Date:      Wed, 28 Mar 2001 11:36:10 +0200
From:      "Niekie Myburgh (QData)" <niekie@rcf.co.za>
To:        "'freebsd-isp@freebsd.org'" <freebsd-isp@freebsd.org>
Subject:   Dialin server and IPFW
Message-ID:  <C7F233BFBFFBD211A4370000E220291A1BF419@ntnr2>

I'm busy setting up a dialin server on my network (like an ISP type setup)
to allow selected users to dial in, and access mail, telnet to other Unix
boxes, ftp to those boxes, etc.  Problem is that this dialin box is sitting
directly on my network, and I need to protect the network from possible hack
attempts.

The dialin part works without problems (although my 56K modems only connect
at 33.6 Kb, whereas on RedHat I got 52K on the same machine).  The problem I
have is this:

[Win95] -> [FreeBSD 4.2] -> [ipfw] -> [other network hosts]
10.0.0.2    10.0.0.1:172.27.xxx.xxx    172.27.xxx.xxx

Start the machine with firewall_enabled="YES" and firewall_type="OPEN", and
all works well.  Set firewall_type="CUSTOM", and the following happens:
The modem picks up (Auto-Answer on the modem)
The connection aborts (MS Win 95, in all its wisdom, tells me that the
remote machine is not answering)

Am I blocking getty & ppp from answering as well (is this possible)?

Any suggestions welcome.

Niekie Myburgh
Q-Data Consulting
South-Africa



################################################################################
####### Firewall for Dialup!! ##################################################
################################################################################
[Cc][Uu][Ss][Tt][Oo][Mm])

##### External Interface - Local Network
oif="xl0"
onet="172.27.xxx.0"
omask="255.255.255.0"
oip="172.27.xxx.xxx"

##### Internal Interface - PPP
iif="tun0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

##### DNS Addresses
dns1="172.27.xxx.2"
dns2="172.27.xxx.8"
ntp1=""

#### Stop Spoofing
$fwcmd add 110 deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add 110 deny all from ${onet}:${omask} to any in via ${iif}

#### Stop Private Networks from crossing the Firewall
#### NB: RFC 1918 space is 172.16.0.0/12 (mask 255.240.0.0), which includes the
#### 172.27.xxx LAN itself; the second rule as written only covers 172.16.0.0/16.
#$fwcmd add 120 deny log all from 192.168.0.0:255.255.0.0 to any in recv ${oif}
#$fwcmd add 120 deny log all from 172.16.0.0:255.255.0.0 to any in recv ${oif}
#$fwcmd add 120 deny log all from 10.0.0.0:255.0.0.0 to any in recv ${oif}

#### Enable NAT
${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
 

##### Allow any packet from inside (PPP) to go to outside (network) - NO! Disable.
##### We will customise this in the next section!
##### Admin machine access
$fwcmd add 130 pass tcp from 172.27.xxx.251 to 172.27.xxx.253
# Allow any IP packets to pass on the inside interface - NO!
# NB: "via ${iif}" matches the receive interface as well as the transmit one,
# so this rule also passes forwarded packets that came in on the PPP link;
# rules 131-135 below never get a chance at client-to-LAN traffic.
$fwcmd add 140 pass all from any to any via ${iif}
## Allow established TCP from Outside (Network)
## NB: "to" takes an address, not an interface name; with this rule disabled
## nothing admits the LAN hosts' replies arriving on ${oif} and they hit 65534.
#$fwcmd add 150 pass tcp from any to ${inet}:${imask} in recv ${oif} established

#### The fixed version:
#### NB: ipfw expects an address after "from"; an interface name such as tun0
#### is looked up as a hostname and the rule fails to load, so the PPP network
#### is used here.  The hpxxx/ntxxx names are resolved once, when the rules are
#### loaded at boot, so they must be in /etc/hosts or DNS must already work.
#### Telnet
$fwcmd add 131 pass tcp from ${inet}:${imask} to hpzn1 23 out xmit ${oif}
$fwcmd add 132 pass tcp from ${inet}:${imask} to hpnr1 23 out xmit ${oif}
$fwcmd add 133 pass tcp from ${inet}:${imask} to hpcs1 23 out xmit ${oif}
$fwcmd add 134 pass tcp from ${inet}:${imask} to hpcs2 23 out xmit ${oif}
$fwcmd add 135 pass tcp from ${inet}:${imask} to hpwc1 23 out xmit ${oif}
#### FTP
#$fwcmd add 141 pass tcp from ${inet}:${imask} to hpnr1 21 out xmit ${oif}
#$fwcmd add 142 pass tcp from ${inet}:${imask} to hpzn1 21 out xmit ${oif}
#$fwcmd add 143 pass tcp from ${inet}:${imask} to hpcs1 21 out xmit ${oif}
#$fwcmd add 144 pass tcp from ${inet}:${imask} to hpcs2 21 out xmit ${oif}
#$fwcmd add 145 pass tcp from ${inet}:${imask} to hpwc1 21 out xmit ${oif}
#### MAIL
#$fwcmd add 151 pass tcp from ${inet}:${imask} to ntzn2 25  out xmit ${oif}
#$fwcmd add 152 pass tcp from ${inet}:${imask} to ntnr2 389 out xmit ${oif}
#$fwcmd add 153 pass tcp from ${inet}:${imask} to ntnr2 110 out xmit ${oif}
 
#### Others 
#$fwcmd add 200 pass tcp from any to ${oip} 25
#$fwcmd add 201 pass tcp from any to ${oip} 23
#$fwcmd add 300 pass log tcp from ${inet} to ${oip} 23 in recv ${oif} setup
#$fwcmd add 301 pass log tcp from ${onet} to ${oip} 23 in recv ${oif} setup
#$fwcmd add 350 pass tcp from any to ${oip} 80,443

##### DNS
$fwcmd add 410 pass udp from ${dns1} 53 to any 1024-65535 in recv ${oif}
$fwcmd add 420 pass udp from ${dns2} 53 to any 1024-65535 in recv ${oif}
# NB: the two rules below match on source port 53 alone, from any host to any
# port on the PPP clients, so any TCP or UDP packet sent from port 53 reaches
# them unchecked; 410/420 above already admit replies from the real resolvers.
$fwcmd add 430 pass tcp from any 53 to ${inet}:${imask}
$fwcmd add 430 pass udp from any 53 to ${inet}:${imask}

##### ICMP
$fwcmd add 1000 pass icmp from any to any via ${iif}
$fwcmd add 1000 pass icmp from any to any via ${oif}
$fwcmd add 1010 pass icmp from any to any in recv ${oif} icmptypes 0
$fwcmd add 1010 pass icmp from any to any out xmit ${oif} icmptypes 8

##### Traceroute
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 3
$fwcmd add 1020 pass icmp from any to any in recv ${oif} icmptypes 11

##### Block the rest
$fwcmd add 65532 deny udp from any to any
$fwcmd add 65533 deny icmp from any to any
$fwcmd add 65534 deny log ip from any to any
;;
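
Added example, not code from the original post and not ipfw itself: a small first-match evaluator for the ipfw(8) subset the ruleset above uses (in/out, via/recv/xmit, setup, established, icmptypes, as ipfw(8) for 4.x documents them), so the active rules can be traced against sample packets without loading them into a kernel. The addresses are constructed: the page masks the third octet of 172.27.xxx and uses hostnames, so 172.27.1.0/24, dns1 = .2, dns2 = .8 and hpnr1 = .20 are assumptions, and rule 131 is written with the PPP network (${inet}:${imask}) as its source, since an interface name is not an address to ipfw. The divert/natd rule, the ICMP rules and the commented-out rules are left out.

```python
"""Added example (not from the post, and not ipfw): a first-match evaluator for
the ipfw(8) subset the ruleset above uses, to trace packets through it offline."""
import ipaddress

def parse_addr(tok):  # 'any' -> None; 'a.b.c.d' or 'a.b.c.d:m.m.m.m' -> ip_network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_ports(tok):  # '53', '80,443' or '1024-65535' -> set of port numbers
    ports = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):  # 'add N action [log] proto from src [ports] to dst [ports] opts...'
    t = line.split()
    r = dict(num=int(t[1]), action=t[2], sports=None, dports=None, dir=None, via=None,
             recv=None, xmit=None, setup=False, established=False, icmptypes=None)
    i = 4 if t[3] == "log" else 3
    r["proto"], r["src"], i = t[i], parse_addr(t[i + 2]), i + 3    # t[i + 1] is 'from'
    if t[i][0].isdigit():                                           # optional source ports
        r["sports"], i = parse_ports(t[i]), i + 1
    r["dst"], i = parse_addr(t[i + 1]), i + 2                       # t[i] is 'to'
    if i < len(t) and t[i][0].isdigit():                            # optional dest ports
        r["dports"], i = parse_ports(t[i]), i + 1
    while i < len(t):                                               # qualifiers
        opt, i = t[i], i + 1
        if opt in ("in", "out"):
            r["dir"] = opt
        elif opt in ("via", "recv", "xmit"):
            r[opt], i = t[i], i + 1
        elif opt == "icmptypes":
            r[opt], i = parse_ports(t[i]), i + 1
        elif opt in ("setup", "established"):
            r[opt] = True
        else:
            raise ValueError(f"unsupported keyword {opt!r}: {line}")
    return r

def pkt(proto, src, dst, sport=None, dport=None, direction="in", recv=None, xmit=None,
        flags=(), icmptype=None):
    # One packet at one ipfw hook.  Inbound: only recv is set.  Outbound: xmit is the
    # egress interface, recv the ingress one (None if locally generated); 'via' matches either.
    return dict(proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                sport=sport, dport=dport, dir=direction, recv=recv, xmit=xmit,
                flags=set(flags), icmptype=icmptype)

def matches(r, p):  # every qualifier present in the rule must hold for the packet
    tcp = p["proto"] == "tcp"
    return all([
        r["proto"] in ("ip", "all") or r["proto"] == p["proto"],
        r["src"] is None or p["src"] in r["src"],
        r["dst"] is None or p["dst"] in r["dst"],
        r["sports"] is None or p["sport"] in r["sports"],
        r["dports"] is None or p["dport"] in r["dports"],
        r["dir"] is None or r["dir"] == p["dir"],
        r["via"] is None or r["via"] in (p["recv"], p["xmit"]),
        r["recv"] is None or r["recv"] == p["recv"],
        r["xmit"] is None or r["xmit"] == p["xmit"],
        not r["setup"] or (tcp and "syn" in p["flags"] and "ack" not in p["flags"]),
        not r["established"] or (tcp and bool(p["flags"] & {"ack", "rst"})),
        r["icmptypes"] is None or (p["proto"] == "icmp" and p["icmptype"] in r["icmptypes"]),
    ])

def first_match(rules, p):  # ipfw is first-match; 65535 denies on a default-deny kernel
    for r in sorted(rules, key=lambda r: r["num"]):  # stable: equal numbers keep load order
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

# The post's active IP rules with its variables expanded.  The page masks the third octet
# of 172.27.xxx and uses hostnames, so 172.27.1.0/24, dns1=.2, dns2=.8, hpnr1=.20 are assumed.
RULESET = [parse_rule(l) for l in """
add 110 deny all from 10.0.0.0:255.255.255.0 to any in via xl0
add 110 deny all from 172.27.1.0:255.255.255.0 to any in via tun0
add 130 pass tcp from 172.27.1.251 to 172.27.1.253
add 131 pass tcp from 10.0.0.0:255.255.255.0 to 172.27.1.20 23 out xmit xl0
add 140 pass all from any to any via tun0
add 410 pass udp from 172.27.1.2 53 to any 1024-65535 in recv xl0
add 420 pass udp from 172.27.1.8 53 to any 1024-65535 in recv xl0
add 430 pass tcp from any 53 to 10.0.0.0:255.255.255.0
add 430 pass udp from any 53 to 10.0.0.0:255.255.255.0
add 65532 deny udp from any to any
add 65534 deny log ip from any to any
""".strip().splitlines()]

def trace_telnet_session():  # a PPP client's telnet SYN to hpnr1, and the SYN-ACK back
    c, s = "10.0.0.2", "172.27.1.20"
    hooks = [("syn in tun0", pkt("tcp", c, s, 1025, 23, "in", recv="tun0", flags={"syn"})),
             ("syn out xl0", pkt("tcp", c, s, 1025, 23, "out", recv="tun0", xmit="xl0", flags={"syn"})),
             ("syn-ack in xl0", pkt("tcp", s, c, 23, 1025, "in", recv="xl0", flags={"syn", "ack"}))]
    return [(name,) + first_match(RULESET, p) for name, p in hooks]

def probes():  # single packets arriving on xl0, each exercising one rule
    return {"sport-53 syn to client": first_match(RULESET, pkt("tcp", "172.27.1.99", "10.0.0.2", 53, 23, recv="xl0", flags={"syn"})),
            "lan host spoofing 10.0.0.5": first_match(RULESET, pkt("tcp", "10.0.0.5", "172.27.1.20", 4000, 23, recv="xl0", flags={"syn"})),
            "dns1 reply": first_match(RULESET, pkt("udp", "172.27.1.2", "10.0.0.2", 53, 1234, recv="xl0"))}

if __name__ == "__main__":
    print(*trace_telnet_session(), probes(), sep="\n")
```

Running it, the trace shows the client's SYN passing on tun0 (rule 140) and on xl0 (rule 131), while the server's SYN-ACK arriving on xl0 falls through to the final deny: nothing admits the return direction while rule 150 stays commented out. The probes show the anti-spoofing rule catching a LAN packet with a 10.0.0.x source, a resolver reply passing at 410, and rule 430 passing an unsolicited TCP SYN from source port 53 to a dial-in client. The evaluator only ever sees IP packets; PPP link negotiation (LCP/IPCP) is not IP traffic, and ipfw rules do not act on it.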



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C7F233BFBFFBD211A4370000E220291A1BF419>