Date:      Mon, 8 Jan 2001 15:06:41 -0800
From:      "Peter Brezny" <peter@sysadmin-inc.com>
To:        "'blaz'" <blaz@satx.rr.com>
Cc:        <freebsd-ipfw@freebsd.org>
Subject:   RE: firewall/nat problems
Message-ID:  <003301c079c7$aa486d60$46010a0a@sysadmininc.com>
In-Reply-To: <3A57FDDE.6B2D24C3@satx.rr.com>

Your onwr= should be equal to the network range provided by your ISP. It
should look very similar to your inwr= line, which you have correctly
specified.

If you only have one IP (for instance a cable modem), just put in the IP and
leave off the '/24' etc., or put in '/30'.

That should do it.

Also,

You don't need the ntp server line. Since your system will be initiating
the request to the time server, a keep-state rule will be created for this
connection in the second line above the default deny rule in your ruleset
(this is an error in the script that I published, sorry about that, I'll
make a note of it today). Leaving your allow rule in for the time server
will actually cause problems, since your system will try to resolve the name
before the firewall has reached the lines that allow such requests.

I hope this helps.

Peter Brezny
SysAdmin Services Inc.


-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of blaz
Sent: Saturday, January 06, 2001 9:26 PM
To: freebsd-ipfw@FreeBSD.ORG
Subject: firewall/nat problems


greetings,

I added the following to my kernel and rebuilt:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT


then I added to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"          # my NIC connected to cable modem
natd_flags="-dynamic"
firewall_script="/etc/rc.firewall.new"


Then my rc.firewall.new script is where I am getting
confused... not with the rules, but the variables I need
to supply:

#Define your variables
#
fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.d/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address

iif="ifx"               #set to internal interface name
inwr="x.y.z.x/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address
ns1="e.f.g.h"           #set to primary name server best if = oif
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is

Below is what I supplied, and when I try to ping
the local network I get TCP/IP denied... it's blocking the packets
and I don't think it's the rules, but the interface information.

I will supply the rules at the end, in case it is -- I am going
by an article I read on bsdtoday.com... anyway, here is what
I supplied:


fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="xl0"               #set to outside interface name
onwr="255.255.255.0"    #set to outside network range
                        # I am not sure about this..

oip="my ip"             #set to outside ip address
                        # I use DHCP, but supplied current IP
                        # this has to be wrong


iif="xl1"               #set to internal interface name
inwr="192.168.2/24"     #set to internal network range
iip="192.168.2.1"       #set to internal ip address
ns1="my name server"    #set to primary name server best if = oif
ntp="clock.isc.org"     #set to ip of NTP server or leave as is


I know I must have this screwed up :) but here are my rules in
case it's not:


# Rules with descriptions
#
#
#       Force a flush of the current firewall rules before we reload
        $fwcmd -f flush
#
#       Allow your loop back to work
        $fwcmd add allow all from any to any via lo0
#
#       Prevent spoofing of your loopback
        $fwcmd add deny log all from any to 127.0.0.0/8
#
#       Stop spoofing of your internal network range
        $fwcmd add deny log ip from $inwr to any in via $oif
#
#       Stop spoofing from inside your private ip range
        $fwcmd add deny log ip from not $inwr to any in via $iif
#
#       Stop private networks (RFC1918) from entering the outside interface.
        $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
        $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
        $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
        $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
        $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
        $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
#       Stop draft-manning-dsua-01.txt nets on the outside interface
        $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
        $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
        $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
        $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
        $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
        $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
        $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
        $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
        $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
        $fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
#       Divert all packets through natd
        $fwcmd add divert natd all from any to any via $oif
#
#       Allow all established connections to persist (setup required
#       for new connections).
        $fwcmd add allow tcp from any to any established
#
#       Allow incoming requests to reach the following services:
#       To allow multiple services you may list them separated
#       by a comma, for example ...to $oip 22,25,110,80 setup
        $fwcmd add allow tcp from any to $oip 22 setup
#
#       NOTE: you may have to change your client to passive or active mode
#               to get ftp to work once enabled, only ssh enabled by default.
#       21:ftp
#       22:ssh          enabled by default
#       23:telnet
#       25:smtp
#       110:pop
#       143:imap
#       80:http
#       443:ssl
#
#       Allow icmp packets for diagnostic purposes (ping traceroute)
#       you may wish to leave commented out.
#       $fwcmd add allow icmp from any to any
#
#       Allow required ICMP
        $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
#       Allow DNS traffic from internet to query your DNS (for reverse
#       lookups etc).
        $fwcmd add allow udp from any 53 to $ns1 53
#
#       Allow time update traffic
#       $fwcmd add allow udp from $ntp 123 to $oip 123
#
#       Checks packets against dynamic rule set below.
        $fwcmd add check-state
#
#       Allow any traffic from firewall ip to any going out the
#       external interface
        $fwcmd add allow ip from $oip to any keep-state out via $oif
#
#       Allow any traffic from local network to any passing through the
#       internal interface
        $fwcmd add allow ip from $inwr to any keep-state via $iif
#
#       Deny everything else
        $fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.
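As an added example that is not part of this thread or of the published script: a POSIX sh sanity check for the variable block of an rc.firewall-style ipfw script, run before the ruleset is installed. It encodes the points raised in the reply above: onwr/inwr must be CIDR ranges (a netmask such as 255.255.255.0 is not a range), every address must be a full four-octet dotted quad (inet_aton(3)-style parsing, which ipfw uses, reads a three-part "a.b.c" as a.b.0.c, so "192.168.2/24" is not 192.168.2.0/24), and ns1/ntp must be IP literals, because a hostname in a rule is resolved while the rules are still being loaded, before any rule permitting DNS exists. The function names (is_ipv4, is_cidr, is_netmask, check_fw_vars) and the sample run are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the variable block of an
# rc.firewall-style ipfw script before it is installed at boot. Function
# names and sample values are assumptions made for this example.
#
# Checks encode the points raised in the thread:
#   1. onwr/inwr must be network ranges in CIDR form (a.b.c.d/nn); a netmask
#      such as 255.255.255.0 is not a range.
#   2. Addresses must have four octets. inet_aton(3), which ipfw uses to
#      parse addresses, reads a three-part "a.b.c" as a.b.0.c, so
#      "192.168.2/24" does not mean 192.168.2.0/24.
#   3. ns1 and ntp must be IP literals: ipfw resolves a hostname while the
#      rules are being loaded, before any rule permitting DNS exists.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with four octets in 0..255
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# is_cidr RANGE -> 0 if RANGE is a.b.c.d/nn with nn in 0..32
is_cidr() {
    range=$1
    case "$range" in
        */*) ;;
        *) return 1 ;;
    esac
    net=${range%/*}
    bits=${range#*/}
    is_ipv4 "$net" || return 1
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -le 32 ]
}

# is_netmask VALUE -> 0 if VALUE is a dotted netmask (255.x.x.x) rather than
# a range; this is the mistake in onwr="255.255.255.0"
is_netmask() {
    case "$1" in
        255.*) is_ipv4 "$1" ;;
        *) return 1 ;;
    esac
}

# check_fw_vars OIF ONWR OIP IIF INWR IIP NS1 NTP
# Prints one line per problem and returns the number of problems (0 = sane).
check_fw_vars() {
    oif=$1 onwr=$2 oip=$3 iif=$4 inwr=$5 iip=$6 ns1=$7 ntp=$8
    problems=0

    # Interface names must be the real ones (xl0, xl1), not the template's.
    for var in oif iif; do
        eval val=\$$var
        case "$val" in
            ''|ifx|oifx)
                echo "$var: '$val' is a placeholder, use the real interface name"
                problems=$((problems + 1)) ;;
        esac
    done

    # Ranges: CIDR with four full octets. A netmask is not a range.
    for var in onwr inwr; do
        eval val=\$$var
        if is_netmask "$val"; then
            echo "$var: '$val' is a netmask, not a range; write it as a.b.c.d/nn"
            problems=$((problems + 1))
        elif ! is_cidr "$val"; then
            echo "$var: '$val' is not a.b.c.d/nn (three-part forms are read as a.b.0.d)"
            problems=$((problems + 1))
        fi
    done

    # Single hosts: firewall IPs and the DNS/NTP peers must be dotted quads.
    # ntp may be left empty, since the keep-state rule covers that traffic.
    for var in oip iip ns1 ntp; do
        eval val=\$$var
        if [ -n "$val" ] && ! is_ipv4 "$val"; then
            echo "$var: '$val' is not an IP literal (a hostname is resolved before DNS is allowed)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample run: the values posted in the thread, redacted ones left
# as written. Reports five problems.
if check_fw_vars xl0 255.255.255.0 "my ip" xl1 192.168.2/24 192.168.2.1 \
        "my name server" clock.isc.org; then
    echo "variable block looks sane"
else
    echo "fix the variable block before loading the ruleset"
fi
```

Run it against the values in the variable block before pointing firewall_script at the file; with the posted values it reports onwr, inwr, oip, ns1 and ntp, and with a CIDR onwr, a four-octet inwr and IP literals for the peers it reports nothing and returns 0.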





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message