From owner-freebsd-questions Sun Jan 7 13:55:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from sm8.texas.rr.com (sm8.texas.rr.com [24.93.35.220]) by hub.freebsd.org (Postfix) with ESMTP id A2FF037B400 for ; Sun, 7 Jan 2001 13:55:30 -0800 (PST)
Received: from satx.rr.com (cs160144-62.satx.rr.com [24.160.144.62]) by sm8.texas.rr.com (8.11.0/8.11.1) with ESMTP id f07Llhs14868 for ; Sun, 7 Jan 2001 15:47:43 -0600
Message-ID: <3A58E5D1.69A6D302@satx.rr.com>
Date: Sun, 07 Jan 2001 15:55:29 -0600
From: blaz
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: firewall problems
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

greetings,

I added the following to my kernel and rebuilt:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

then I added to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"      # my NIC connected to cable modem
natd_flags="-dynamic"
firewall_script="/etc/rc.firewall.new"

then my rc.firewall.new script is where I am getting confused.. not with the rules, but the variables I need to supply:

#Define your variables
#
fwcmd="/sbin/ipfw"    #leave as is if using ipfw
oif="oifx"            #set to outside interface name
onwr="a.b.c.d/24"     #set to outside network range
oip="a.b.c.d"         #set to outside ip address
iif="ifx"             #set to internal interface name
inwr="x.y.z.x/24"     #set to internal network range
iip="x.y.z.x"         #set to internal ip address
ns1="e.f.g.h"         #set to primary name server best if = oif
#ntp="i.j.k.l"        #set to ip of NTP server or leave as is

below is what I supplied, and when I try to ping the local network I get TCP/IP denied.. it's blocking the packets and I don't think it's the rules, but the interface information. I will supply the rules at the end, in case it is -- I am going by an article I read on bsdtoday.com.. anyway here is what I supplied:

fwcmd="/sbin/ipfw"       #leave as is if using ipfw
oif="xl0"                #set to outside interface name
onwr="255.255.255.0"     #set to outside network range  -- I am not sure about this..
oip="my ip"              #set to outside ip address  -- I use DHCP, but supplied current IP; this has to be wrong
iif="xl1"                #set to internal interface name
inwr="192.168.2/24"      #set to internal network range
iip="192.168.2.1"        #set to internal ip address
ns1="my name server"     #set to primary name server best if = oif
ntp="clock.isc.org"      #set to ip of NTP server or leave as is

I know I must have this screwed up :) but here are my rules in case it's not:

# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow tcp from any to $oip 22 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh enabled by default.
# 21:ftp
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any 53 to $ns1 53
#
# Allow time update traffic
#
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
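The question above is how to fill in oip and onwr for a DHCP-assigned outside interface. As an added example (not from the message or the bsdtoday article), the sh functions below derive both values from ifconfig(8)-style output instead of hand-typing them; they assume FreeBSD ifconfig's "inet A.B.C.D netmask 0xHHHHHHHH" line format and use a constructed sample in place of a real `ifconfig xl0` call.

```shell
#!/bin/sh
# Added example: derive oip/onwr for a DHCP-assigned outside interface from
# ifconfig(8)-style output. Assumes FreeBSD ifconfig's
# "inet A.B.C.D netmask 0xHHHHHHHH" line format.
# SAMPLE_IFCONFIG is a constructed stand-in for `ifconfig xl0` output.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.77 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01'

# iface_ip TEXT: first IPv4 address on an "inet" line.
iface_ip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# iface_mask TEXT: the hex netmask following "netmask" on the "inet" line.
iface_mask() {
    printf '%s\n' "$1" | awk '$1 == "inet" {
        for (i = 1; i <= NF; i++) if ($i == "netmask") { print $(i + 1); exit } }'
}

# mask_prefix_len 0xffffff00 -> 24: count contiguous set bits from the top.
mask_prefix_len() {
    mpl_m=$(($1)); mpl_n=0; mpl_bit=2147483648   # 0x80000000
    while [ "$mpl_n" -lt 32 ] && [ $((mpl_m & mpl_bit)) -ne 0 ]; do
        mpl_n=$((mpl_n + 1)); mpl_bit=$((mpl_bit / 2))
    done
    echo "$mpl_n"
}

# network_range IP HEXMASK -> "A.B.C.0/len", the addr/masklen form $onwr needs.
network_range() {
    nr_mask=$2; nr_m=$((nr_mask))
    nr_saved_ifs=$IFS; IFS=.; set -- $1; IFS=$nr_saved_ifs   # $1..$4 = octets
    nr_n=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & nr_m ))
    printf '%d.%d.%d.%d/%d\n' $(( (nr_n >> 24) & 255 )) $(( (nr_n >> 16) & 255 )) \
        $(( (nr_n >> 8) & 255 )) $(( nr_n & 255 )) "$(mask_prefix_len "$nr_mask")"
}

# firewall_vars TEXT: print the two assignments for the rc.firewall.new
# variable block; on a live host pass "$(ifconfig xl0)" instead of the sample.
firewall_vars() {
    fv_ip=$(iface_ip "$1"); fv_mask=$(iface_mask "$1")
    printf 'oip="%s"\nonwr="%s"\n' "$fv_ip" "$(network_range "$fv_ip" "$fv_mask")"
}

firewall_vars "$SAMPLE_IFCONFIG"
```

Because the lease can change, the firewall script should be re-run whenever DHCP renews to a new address; an oip pinned by hand goes stale and the keep-state rule for $oip then no longer matches the host's own traffic.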