Date: Fri, 14 Apr 2000 21:07:40 +0200 From: Marc Silver <marcs@draenor.org> To: freebsd-doc@freebsd.org Subject: ipfw and nat over ppp documentation Message-ID: <20000414210740.U19472@draenor.org>
Hey there,

I have written the following documentation on how to set up ipfw over a ppp connection. I hope this is the right place to submit it, but if not, please let me know. A copy of this (for better viewing) is at http://draenor.org/ipfw

Something like this is missing from the FAQ and handbook (or if it's there I certainly missed it), so perhaps it could be included with a bit of work??

Thanks,
Marc


IPFW and NATD over a dynamically assigned IP over PPP connection
================================================================

This page serves to document how to set up a firewall using a PPP dialup with FreeBSD and IPFW. If there are any problems with this page, please email me. The page was simply created as a reference for users who need more information than that provided in the handbook. It deals specifically with firewalling over a dialup.

The first thing you'll need to do is recompile your kernel in FreeBSD. If you need more information on how to recompile the kernel, then the best place to start is http://www.freebsd.org/handbook/kernelconfig.html. You need to compile the following options into the kernel:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

IPFIREWALL               <--> tells the kernel that you want to enable IP firewalling.
IPFIREWALL_VERBOSE       <--> tells the kernel that you want packets matching rules with the "log" keyword to be logged.
IPFIREWALL_VERBOSE_LIMIT <--> specifies how many times a single rule may log before ipfw stops logging for that rule (the per-rule counter is cleared with "ipfw resetlog").
IPDIVERT                 <--> this is required in order to divert packets to natd.

Don't reboot once you have recompiled the kernel. A kernel built with IPFIREWALL (and without IPFIREWALL_DEFAULT_TO_ACCEPT) denies all IP traffic until a ruleset is loaded, so if you reboot now, before the rules below are in place, the machine will come up with no network at all. Hopefully we will need to reboot just once in order to complete the installation of the firewall.

We now need to make some changes to /etc/rc.conf in order to tell it about the firewall. Simply add the following lines:

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="NO"
ppp_profile="YOURPROFILE"

For more information on what the above do, take a look at /etc/defaults/rc.conf. Make sure to change the ppp_profile name to match your profile in /etc/ppp/ppp.conf. natd_flags="-dynamic" tells natd to follow the address of tun0 as it changes from one dialup to the next, and ppp_nat="NO" keeps ppp's own built-in NAT switched off so that natd does the translation.

We're nearly done now. All that remains is to define the firewall rules; then we can reboot and the firewall should be up and running.

I realise that everyone will want something slightly different when it comes to their rulebase. What I've tried to do is write a rulebase that suits most dialup users. You can obviously modify it to your needs by simply using the following rules as the foundation for your own rulebase. Please note that the following, while I've tested it rather extensively, may not be the most perfect rulebase. :)

First, let's start with the basics of firewalling. What you want to do is deny everything by default and then only open up the things you really need. ipfw checks rules in numeric order and acts on the first one that matches, so the rules should be in the order of allow first and then deny: add the rules for your allows, and then a final rule denies everything else. :)

Now, let's make the dir /etc/firewall. Change into the directory and edit the file fwrules, as we specified in rc.conf. Please note that you can change this filename to anything you wish; this guide just gives an example of a filename.

Now, let's look at a sample firewall file, and we'll detail everything in it.

<-------------------- Start Here ------------------->
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
#
# Rules added without an explicit number are numbered by ipfw in steps
# of 100, in the order given here, which is also the order in which
# they are checked.

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
#
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
#
$fwcmd -f flush

# Divert all packets on the tunnel interface to natd. This must come
# before any rule that looks at tun0, so that inbound packets are
# translated back to the LAN address before they are checked, and
# outbound packets from the LAN are translated before they leave.
#
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost. Replace fxp0
# with the name of your own LAN interface.
#
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0

# Allow all TCP connections that I (or the hosts behind natd) initiate.
#
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
#
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh and apache. Remove the line for any service you do not run.
#
$fwcmd add pass log tcp from any to any 80 setup
$fwcmd add pass log tcp from any to any 22 setup

# This sends a RESET to all ident packets, so mail and IRC servers that
# try an ident lookup get an immediate answer instead of waiting for a
# timeout.
#
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers. Replace
# x.x.x.x with the addresses of your ISP's name servers.
#
$fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
$fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0

# Allow them back in with the answers... :)
#
$fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
$fwcmd add allow udp from x.x.x.x 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
# Note that traceroute run from this machine sends UDP probes by
# default, which the final deny rule below drops; use traceroute -I
# (ICMP probes) or add a rule for it. Numbered so that it sits just
# ahead of the final deny rule.
#
$fwcmd add 65434 allow icmp from any to any

# Deny all the rest. 65435 keeps this just ahead of the kernel's own
# default rule, 65535.
#
$fwcmd add 65435 deny log ip from any to any
<-------------------- End Here ------------------->

You now have a fully functional firewall that will allow connections in to ports 80 and 22 and will log any other connection attempts (they appear in /var/log/security as "ipfw: 65435 Deny ..." lines). Now you should be able to safely reboot, and your firewall should come up fine.

If you find this incorrect in any way or experience any problems, or have any suggestions to improve this page, please email me.
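The final rule logs every packet it denies, and the following is an added example (mine, not part of Marc's page) of how to make use of those log lines: two POSIX sh functions that summarise the Deny entries in /var/log/security by protocol and destination port, and list which hosts were hitting a given port. The log line layout assumed is that of FreeBSD 4.x ipfw ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <if>", with ICMP shown as "ICMP:<type>.<code>" and no ports); the lines written by make_sample_log are constructed for the example and are not real traffic.

```shell
#!/bin/sh
# Added example: summarise ipfw "Deny" log entries. Not part of the
# original page. Assumes the FreeBSD 4.x ipfw log line layout:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <if>
# ICMP entries carry "ICMP:<type>.<code>" and bare addresses without ports.

# denied_by_port LOGFILE
# Prints "count proto dport" for every denied proto/port seen, most hit first.
# Ports are taken from the destination field; "-" means no port (ICMP).
denied_by_port() {
  awk '
    /ipfw: [0-9]+ Deny/ {
      # locate the "Deny" field; proto, src and dst follow it in that order
      for (i = 1; i <= NF; i++) if ($i == "Deny") break
      proto = $(i + 1)
      n = split($(i + 3), d, ":")
      port = (n > 1) ? d[n] : "-"
      count[proto " " port]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -rn
}

# denied_sources LOGFILE PROTO PORT
# Prints "count srchost" for each source that was denied on PROTO/PORT,
# e.g. denied_sources /var/log/security TCP 23
denied_sources() {
  awk -v proto="$2" -v port="$3" '
    /ipfw: [0-9]+ Deny/ {
      for (i = 1; i <= NF; i++) if ($i == "Deny") break
      if ($(i + 1) != proto) next
      split($(i + 3), d, ":")
      if (d[2] != port) next
      split($(i + 2), s, ":")
      src[s[1]]++
    }
    END { for (h in src) print src[h], h }
  ' "$1" | sort -rn
}

# make_sample_log FILE
# Writes a constructed sample of what /var/log/security would contain
# (addresses are documentation ranges; the Accept line comes from the
# "pass log" rule for ssh and must be ignored by the summaries).
make_sample_log() {
  cat > "$1" <<'EOF'
Apr 14 21:07:40 draenor /kernel: ipfw: 65435 Deny TCP 203.0.113.7:4321 198.51.100.9:23 in via tun0
Apr 14 21:08:02 draenor /kernel: ipfw: 65435 Deny TCP 203.0.113.7:4322 198.51.100.9:23 in via tun0
Apr 14 21:08:15 draenor /kernel: ipfw: 65435 Deny TCP 192.0.2.44:1055 198.51.100.9:23 in via tun0
Apr 14 21:09:01 draenor /kernel: ipfw: 65435 Deny UDP 192.0.2.44:1056 198.51.100.9:137 in via tun0
Apr 14 21:09:30 draenor /kernel: ipfw: 65435 Deny ICMP:8.0 203.0.113.7 198.51.100.9 in via tun0
Apr 14 21:10:00 draenor /kernel: ipfw: 700 Accept TCP 192.0.2.53:2201 198.51.100.9:22 in via tun0
EOF
}

# Usage on a live system:
#   denied_by_port /var/log/security
#   denied_sources /var/log/security TCP 23
```

Run against the sample, denied_by_port reports three telnet attempts ("3 TCP 23"), one NetBIOS probe and one ICMP echo request, and denied_sources shows that two of the telnet attempts came from the same host; the Accept line is left out because only Deny entries are counted. Remember that with IPFIREWALL_VERBOSE_LIMIT=100 the deny rule stops logging after 100 entries, so counts from a long-running system are a lower bound unless the counter has been reset.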