Date: Fri, 08 May 1998 04:30:11 GMT
From: jak@cetlink.net (John Kelly)
To: Slyce <slyce@onramp.net>
Cc: FreeBSD Questions <questions@FreeBSD.ORG>
Subject: sample ip-up and ip-down scripts, firewall, IPFW, NATD
Message-ID: <3553820c.230163860@mail.cetlink.net>
In-Reply-To: <3551E7BB.A9452172@onramp.net>
References: <3551E7BB.A9452172@onramp.net>
On Thu, 07 May 1998 11:56:27 -0500, Slyce <slyce@onramp.net> wrote:

> scripts to start and stop kernel ppp sessions to local isp's???

OOPS! Hit the send button too quick last time. Let's try again.

The following includes support for a firewall/NATD setup. It took a long
time to iron out all the details, BTW. I wish someone had posted
something similar when I started out -- it would have saved me a lot of
time.

/etc/ppp/pap-secrets

> bozotheclown bigtimeisp password

/etc/ppp/options

> crtscts
> nobsdcomp
> nopredictor1
> asyncmap 00000000
> lcp-max-configure 5

/etc/ppp/ispstart

> #!/bin/sh
> # Clear firewall rules
> fwcmd="/sbin/ipfw -q"
> $fwcmd -f flush
> $fwcmd add 65000 pass all from any to any
> # Clear ppp log
> cp /dev/null /var/log/ppp.log
> # Fire it up
> pppd /dev/cuaa0 115200 persist holdoff 65 defaultroute \
>     connect /etc/ppp/ispchat remotename bigtimeisp name bozotheclown

/etc/ppp/ispchat (for 3Com Impact IQ external ISDN)

> chat -v -t 5 \
>     ABORT 'ERROR' ABORT 'NO DIALTONE' ABORT 'BUSY' \
>     ABORT 'NO ANSWER' ABORT 'NO CARRIER' \
>     '' 'AT&F' OK 'AT S60=64 S61=2 S70=0 S71=1 S76=0 S80=0' \
>     OK 'ATD 555-5555' TIMEOUT 20 CONNECT '\c' '\r'

/etc/ppp/ip-up (Stub, in case other lines for PPPD dial-in)

> #!/bin/sh
>
> if [ x$2 = x"/dev/cuaa0" ]; then
>     exec /etc/ppp/ip-up2 $*
> fi

/etc/ppp/ip-up2 (Set up firewall rules and start NATD last)

> #!/bin/sh
> # fwcmd="/sbin/ipfw -q"
> fwcmd="/sbin/ipfw"
> # set these to your outside interface, network, netmask, and ip
> oif=$1
> onet=$4    # doesn't really matter, I don't use it
> omask=" you-figure-it-out "
> oip=$4
> # if you have a registered subnet, set these to your *registered*
> # inside network, netmask, and ip.  If not, delete the firewall rules
> # (below) which reference them.
> rinet=" you-figure-it-out "
> rimask=" you-figure-it-out "
> riip=" you-figure-it-out "
> # set these to your unregistered inside network, netmask, and ip
> uinet=" you-figure-it-out "
> uimask=" you-figure-it-out "
> uiip=" you-figure-it-out "
>
> # Loopback but no spoofers
> $fwcmd add 1110 pass all from any to any via lo0
> $fwcmd add 1120 deny all from 127.0.0.0/8 to 127.0.0.0/8
>
> # Other spoofing
> $fwcmd add 1210 deny all from ${rinet}:${rimask} to any in via ppp0
> $fwcmd add 1220 deny all from ${oip} to any in via ${riip}
> $fwcmd add 1222 deny all from ${oip} to any in via ${uiip}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add 1310 deny all from 192.168.0.0:255.255.0.0 to any via ppp*
> $fwcmd add 1320 deny all from 172.16.0.0:255.240.0.0 to any via ppp*
> $fwcmd add 1330 deny all from 10.0.0.0:255.0.0.0 to any via ppp*
>
> # Allow TCP through if setup succeeded
> $fwcmd add 2110 pass tcp from any to any established
>
> # Allow setup of incoming email
> $fwcmd add 2120 pass tcp from any to ${riip} 25 setup
>
> # Allow access to our DNS
> $fwcmd add 2130 allow udp from any to ${riip} 53
> $fwcmd add 2131 allow tcp from any to ${riip} 53 setup
> $fwcmd add 2132 allow udp from ${riip} to any 53
> $fwcmd add 2133 allow tcp from ${riip} to any 53
> $fwcmd add 2134 allow udp from any to ${oip} 53
> $fwcmd add 2135 allow tcp from any to ${oip} 53 setup
> $fwcmd add 2136 allow udp from ${oip} to any 53
> $fwcmd add 2137 allow tcp from ${oip} to any 53
> $fwcmd add 2138 allow udp from any 53 to ${oip}
>
> # Allow access to our WWW
> $fwcmd add 2140 pass tcp from any to ${riip} 80 setup
>
> # Allow Netscape reverse authentication
> $fwcmd add 2150 pass tcp from any to ${oip} 113 setup
> $fwcmd add 2152 pass tcp from any to ${riip} 113 setup
>
> # Allow ports collection FTP connections
> $fwcmd add 2160 pass tcp from any 20,21 to any in via ${oip} setup
>
> # Allow NTP
> $fwcmd add 2170 allow udp from ${oip} 123 to any 123
> $fwcmd add 2172 allow udp from any 123 to ${oip} 123
>
> # Reject and log all setup of other incoming connections from the outside
> $fwcmd add 2995 deny log tcp from any to any in via ${oip} setup
>
> # Allow setup of any other (inside) TCP connection
> $fwcmd add 2997 pass tcp from any to any setup
>
> # Squelch inbound WAN broadcasts
> $fwcmd add 3210 deny udp from any to 0.0.0.255:0.0.0.255 in via ppp*
>
> # Squelch inbound WAN multicast
> $fwcmd add 3216 allow log ip from any to 224.0.0.0/4
> $fwcmd add 3217 allow log ip from 224.0.0.0/4 to any
>
> # Allow outbound UDP from registered hosts (for traceroute)
> $fwcmd add 3310 allow udp from ${rinet}:${rimask} to any out via ppp0
> $fwcmd add 3312 allow udp from ${rinet}:${rimask} to any in via ed0
>
> # Allow all UDP on the local net
> $fwcmd add 3410 allow udp from ${rinet}:${rimask} to ${rinet}:${rimask}
> $fwcmd add 3412 allow udp from ${uinet}:${uimask} to ${uinet}:${uimask}
> $fwcmd add 3420 allow udp from ${rinet}:${rimask} to ${uinet}:${uimask}
> $fwcmd add 3422 allow udp from ${uinet}:${uimask} to ${rinet}:${rimask}
>
> # Deny outbound UDP from NAT hosts
> $fwcmd add 3510 deny log udp from any to any
>
> # Allow ICMP
> $fwcmd add 65010 allow icmp from any to any
>
> # Deny and log everything else
> $fwcmd add 65534 deny log all from any to any
>
> $fwcmd delete 65000
> $fwcmd zero 65535
>
> # NATD
> $fwcmd add 150 divert natd all from any to any via $1
> /usr/sbin/natd -u -interface $1

/etc/ppp/ip-down (take down NATD and clear firewall rules)

> #!/usr/local/bin/bash
> if [ x$2 = x"/dev/cuaa0" ]; then
>     kill `cat /var/run/natd.pid`
>     # assign the variable (no leading $), otherwise the command is never defined
>     fwcmd="/sbin/ipfw -q"
>     $fwcmd -f flush
>     $fwcmd add 65000 pass all from any to any
> fi
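An added audit helper, not part of the post or of FreeBSD, that replays a constructed subset of the ip-up2 rules above and checks the ordering assumptions the script relies on: ipfw evaluates by rule number rather than insertion order, so the divert rule 150 added last is still checked first; the temporary rule 65000 must actually be deleted; and the RFC1918 anti-spoof denies must sort before the "established" pass rule. The address 203.0.113.5 is a documentation stand-in for ${oip}.

```python
# Replays "add N ..." / "delete N" lines of an ipfw script and audits the result.
IP_UP2 = """
add 65000 pass all from any to any
add 1310 deny all from 192.168.0.0:255.255.0.0 to any via ppp*
add 1330 deny all from 10.0.0.0:255.0.0.0 to any via ppp*
add 2110 pass tcp from any to any established
add 2995 deny log tcp from any to any in via 203.0.113.5 setup
add 2997 pass tcp from any to any setup
add 65534 deny log all from any to any
delete 65000
add 150 divert natd all from any to any via ppp0
"""  # constructed subset of the post's rules; 203.0.113.5 stands in for ${oip}

def parse(line):
    """Split one 'add N ...' or 'delete N' line into (verb, number, rule)."""
    verb, num, *rest = line.split()
    if verb == "delete":
        return verb, int(num), None
    action, *rest = rest
    if action == "divert":          # divert takes a port argument (natd)
        rest = rest[1:]
    if rest[0] == "log":            # log is an option, not the protocol
        rest = rest[1:]
    return verb, int(num), (action, rest[0], " ".join(rest[1:]))

def simulate(script):
    """Return {number: (action, proto, body)} sorted by number, as ipfw evaluates them."""
    table = {}
    for line in script.strip().splitlines():
        verb, num, rule = parse(line)
        if verb == "delete":
            table.pop(num, None)
        else:
            table[num] = rule
    return dict(sorted(table.items()))

def audit(script):
    """Return a list of findings; an empty list means the checks passed."""
    rules = simulate(script)
    findings = []
    if ("pass", "all", "from any to any") in rules.values():
        findings.append("temporary pass-all rule was never deleted")
    if list(rules.values())[-1][:2] != ("deny", "all"):
        findings.append("rule set does not end in a catch-all deny")
    spoof = [n for n, (a, _, b) in rules.items() if a == "deny" and b.endswith("via ppp*")]
    est = [n for n, (a, _, b) in rules.items() if a == "pass" and b.endswith("established")]
    if spoof and est and max(spoof) > min(est):
        findings.append("anti-spoof denies are evaluated after the established-pass rule")
    return findings
```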