Date:      Mon, 8 Apr 1996 17:55:24 +0200 (MET DST)
From:      Andreas Klemm <andreas@knobel.gun.de>
To:        current@freebsd.org
Subject:   rc.firewall has some syntax errors and sample config hangs machine
Message-ID:  <Pine.BSF.3.92.960408170210.210A-100000@knobel.gun.de>

-----BEGIN PGP SIGNED MESSAGE-----

Hi !

I tried to use the example firewall configuration from
/etc/rc.firewall and had some serious problems.

- syntax errors in /etc/rc.firewall
- machine hangs during access to internet and simply reboots

I compiled my kernel with both options:

	option IPFIREWALL
	option IPFIREWALL_VERBOSE

My Ethernet / PPP configuration (on demand dialup ppp):

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 149.237.250.1 netmask 0xffffff00 broadcast 149.237.250.255
	ether 00:00:c0:25:fd:2d
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 192.109.159.141 --> 192.109.159.13 netmask 0xffffff00
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000

At the very beginning of my experiments I used the 1st
example from /etc/rc.firewall :

%-------------------------------------------------------------------------
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open.

# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    /sbin/ipfw add pass all from ${ip} to ${net}:${mask}
    /sbin/ipfw add pass all from ${net}:${mask} to ${ip}

[...and so on....]
%-------------------------------------------------------------------------

When I rebooted my machine and activated PPP over modem with the command
		ppp -auto ondemand
I was completely unable to dial out to the internet. When I tried to do
a 'ping a@b.com' I only got 'unknown host' as a message. Without
the firewall configuration my machine would have dialed up to my
ISP and asked its nameserver, because I use resolver services...

resolv.conf:
domain		gun.de
nameserver	192.109.159.1

After that I changed the configuration to allow everything, to
see if the ipfw and kernel stuff runs at all. I used only those
two lines in /etc/rc.firewall:

/sbin/ipfw add 65000 pass all from any to any
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

With that configuration turned on, everything works fine
again. OK, so I know that I have only a firewall configuration
problem. With that configuration I had no trouble so far...


When trying out the 2nd example firewall configuration from
/etc/rc.firewall I first noticed some syntax errors reported
by ipfw...

Here is the complete log from sh -x rc.firewall:

+ /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
01000 allow all from 127.0.0.1 to 127.0.0.1
+ false
+ true
+ oif=tun0
+ onet=192.109.159.0
+ omask=255.255.255.0
+ oip=192.109.159.141
+ iif=ed0
+ inet=149.237.250.0
+ imask=255.255.255.0
+ iip=149.237.250.1
+ /sbin/ipfw add deny all from 149.237.250.0:255.255.255.0 to any in via tun0
2 via
/sbin/ipfw: ERROR - Unknown argument

Usage:
[... lots of usage messages deleted ...]

+ /sbin/ipfw add deny all from 192.109.159.0:255.255.255.0 to any in via ed0
2 via
/sbin/ipfw: ERROR - Unknown argument

Usage:
[... lots of usage messages deleted ...]

+ /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via tun0
00000 deny all from 192.168.0.0 to any via tun0
+ /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via tun0
00000 deny all from 172.16.0.0 to any via tun0
+ /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via tun0
00000 deny all from 10.0.0.0 to any via tun0
+ /sbin/ipfw add deny tcp from any to any established
00000 deny tcp from any to any established
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 25 setup
00000 allow tcp from any to 192.109.159.141 25 setup
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 53 setup
00000 allow tcp from any to 192.109.159.141 53 setup
+ /sbin/ipfw add pass tcp from any to 192.109.159.141 80 setup
00000 allow tcp from any to 192.109.159.141 80 setup
+ /sbin/ipfw add deny log tcp from any to any in via tun0 setup
3 via
/sbin/ipfw: ERROR - Unknown argument
[... lots of usage messages deleted ...]

+ /sbin/ipfw add pass tcp from any to any setup
00000 allow tcp from any to any setup
+ /sbin/ipfw add pass udp from any 53 to 192.109.159.141
00000 allow udp from any 53 to 192.109.159.141
+ /sbin/ipfw add pass udp from 192.109.159.141 to any 53
00000 allow udp from 192.109.159.141 to any 53
+ /sbin/ipfw add pass udp from any 123 to 192.109.159.141
00000 allow udp from any 123 to 192.109.159.141
+ /sbin/ipfw add pass udp from 192.109.159.141 to any 123
00000 allow udp from 192.109.159.141 to any 123

I could fix the error messages by simply removing the token
"in" from the bogus command line. For example:
Changed this: /sbin/ipfw add deny log tcp from any to any in via tun0 setup
to that     : /sbin/ipfw add deny log tcp from any to any via tun0 setup

The above trace shows you that I changed the IP addresses (I hope)
properly for the firewall configuration. I simply treat my dialup
interface like an ethernet interface to the outside world.

+ oif=tun0
+ onet=192.109.159.0
+ omask=255.255.255.0
+ oip=192.109.159.141

+ iif=ed0
+ inet=149.237.250.0
+ imask=255.255.255.0
+ iip=149.237.250.1

After making the 2nd example run, I tried to ping outside.
My machine dialed up to my ISP's machine. So far so good.
But I was unable to ping a host outside, because permission
for that was denied (the firewall config).

After starting cached and trying to browse the WWW, the machine
simply hangs ... not immediately, after about 1-2 minutes.

This happened 2 times... And here is what the messages file says:

Apr  8 16:53:14 knobel /kernel: IP firewall initialized
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1024 from 192.109.159.141:53
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1025 from 192.109.159.141:53
Apr  8 16:55:35 knobel /kernel: Connection attempt to UDP 192.109.159.141:1026 from 192.109.159.141:53
Apr  8 16:55:59 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1025 192.109.159.3:23
Apr  8 16:56:37 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1029 198.95.249.78:80
Apr  8 16:57:01 knobel /kernel: ipfw: 1800 Deny TCP 192.109.159.141:1050 194.77.8.1:80
Apr  8 17:01:36 knobel /kernel: panic: free: multiple frees
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Apr  8 17:01:36 knobel /kernel:
Apr  8 17:01:36 knobel /kernel: syncing disks... FreeBSD 2.2-CURRENT #0: Mon Apr  8 15:38:06 MET DST 1996
[........ reboot ...........]


One final wish ...

Could someone please check the rc.firewall script, correct the
errors and perhaps provide a better working example for a machine
connected to an ISP via modem?!

Things that should be possible (please correct me if I'm wrong):

outgoing icmp (ping)
outgoing telnet
outgoing rlogin
outgoing smtp messages (optional)
outgoing uucp via tcp/ip
outgoing www requests to www and proxy servers
outgoing DNS queries

incoming icmp (ping)
incoming smtp messages (optional)
incoming www queries to own WWW server
incoming DNS queries


Thanks !!! BTW: the firewall stuff is really cool, ... but
it's horrible to understand each bit and byte ...

One really fine working firewall example in rc.firewall would be
fine...

If you need someone to test a configuration ... here I am ...
In the meantime I'll try to roll a working one myself ...

	Andreas ///

--
andreas@knobel.gun.de         /\/\___      Wiechers & Partner Datentechnik GmbH
   Andreas Klemm          ___/\/\/         $$  Support Unix - aklemm@wup.de  $$
pgp p-key  http://www-swiss.ai.mit.edu/~bal/pks-toplev.html  >>> powered by <<<
ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz  >>>    FreeBSD <<<

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMWk27fMLpmkD/U+FAQG7twP9FYd3b9kwooo90E3A/oANTfJSmpkr6etO
XDyC44E8NOEgN+eS0THoHfiBdXETTHehW1mxiOEoFlA5x4ZnKZJuKsJ2peaCT1Np
RLLGZlGq2+pGKjQp0A710AcWN8qaMnh+U7qcigSko6S9ccB2X3hiBcxj+cME8jI0
pCU6Di6+Cr4=
=hveo
-----END PGP SIGNATURE-----
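An added example, not from the message above and not the rc.firewall shipped with FreeBSD: a ruleset for a single host on an on-demand PPP link that covers the wish list in the message, written only in the ipfw syntax the sh -x trace shows being accepted (plus the standard `icmp` protocol name, which the trace does not exercise). Direction is expressed by putting the link's own address in `from` (outgoing) or `to` (incoming) instead of the `in` keyword this ipfw rejected. That matters for the workaround of just deleting `in`: a `deny log tcp from any to any via tun0 setup` rule with no direction also matches the machine's own outgoing connection attempts, and the `ipfw: 1800 Deny TCP` lines in the messages file do have the machine's tun0 address as source, heading for ports 23 and 80. The interface and addresses are copied from the trace; the rule numbers, the explicit logged catch-all, and the helper names `r`, `dialup_rules`, `lint_rules`, `apply_rules` and `IPFW` are assumptions of this example. By default it only prints the ipfw commands; `IPFW=/sbin/ipfw` loads them.

```shell
#!/bin/sh
# Added example for a single host on an on-demand PPP link; not the rc.firewall
# shipped with FreeBSD and not the poster's configuration.
# Only ipfw syntax that the sh -x trace in the message shows being accepted is used:
#   add N pass|deny [log] all|tcp|udp|icmp from A[:mask] [port] to B[:mask] [port] [via IF] [setup|established]
# Direction is expressed through the link's own address ($oip in "from" = outgoing,
# $oip in "to" = incoming) instead of the "in" keyword that this ipfw rejected.

# Assumed parameters, copied from the trace in the message; adjust for your machine.
oif=tun0                 # dialup interface to the ISP
oip=192.109.159.141      # our address on that link
inet=149.237.250.0       # local ethernet; never a legitimate source on $oif
imask=255.255.255.0

# Where to send the rules: by default only print them (dry run).
# Set IPFW=/sbin/ipfw to load them for real.
IPFW="${IPFW:-echo /sbin/ipfw}"

# One rule per call: r NUMBER ACTION ... prints "add NUMBER ACTION ...".
r() { printf 'add %s\n' "$*"; }

# Emit the ruleset, one "add ..." line per rule, in evaluation order.
dialup_rules() {
    # loopback, and the host talking to its own link address (resolver answers)
    r 1000 pass all from 127.0.0.1 to 127.0.0.1
    r 1010 pass all from "$oip" to "$oip"
    # anti-spoofing on the link: private nets and our own ethernet net must never
    # appear as source on $oif (assumes this host does not forward for the ethernet)
    r 1100 deny all from 192.168.0.0:255.255.0.0 to any via "$oif"
    r 1110 deny all from 172.16.0.0:255.240.0.0 to any via "$oif"
    r 1120 deny all from 10.0.0.0:255.0.0.0 to any via "$oif"
    r 1130 deny all from "${inet}:${imask}" to any via "$oif"
    # incoming connections we offer: smtp, DNS over tcp, our own www server
    r 1200 pass tcp from any to "$oip" 25 setup
    r 1210 pass tcp from any to "$oip" 53 setup
    r 1220 pass tcp from any to "$oip" 80 setup
    # every other incoming connection attempt on the link: deny and log.
    # "to $oip" keeps this from matching our own outgoing SYNs, which a bare
    # "via $oif setup" rule would also deny.
    r 1800 deny log tcp from any to "$oip" via "$oif" setup
    # outgoing telnet, rlogin, smtp, uucp, www and proxy: any connection we start,
    # plus the remainder of every established TCP stream
    r 1900 pass tcp from "$oip" to any setup
    r 1910 pass tcp from any to any established
    # DNS and NTP over udp, both directions
    r 2000 pass udp from "$oip" to any 53
    r 2010 pass udp from any 53 to "$oip"
    r 2020 pass udp from "$oip" to any 123
    r 2030 pass udp from any 123 to "$oip"
    # ping in and out (incoming and outgoing icmp from the wish list)
    r 2100 pass icmp from any to any
    # explicit, logged catch-all instead of the silent kernel default
    r 65000 deny log all from any to any
}

# Return 1 if any rule contains the "in via" sequence the trace shows ipfw rejecting.
lint_rules() {
    if dialup_rules | grep -q ' in via '; then
        echo "rule uses 'in via', which this ipfw does not accept" >&2
        return 1
    fi
    return 0
}

# Feed each rule to $IPFW (word-splitting of both variables is intended:
# every word becomes one argument to ipfw).
apply_rules() {
    lint_rules || return 1
    dialup_rules | while read -r rule; do
        $IPFW $rule
    done
}

apply_rules
```

Rule 1800 is the one to compare with the trace: with `to "$oip"` it rejects only connection attempts arriving for this host, while outgoing attempts fall through to rule 1900, so ping, telnet and www from the machine still work once the PPP link is up.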



