#Divert all packets through the tunnel interface
>$fwcmd add divert natd all from any to any via ppp0
>
>#Allow all data from nic and localhost
>$fwcmd add allow ip from any to any via lo0
>$fwcmd add allow ip from any to any via de0
>
>#Allow all connections initiated from Sentinel
>$fwcmd add allow tcp from any to any out xmit ppp0 setup
>
>#Allow established connections to stay open
>$fwcmd add allow tcp from any to any via ppp0 established
>
>#Allow Internet connections to specific services
>$fwcmd add allow tcp from any to any 80 setup
>$fwcmd add allow tcp from any to any 21 setup
>$fwcmd add allow tcp from any to any 22 setup
>$fwcmd add allow tcp from any to any 23 setup
>
>#Reset all ident packets
>$fwcmd add reset log tcp from any to any 113 in recv ppp0
>
>#Allow outgoing DNS queries to specific DNS servers
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to 89.0.0.14 out xmit de0
>
>#Allow ICMP (for ping and traceroute to work for testing)
>#Remember to disallow this when no longer needed
>$fwcmd add 65435 allow icmp from any to any
>
>#Deny all the rest
>$fwcmd add 65435 deny log ip from any to any

This firewall rules set is based on the one I got from your tutorial, but it doesn't seem to work when I call it.

This is the result when I type "ifconfig -a":

>de0: flags=8843 mtu 1500
>        inet 89.0.0.10 netmask 0xfffffff0 broadcast 89.0.0.15
>        inet6 fe80::200:c0ff:fe70:dbe6%de0 prefixlen 64 scopeid 0x1
>        ether 00:00:c0:70:db:e6
>        media: autoselect (10baseT/UTP) status: active
>        supported media: autoselect 10base5/AUI 10base2/BNC 10baseT/UTP 10baseT/UTP
>lp0: flags=8810 mtu 1500
>sl0: flags=c010 mtu 552
>ppp0: flags=8051 mtu 1500
>        inet x.x.x.101 --> x.x.x.98 netmask 0xffffff00
>lo0: flags=8049 mtu 16384
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>        inet6 ::1 prefixlen 128
>        inet 127.0.0.1 netmask 0xff000000
>gif0: flags=8010 mtu 1280
>gif1: flags=8010 mtu 1280
>gif2: flags=8010 mtu 1280
>gif3: flags=8010 mtu 1280
>faith0: flags=8000 mtu 1500

Note that I have replaced the public IP with "x" for security reasons, since I am sending this via plain text. I am willing to trust someone with more details such as actual IPs, but I would send that information via PGP. Also note that I am using 89.0.0.0/16 as a private block. I always thought that Internic had also assigned 89.* as a class A private IP block. It was pointed out to me that this is incorrect, so I will change the crossover link to 172. However, I don't think that has anything to do with my current dilemma.

I do hope someone can help, since I convinced my manager that the FreeBSD solution I implemented is a good solution and more robust than plugging in his NT servers directly. I need to have him see his website and get mail in and he'll be happy. Mail can be sent out from the domain, but of course it can't be received as yet.

Robert Buckland

--------------------------------------------------------------------------
ORIGINAL MESSAGE
--------------------------------------------------------------------------

I'm hoping someone out there can help...

I've set up a FreeBSD 4.1 machine to act as a firewall routing packets between my internal and external network. I followed your dialup firewall tutorial and recompiled my kernel as you suggested, adding the IPFILTER and IPDIVERT options. I then added the firewall and natd options to my rc.conf file. Upon boot the ipfirewall options and divert are enabled; however, natd reports that it cannot find the tun0 interface - that it is not a valid interface. I do have the -dynamic tag, but pppd does not start until much later - I have it in rc.d as "000pppd.sh", but even though it is the first to start there, this still occurs after natd has initialized. I have tried userppp, which I can get to use nat, but I can't get it to autostart as smoothly as pppd - furthermore, I also would prefer to use the kernel-based firewall, as this system will protect a fairly high-profile company. Is there anything I have missed? I noticed in the man pages for natd they mentioned that it is not for dialup options.

A bit about my network setup: My connection is also a bit strange - rather than a dialup, the connection is a dedicated leased-line connection between two analog modems - I'm down here in Belize and this is the best they could offer me. The modems are set to originate and answer respectively; I simply need to send an ATZ command to our modem to reestablish the link. The IPs are also static. I have this working nicely with pppd - the chat script simply sends a reset to the modem and pppd is set to persist. I then have a crossover cable (as a perimeter network) to an internal server. That internal server will house the company's mailserver and webserver. I planned to have the FreeBSD box route packets from the outside to the web and mail server on the internal network and route all Internet-based traffic from the internal network. It seemed to me like natd and ipfw were the ideal solution.

Is there anything I am doing wrong? Something I have missed? Or somewhere you could point me? I'll appreciate any help you can offer.
Sincerely

Robert Buckland

From owner-freebsd-ipfw Sat Jan 13 23:20:34 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id D417537B401 for ; Sat, 13 Jan 2001 23:20:15 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id XAA00629; Sat, 13 Jan 2001 23:20:10 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101140720.XAA00629@spammie.svbug.com>
Date: Sat, 13 Jan 2001 23:20:06 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: logging
To: Noah@oopz.com
Cc: freebsd-ipfw@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 10 Jan, Noah Davidson wrote:
> I am trying to upgrade from FreeBSD 3.4 to FreeBSD 4.2. Basically all I
> have going here is a single rule.
>
> /sbin/ipfw add 500 allow log all from any to any
>
> This should log every packet as it goes through the box, but it only
> logs certain packets. When I kill syslogd it seems to log every packet
> as I would expect, but since syslogd is no longer running it just logs
> to the console and nowhere else. When I manually start syslogd the
> logging stops again. How can I get ipfw to work and log packets?
>
Let's go through the steps:

1) Does /var/log/ipfw.log exist?
2) Did you add an entry to /etc/syslog.conf?
3) Did you compile your kernel with the following:

options IPFIREWALL_VERBOSE              #print information about dropped packets
options IPFIREWALL_FORWARD              #enable transparent proxy support
options "IPFIREWALL_VERBOSE_LIMIT=100"  #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

4) Specifically, did you set IPFIREWALL_VERBOSE_LIMIT?

Jessem.
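For the redirect problem in Robert Buckland's forwarded message, the following is an added example rule script in the same fwcmd style (not Robert's script and not the tutorial he cites), together with a lint pass that rejects two things visible in his quoted rules: two rules both numbered 65435, and rules for the uplink placed ahead of the natd divert. The inside server 172.16.0.14, the inside NIC de0, the uplink ppp0 and the resolver 203.0.113.53 are hypothetical values.

```shell
#!/bin/sh
# Added example, not Robert's script or the tutorial's: a rule set for a ppp0
# uplink where natd redirects TCP 80 and 110 to an inside server, plus a lint
# pass that catches two mistakes visible in the quoted script (two rules
# numbered 65435, and rules for the uplink placed before the natd divert).
# Hypothetical values: inside server 172.16.0.14, inside NIC de0, uplink ppp0,
# resolver 203.0.113.53.  Usage: sh fwrules.sh preview  |  sh fwrules.sh apply

oif=ppp0
iif=de0
srv=172.16.0.14
ns1=203.0.113.53

# Emits the rules through $FWCMD (default /sbin/ipfw; set FWCMD=echo to preview)
emit_rules() {
    fwcmd=${FWCMD:-/sbin/ipfw}
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # natd must see every packet on the uplink before any other rule does:
    # inbound packets are rewritten here, so later rules match the inside
    # address, and outbound replies from $srv are un-NATed here.
    $fwcmd add 200 divert natd ip from any to any via $oif
    $fwcmd add 300 allow ip from any to any via $iif
    # connections the firewall or the inside hosts open themselves
    $fwcmd add 400 allow tcp from any to any out xmit $oif setup
    $fwcmd add 410 allow tcp from any to any via $oif established
    # the redirected services: after the divert the destination is already $srv
    $fwcmd add 500 allow tcp from any to $srv 80 setup in recv $oif
    $fwcmd add 510 allow tcp from any to $srv 110 setup in recv $oif
    # stateless DNS pair; the reply rule trusts source port 53 from $ns1 only
    $fwcmd add 600 allow udp from any to $ns1 53 out xmit $oif
    $fwcmd add 610 allow udp from $ns1 53 to any in recv $oif
    $fwcmd add 700 reset log tcp from any to any 113 in recv $oif
    $fwcmd add 65000 allow icmp from any to any icmptypes 0,3,8,11
    $fwcmd add 65400 deny log ip from any to any
}

# Reads rules ("add N ...") on stdin, as printed with FWCMD=echo, and fails on
# a duplicate rule number or on a rule for the uplink that precedes the divert.
lint_rules() {
    awk -v oif="$1" '
        $1 == "add" && $2 ~ /^[0-9]+$/ && seen[$2]++ {
            print "duplicate rule number " $2 ": " $0; bad = 1
        }
        /divert natd/ && !divert { divert = NR }
        /allow|deny/ && $0 ~ oif && !divert {
            print "rule for " oif " before the natd divert: " $0; bad = 1
        }
        END { exit bad + 0 }'
}

case "${1:-}" in
    preview)
        FWCMD=echo
        rules=$(emit_rules)
        printf '%s\n' "$rules"
        printf '%s\n' "$rules" | lint_rules "$oif"
        ;;
    apply)
        FWCMD=echo
        printf '%s\n' "$(emit_rules)" | lint_rules "$oif" || exit 1
        FWCMD=/sbin/ipfw
        emit_rules
        ;;
esac
```

`sh fwrules.sh preview` prints and lints the rules without touching the kernel. A shell script like this belongs in firewall_script (as blaz's rc.conf has it), not in firewall_type: rc.firewall hands a firewall_type path to ipfw as a plain rule file. Two caveats on the natd side of Robert's setup: HTTP and POP3 are TCP, so the udp redirect_port lines do nothing useful, and switching natd_flags from -dynamic to -f /etc/natd.conf drops the -dynamic behaviour unless the file itself contains `dynamic yes`.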
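Noah's symptom above (logging that looks complete on the console but "stops" once syslogd is running) is what an ipfw log looks like when syslogd folds identical consecutive lines into "last message repeated N times" and when a rule reaches the per-rule cap set by the IPFIREWALL_VERBOSE_LIMIT option Jessem asks about. The following shell script is an added example, not from either message: it summarises an ipfw syslog excerpt per rule and action, credits the folded repeats back to the rule, and flags rules that have hit the cap. The sample log lines are constructed, and the "ipfw: <rule> <Action> ..." and "ipfw: limit N reached on entry R" layouts are assumptions about the 4.x kernel's messages.

```shell
#!/bin/sh
# Added example: summarise ipfw log lines from syslog, accounting for the two
# things that make the log look incomplete: syslogd folding identical lines
# into "last message repeated N times", and the per-rule logging cap
# (IPFIREWALL_VERBOSE_LIMIT / net.inet.ip.fw.verbose_limit), after which the
# kernel logs "ipfw: limit N reached on entry R" and stops until ipfw resetlog.
# The line layouts are assumptions and the sample lines below are constructed.

# Reads syslog lines on stdin; prints "rule action count" per rule/action and
# a "limit ... reached" line for every rule that hit the cap, sorted.
ipfw_log_summary() {
    awk '
        # e.g. "... /kernel: ipfw: 500 Accept TCP 192.168.2.5:1025 203.0.113.7:80 in via xl0"
        /ipfw: [0-9]+ [A-Z][a-z]+ / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            key = $(i + 1) " " $(i + 2)        # rule number, action
            count[key]++
            last = key
            next
        }
        # e.g. "... /kernel: ipfw: limit 100 reached on entry 500"
        /ipfw: limit [0-9]+ reached on entry [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "entry") capped[$(i + 1)] = $(i - 3)
            next
        }
        # syslogd compression: credit the repeats to the previous ipfw line
        /last message repeated [0-9]+ times/ {
            if (last != "")
                for (i = 1; i <= NF; i++) if ($i == "repeated") count[last] += $(i + 1)
            next
        }
        # any other line breaks the "previous ipfw line" relationship
        { last = "" }
        END {
            for (k in count) print k, count[k]
            for (r in capped) print r, "limit", capped[r], "reached: logging stopped until ipfw resetlog"
        }' | LC_ALL=C sort
}

# Constructed sample log excerpt (not real traffic)
SAMPLE_LOG='Jan 10 23:27:29 gw /kernel: ipfw: 500 Accept TCP 192.168.2.5:1025 203.0.113.7:80 in via xl0
Jan 10 23:27:29 gw last message repeated 3 times
Jan 10 23:27:30 gw /kernel: ipfw: 500 Accept UDP 192.168.2.5:1026 203.0.113.53:53 out via xl0
Jan 10 23:27:31 gw /kernel: ipfw: 65435 Deny TCP 198.51.100.9:4444 203.0.113.7:23 in via xl0
Jan 10 23:27:31 gw /kernel: ipfw: limit 100 reached on entry 65435'

printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary
```

ipfw logs through syslog's security facility, so the /etc/syslog.conf entry Jessem asks about is a `security.*` line naming the log file. `sysctl net.inet.ip.fw.verbose_limit` shows the cap that IPFIREWALL_VERBOSE_LIMIT set, and `ipfw resetlog` clears the per-rule counters so a capped rule logs again.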