Date:      Wed, 1 Mar 2000 11:23:51 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Yves Berthiaume <yves@radicaux-libres.qc.ca>
Cc:        cjclark@home.com, Bhishan Hemrajani <bhishan@cytosine.dhs.org>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Problem with IP aliasing
Message-ID:  <20000301112351.A37590@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <v02130501b4e2e4d20327@[192.168.0.3]>; from yves@radicaux-libres.qc.ca on Wed, Mar 01, 2000 at 10:41:04AM -0500
References:  <v02130501b4e2e4d20327@[192.168.0.3]>

On Wed, Mar 01, 2000 at 10:41:04AM -0500, Yves Berthiaume wrote:
> At 12:26 AM 3/1/00, Crist J. Clark wrote:
> 
> >> Also, you should be starting natd like this:
> >> natd -n xl1
> >
> >If he is using the stock rc.firewall, he is fine if he has,
> >
> >  natd_enable="YES"
> >  natd_interface="xl1"
> >
> >Set in his rc.conf.
> 
> Here's my rc.conf file
> 
> # -- sysinstall generated deltas -- #
> ifconfig_xl0="inet 192.168.1.1  netmask 255.255.255.0"
> ifconfig_xl1="inet 207.236.242.12 netmask 255.255.255.240"
> ifconfig_xl1_alias0="inet 207.236.242.5 netmask 0xffffffff0"
                                                  ^^^^^^^^^^^
Still needs to be fixed. Should be 0xffffffff or 255.255.255.255.

[snip]

The rest looked fine.

> Here's my rc.firewall file. Take note that I'm taking over somebody else's
> job and He made some very strange setting especially the UDP section... And
> most of it is undocumented.

OK, I am not going to go in depth about some of the odd rules below,
but what you are definitely missing that is usually in rc.firewall is
the divert rule needed to make natd work. It usually looks something
like,

  ############
  # These rules are required for using natd.  All packets are passed to
  # natd before they encounter your remaining rules.  The firewall rules
  # will then be run again on each packet after translation by natd,
  # minus any divert rules (see natd(8)).
  if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
          $fwcmd add 201 divert natd all from any to any via ${natd_interface}
  fi

Is that actually done somewhere else in your setup? If not, natd should
not work at all from boot up.

> Also I'm not using named or ntp on this server... So far it hasn't been a
> problem.
> 
>  ############
>     # This is a prototype setup for a simple firewall.  Configure this machine
>     # as a named server and ntp server, and point all the machines on the insi$
>     # at this machine for those services.
>     ############
> 
>     # set these to your outside interface network and netmask and ip
>     oif="xl1"
>     onet="207.236.242.0"
>     omask="255.255.255.240"
>     oip="207.236.242.12"
> 
>     # set these to your inside interface network and netmask and ip
>     iif="xl0"
>     inet="192.168.1.0"
>     imask="255.255.255.0"
>     iip="192.168.1.1"
> 
>     # Deactivate firewall and let all traffic through for internal interface
>     $fwcmd add pass all from any to any in via ${iif}
> 
>     # Allow all internal traffic
> 
>     $fwcmd add pass all from ${inet}:${imask} to any
>     $fwcmd add pass all from any to ${inet}:${imask}
>     $fwcmd add pass all from ${oip} to any
> 
>     # UDP Section
> 
>     # Deny external netbios connections
>     $fwcmd -q add deny udp from any 137 to any in via ${oif}
>     $fwcmd -q add deny udp from any to any 137 in via ${oif}
> 
>     # allow all udp inside or outside
>     $fwcmd -q add pass udp from any to any
> 
>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
>     # Allow TCP through if setup succeeded
>     $fwcmd add pass tcp from any to any established
> 
>     # Allow setup of ftp
>     $fwcmd add pass tcp from any to ${oip} 20 setup
>     $fwcmd add pass tcp from any to ${oip} 21 setup
> 
>     # Allow setup of ssh
>     $fwcmd add pass tcp from any to ${oip} 22 setup
> 
>     #Allow incoming POP3 connections
>     $fwcmd add pass tcp from any to any 110 setup
> 
>     # Allow setup of incoming email
>     $fwcmd add pass tcp from any to ${oip} 25 setup
> 
>     # Allow access to our DNS
>     $fwcmd add pass tcp from any to ${oip} 53 setup
> 
>     # Allow access to our WWW
>     $fwcmd add pass tcp from any to ${oip} 80 setup
> 
>     # Allow access to HTTPS
>     $fwcmd add pass tcp from any to ${oip} 443 setup
> 
>     # Allow access to webmin
>     $fwcmd add pass tcp from any to ${oip} 10000 setup
> 
>     # allow misc remote ftp daemons to setup receiving ports
>     $fwcmd -q add pass tcp from any to any 1024-4099 setup
>     $fwcmd -q add pass tcp from any to any 40000-44999 setup
> 
>     # Everything else is denied as default.
> 
> _______________________________________________
> Radicaux Libres                                   Solutions technologiques
> Yves Berthiaume                                            4644 Parthenais
> T:514.529.0989                                           Montreal, Quebec
> F:514.529.4633                                                     H2H 2G7
> 

-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
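The two points the reply makes, the bad alias netmask and the missing divert rule, can both be checked in a dry run before touching a live firewall. The script below is an added example and is not code from the thread or from FreeBSD's rc.firewall: it points `$fwcmd` at a shell function that records rules instead of calling /sbin/ipfw, builds a small constructed subset of the posted ruleset with the stock divert condition in front of it, and checks that the divert rule exists and precedes the first pass rule. The function names (`check_alias_mask`, `record_rule`, `build_rules`, `divert_before_pass`) and the reduced rule list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a dry run of an rc.firewall-style
# script that checks the two points raised in the reply, without ever
# invoking /sbin/ipfw. Assumptions: the rule subset below is constructed
# for illustration and $fwcmd is pointed at a shell function that records
# rules instead of loading them.

# rc.conf values as posted, with the alias netmask corrected to 0xffffffff.
natd_enable="YES"
natd_interface="xl1"
ifconfig_xl1_alias0="inet 207.236.242.5 netmask 0xffffffff"

# Returns 0 when an ifconfig_*_alias* value uses a host mask, which for an
# alias on the same subnet must be 0xffffffff or 255.255.255.255.
check_alias_mask() {
    case "$1" in
        *"netmask 0xffffffff") return 0 ;;
        *"netmask 255.255.255.255") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-in for /sbin/ipfw: append the rule to $RULES, one per line.
RULES=""
record_rule() {
    RULES="${RULES}$*
"
}
fwcmd="record_rule"

# A reduced rc.firewall body. The divert rule is conditioned exactly as the
# stock script does it and must come before any pass rule, since ipfw
# evaluates rules in ascending order and stops at the first pass or deny.
build_rules() {
    RULES=""
    oip="207.236.242.12"
    if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add 201 divert natd all from any to any via ${natd_interface}
    fi
    $fwcmd add pass tcp from any to any established
    $fwcmd add pass tcp from any to ${oip} 22 setup
    $fwcmd add pass tcp from any to ${oip} 25 setup
    $fwcmd add deny all from any to any
    printf '%s' "$RULES"
}

# Returns 0 when a "divert natd" rule exists and precedes the first pass
# rule; returns 1 if the rule is missing, which is what happens with
# natd_enable set to anything other than YES.
divert_before_pass() {
    build_rules | awk '
        /divert natd/ && !d { d = NR }
        / pass / && !p { p = NR }
        END { exit !(d && p && d < p) }'
}

# Usage: run the checks and print the generated ruleset.
check_alias_mask "$ifconfig_xl1_alias0" && echo "alias mask ok"
divert_before_pass && echo "divert rule precedes pass rules"
build_rules
```

Setting `natd_enable` to anything but YES makes `divert_before_pass` fail, which is the boot-time state the reply describes: rc.firewall never loads rule 201, so no packet is handed to natd and translation silently does nothing.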




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000301112351.A37590>