Date:      Fri, 08 May 1998 04:30:11 GMT
From:      jak@cetlink.net (John Kelly)
To:        Slyce <slyce@onramp.net>
Cc:        FreeBSD Questions <questions@FreeBSD.ORG>
Subject:   sample ip-up and ip-down scripts, firewall, IPFW, NATD
Message-ID:  <3553820c.230163860@mail.cetlink.net>
In-Reply-To: <3551E7BB.A9452172@onramp.net>
References:  <3551E7BB.A9452172@onramp.net>

On Thu, 07 May 1998 11:56:27 -0500, Slyce <slyce@onramp.net> wrote:

> scripts to start and stop kernel ppp sessions to local isp's???

OOPS!  Hit the send button too quick last time.  Let's try again.

The following includes support for a firewall/NATD setup.  It took a
long time to iron out all the details, BTW.  I wish someone had posted
something similar when I started out -- it would have saved me a lot
of time.


/etc/ppp/pap-secrets

> bozotheclown        bigtimeisp         password


/etc/ppp/options

> crtscts
> nobsdcomp
> nopredictor1
> asyncmap 00000000
> lcp-max-configure 5


/etc/ppp/ispstart

> #!/bin/sh
> # Bring up the ISP link.  Steps: reset ipfw to a single pass-all rule,
> # start a fresh ppp log, then run pppd.  The real rule set is installed
> # by /etc/ppp/ip-up2 once the link is up; that script also deletes the
> # temporary rule 65000 added here.

> # Clear firewall rules
> # NOTE(review): between this point and ip-up the host is unfiltered
> # (rule 65000 passes everything); presumably acceptable because the
> # outside interface is not up yet -- confirm for your setup.
> fwcmd="/sbin/ipfw -q"
> $fwcmd -f flush
> $fwcmd add 65000 pass all from any to any

> # Clear ppp log (truncate; the file keeps its owner/mode)
> cp /dev/null /var/log/ppp.log

> # Fire it up
> # persist/holdoff 65: pppd keeps redialing after a drop, waiting 65s
> # between attempts; defaultroute: the link becomes the default route.
> # The chat script in /etc/ppp/ispchat does the dialing; remotename/name
> # must match the entry in /etc/ppp/pap-secrets.
> pppd /dev/cuaa0 115200 persist holdoff 65 defaultroute \
>   connect /etc/ppp/ispchat remotename bigtimeisp name bozotheclown


/etc/ppp/ispchat    (for 3Com Impact IQ external ISDN)

> # Chat script that pppd runs through the "connect" option in
> # /etc/ppp/ispstart.  -v logs the exchange, -t 5 is the default expect
> # timeout, and each ABORT string ends the dial when the device replies
> # with it.  The second AT line sets S-registers on the 3Com Impact IQ
> # (values as used by the author; check your own device's manual).
> # TIMEOUT 20 lengthens only the wait for CONNECT after dialing.
> # 555-5555 is a placeholder -- put your ISP's number there.
> chat -v -t 5 \
>   ABORT 'ERROR' ABORT 'NO DIALTONE' ABORT 'BUSY' \
>   ABORT 'NO ANSWER' ABORT 'NO CARRIER' \
>   '' 'AT&F' OK 'AT S60=64 S61=2 S70=0 S71=1 S76=0 S80=0' \
>   OK 'ATD 555-5555' TIMEOUT 20 CONNECT '\c' '\r'


/etc/ppp/ip-up      (Stub, in case other lines are used for PPPD dial-in)

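> #!/bin/sh
> # pppd runs /etc/ppp/ip-up for every link that comes up.  Only the link
> # on /dev/cuaa0 (the ISP line started by /etc/ppp/ispstart) gets the
> # firewall/NATD setup, so hand off to ip-up2 for that device and do
> # nothing for any other line.
> # $2 is the tty device as passed by pppd; all arguments are forwarded
> # to ip-up2 unchanged.
>
> # Quoting "$2" keeps the test valid when it is empty, and "$@" passes
> # each argument through as one word (unquoted $* would re-split them).
> if [ "$2" = "/dev/cuaa0" ]; then
>   exec /etc/ppp/ip-up2 "$@"
> fi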


/etc/ppp/ip-up2     (Set up firewall rules and start NATD last)

> #!/bin/sh
> # Run by /etc/ppp/ip-up for the /dev/cuaa0 link: builds the ipfw rule
> # set for the outside interface, removes the pass-all rule 65000 left
> # by /etc/ppp/ispstart, then adds the natd divert rule and starts natd.
> # Arguments come from pppd: this script uses $1 as the interface name
> # (oif) and $4 as the outside address (oip).  Each rule is added with
> # its own "ipfw add"; ipfw evaluates rules in ascending number order,
> # so the numbers, not the order of the commands below, decide matching.
> # fwcmd="/sbin/ipfw -q"
> fwcmd="/sbin/ipfw"    # no -q, so every rule is printed as it is added

> # set these to your outside interface, network, netmask, and ip
> oif=$1
> onet=$4     # same value as oip, not a network; unused below, kept as is
> omask=" you-figure-it-out "
> oip=$4

> # if you have a registered subnet, set these to your *registered*
> # inside network, netmask, and ip.  If not, delete the firewall rules
> # (below) which reference them.
> rinet=" you-figure-it-out "
> rimask=" you-figure-it-out "
> riip=" you-figure-it-out "

> # set these to your unregistered inside network, netmask, and ip
> uinet=" you-figure-it-out "
> uimask=" you-figure-it-out "
> uiip=" you-figure-it-out "

> # Loopback but no spoofers
> $fwcmd add 1110 pass all from any to any via lo0
> $fwcmd add 1120 deny all from 127.0.0.0/8 to 127.0.0.0/8

> # Other spoofing
> # NOTE(review): 1210 (and 3310/3312 below) name ppp0 and ed0 literally,
> # while the link's interface arrives in $1 (oif).  If pppd assigns a
> # different unit these rules will not match -- confirm, or use ${oif}.
> $fwcmd add 1210 deny all from ${rinet}:${rimask} to any in via ppp0
> $fwcmd add 1220 deny all from ${oip} to any in via ${riip}
> $fwcmd add 1222 deny all from ${oip} to any in via ${uiip}

> # Stop RFC1918 nets on the outside interface
> $fwcmd add 1310 deny all from 192.168.0.0:255.255.0.0 to any via ppp*
> $fwcmd add 1320 deny all from 172.16.0.0:255.240.0.0 to any via ppp*
> $fwcmd add 1330 deny all from 10.0.0.0:255.0.0.0 to any via ppp*

> # Allow TCP through if setup succeeded
> $fwcmd add 2110 pass tcp from any to any established

> # Allow setup of incoming email
> $fwcmd add 2120 pass tcp from any to ${riip} 25 setup

> # Allow access to our DNS
> # NOTE(review): 2138 matches on source port only, so it admits any UDP
> # from port 53 to every port on ${oip}, not just replies to our own
> # queries.  Consider narrowing the destination if that is not intended.
> $fwcmd add 2130 allow udp from any to ${riip} 53
> $fwcmd add 2131 allow tcp from any to ${riip} 53 setup
> $fwcmd add 2132 allow udp from ${riip} to any 53
> $fwcmd add 2133 allow tcp from ${riip} to any 53
> $fwcmd add 2134 allow udp from any to ${oip} 53
> $fwcmd add 2135 allow tcp from any to ${oip} 53 setup
> $fwcmd add 2136 allow udp from ${oip} to any 53
> $fwcmd add 2137 allow tcp from ${oip} to any 53
> $fwcmd add 2138 allow udp from any 53 to ${oip}

> # Allow access to our WWW
> $fwcmd add 2140 pass tcp from any to ${riip} 80 setup

> # Allow Netscape reverse authentication
> $fwcmd add 2150 pass tcp from any to ${oip} 113 setup
> $fwcmd add 2152 pass tcp from any to ${riip} 113 setup

> # Allow ports collection FTP connections
> # NOTE(review): this keys on the *source* port only, so any inbound TCP
> # setup from port 20 or 21 reaches every port on the host, ahead of the
> # deny in 2995.  Limiting the destination to the unprivileged range
> # would keep active-mode FTP data connections working with much less
> # exposure -- confirm the ipfw port-range syntax for your version first.
> $fwcmd add 2160 pass tcp from any 20,21 to any in via ${oip} setup

> # Allow NTP
> $fwcmd add 2170 allow udp from ${oip} 123 to    any 123
> $fwcmd add 2172 allow udp from    any 123 to ${oip} 123

> # Reject and log all setup of other incoming connections from the outside
> $fwcmd add 2995 deny log tcp from any to any in via ${oip} setup

> # Allow setup of any other (inside) TCP connection
> # (everything arriving on the outside address was already denied above)
> $fwcmd add 2997 pass tcp from any to any setup

> # Squelch inbound WAN broadcasts
> $fwcmd add 3210 deny udp from any to 0.0.0.255:0.0.0.255 in via ppp*

> # Squelch inbound WAN multicast
> # NOTE(review): the comment says squelch, but both rules are "allow log";
> # if the intent is to drop multicast they should be deny -- confirm.
> $fwcmd add 3216 allow log ip from any to 224.0.0.0/4
> $fwcmd add 3217 allow log ip from 224.0.0.0/4 to any

> # Allow outbound UDP from registered hosts (for traceroute)
> $fwcmd add 3310 allow udp from ${rinet}:${rimask} to any out via ppp0
> $fwcmd add 3312 allow udp from ${rinet}:${rimask} to any in via ed0

> # Allow all UDP on the local net
> $fwcmd add 3410 allow udp from ${rinet}:${rimask} to ${rinet}:${rimask}
> $fwcmd add 3412 allow udp from ${uinet}:${uimask} to ${uinet}:${uimask}
> $fwcmd add 3420 allow udp from ${rinet}:${rimask} to ${uinet}:${uimask}
> $fwcmd add 3422 allow udp from ${uinet}:${uimask} to ${rinet}:${rimask}

> # Deny outbound UDP from NAT hosts
> # (this also catches any other UDP not matched by the rules above)
> $fwcmd add 3510 deny log udp from any to any

> # Allow ICMP
> $fwcmd add 65010 allow icmp from any to any

> # Deny and log everything else
> $fwcmd add 65534 deny log all from any to any
> $fwcmd delete 65000    # drop the temporary pass-all rule from ispstart
> $fwcmd zero 65535      # reset the counters on the default rule

> # NATD
> # Rule 150 sits ahead of everything above, so all traffic through the
> # link is diverted to natd.  $1 here is the same value as ${oif}.
> # NOTE(review): natd is started after the divert rule exists, so packets
> # matching rule 150 in that short window have no listener yet --
> # presumably harmless at link-up, confirm.  -u is natd's
> # unregistered-only mode (see natd(8)).
> $fwcmd add 150 divert natd all from any to any via $1
> /usr/sbin/natd -u -interface $1


/etc/ppp/ip-down    (take down NATD and clear firewall rules)

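> #!/bin/sh
> # pppd runs /etc/ppp/ip-down when a link goes away.  For the ISP line on
> # /dev/cuaa0: stop natd, then put the firewall back to the single
> # pass-all rule that /etc/ppp/ispstart installs, so the next dial starts
> # from the same state.  /bin/sh is enough here (nothing bash-specific is
> # used) and matches the other scripts.
> # $2 is the tty device as passed by pppd.
> #
> # NOTE(review): like ispstart, this leaves the host unfiltered while the
> # link is down (and while pppd's "persist" redials); presumably accepted
> # because no outside interface is up then -- confirm for your setup.

> fwcmd="/sbin/ipfw -q"
> natd_pid=/var/run/natd.pid

> if [ "$2" = "/dev/cuaa0" ]; then
>   # Only signal natd when its pid file is there; a missing file no
>   # longer turns into a "kill: usage" error.
>   if [ -r "$natd_pid" ]; then
>     kill "$(cat "$natd_pid")"
>   fi
>   # The original wrote "$fwcmd=...", which made the assignment a failed
>   # command and so never flushed the rules; fwcmd is now set above.
>   $fwcmd -f flush
>   $fwcmd add 65000 pass all from any to any
> fi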



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


