Date: Mon, 8 Jan 2001 15:06:41 -0800
From: "Peter Brezny" <peter@sysadmin-inc.com>
To: "'blaz'" <blaz@satx.rr.com>
Cc: <freebsd-ipfw@freebsd.org>
Subject: RE: firewall/nat problems
Message-ID: <003301c079c7$aa486d60$46010a0a@sysadmininc.com>
In-Reply-To: <3A57FDDE.6B2D24C3@satx.rr.com>
Your onwr= should be equal to the network range provided by your ISP. It
should look very similar to your inwr= line, which you have correctly
specified. If you only have one IP (for instance a cable modem), just put
in the IP and leave off the '/24' etc., or put in '/30'. That should do it.

Also, you don't need the NTP server line. Since your system will be
initiating the request to the time server, a keep-state rule will be
created for this connection in the second line above the default deny rule
in your ruleset (this is an error in the script that I published, sorry
about that, I'll make a note of it today). Leaving your allow rule in for
the time server will actually cause problems, since your system will try
to resolve the name before the firewall has reached the lines that allow
such requests.

I hope this helps.

Peter Brezny
SysAdmin Services Inc.

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of blaz
Sent: Saturday, January 06, 2001 9:26 PM
To: freebsd-ipfw@FreeBSD.ORG
Subject: firewall/nat problems

Greetings,

I added the following to my kernel and rebuilt:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

Then I added to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"        # my NIC connected to cable modem
natd_flags="-dynamic"
firewall_script="/etc/rc.firewall.new"

Then my rc.firewall.new script is where I am getting confused, not with
the rules, but with the variables I need to supply:

#Define your variables
#
fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.d/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address
iif="ifx"               #set to internal interface name
inwr="x.y.z.x/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address
ns1="e.f.g.h"           #set to primary name server best if = oif
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is

Below is what I supplied, and when I try to ping the local network I get
TCP/IP denied. It's blocking the packets, and I don't think it's the
rules, but the interface information. I will supply the rules at the end,
in case it is. I am going by an article I read on bsdtoday.com. Anyway,
here is what I supplied:

fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="xl0"               #set to outside interface name
onwr="255.255.255.0"    #set to outside network range (I am not sure about this..)
oip="my ip"             #set to outside ip address (I use DHCP, but supplied
                        # the current IP; this has to be wrong)
iif="xl1"               #set to internal interface name
inwr="192.168.2/24"     #set to internal network range
iip="192.168.2.1"       #set to internal ip address
ns1="my name server"    #set to primary name server best if = oif
ntp="clock.isc.org"     #set to ip of NTP server or leave as is

I know I must have this screwed up :) but here are my rules in case it's
not:

# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loopback to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
#
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
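The thread turns on two variables, onwr= and oip=, that were filled in with a netmask and a DHCP lease, plus an ntp= that holds a hostname ipfw would have to resolve while the rules load. The following POSIX sh helper is an added example, not code from either poster or from the bsdtoday article: it derives the network range (the onwr= value) from an address and netmask, rejects hostnames where an IP literal is expected, and prints the two anti-spoofing rules the posted script builds from inwr/oif/iif. The function names are hypothetical and the addresses are constructed; on a FreeBSD box you would feed it the inet and netmask fields from ifconfig (the netmask is printed in hex there and needs converting first).

```shell
#!/bin/sh
# Added example, not part of the original thread. Function names are
# hypothetical; the addresses below are constructed for illustration.

# is_ipv4_literal a.b.c.d -> 0 if four dotted-decimal octets 0-255, else 1.
# ipfw resolves names when a rule is loaded, so a hostname such as
# clock.isc.org in an early rule needs DNS that later rules may not allow yet.
is_ipv4_literal() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# mask_to_prefix 255.255.255.0 -> 24; fails on non-contiguous masks.
mask_to_prefix() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    _bits=0; _ended=0
    for _o in "$@"; do
        case $_o in
            255) _n=8 ;; 254) _n=7 ;; 252) _n=6 ;; 248) _n=5 ;;
            240) _n=4 ;; 224) _n=3 ;; 192) _n=2 ;; 128) _n=1 ;;
            0)   _n=0 ;; *) return 1 ;;
        esac
        # once an octet is not all-ones, every later octet must be zero
        if [ $_ended -eq 1 ] && [ $_n -ne 0 ]; then return 1; fi
        [ $_n -eq 8 ] || _ended=1
        _bits=$((_bits + _n))
    done
    echo $_bits
}

# network_range a.b.c.d m.m.m.m -> network/prefix, i.e. the value for onwr=.
# A 255.255.255.255 mask yields a.b.c.d/32, the single-address case.
network_range() {
    is_ipv4_literal "$1" || return 1
    _prefix=$(mask_to_prefix "$2") || return 1
    _oldifs=$IFS; IFS=.; set -- $1 $2; IFS=$_oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$_prefix"
}

# antispoof_rules iif inwr oif onwr -> the two anti-spoofing lines from the
# posted script with the ranges substituted, one rule per line on stdout.
antispoof_rules() {
    printf '%s\n' \
        "add deny log ip from $2 to any in via $3" \
        "add deny log ip from not $2 to any in via $1"
}

# Constructed values standing in for a cable-modem lease and a LAN.
oip=24.120.33.77
onwr=$(network_range "$oip" 255.255.255.0)         # 24.120.33.0/24
inwr=$(network_range 192.168.2.1 255.255.255.0)    # 192.168.2.0/24
echo "oip=$oip onwr=$onwr inwr=$inwr"
antispoof_rules xl1 "$inwr" xl0 "$onwr"
is_ipv4_literal clock.isc.org || echo "ntp= holds a hostname; use an IP or drop the rule"
```

Because the lease can change, a script like this belongs in the firewall script itself (or a dhclient exit hook) so that onwr= and oip= are recomputed on every reload rather than pasted in once.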