Date:      Thu, 29 Jun 2000 15:29:57 -0700
From:      "Robert M. Shields" <wildcard@bnswest.net>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: DSL / Routing / ipfw issues
Message-ID:  <395BCDE4.C4276DBA@bnswest.net>
References:  <395A99D5.86C65388@bnswest.net> <003c01bfe16e$5729e9c0$0200a8c0@home.matrix.oss.uswest.net> <395AB9BF.C0618989@bnswest.net> <20000628224215.D451@dialin-client.earthlink.net>


"Crist J. Clark" wrote:

> On Wed, Jun 28, 2000 at 07:51:43PM -0700, Robert M. Shields wrote:
> >   I had the firewall box enabled as a gateway with NAT onto the 2nd network to
> > begin with...  ( I guess that was relevant info,  huh? )  I could ping the fxp0
> > interface from any system on the LAN, but when I tried to reach the 675 on the
> > doze boxes, the packet would always time out.
> >
> >    Which is why I was looking into turning the firewall into a network bridge,
> > to avoid all that hoopla with running NAT twice.  It's my understanding that while
> > acting as a bridge the firewall can just pass packets back and forth between
> > networks, just as if they were physically connected, without any name
> > translation or routing needed.   Or should I just say screw it, lose the
> > firewall and use the NAT and packet filtering in the 675?
>
> No need to run NAT twice. If you just want the FreeBSD box for
> firewalling, do not bridge either. Just setup the FreeBSD box with
> firewalling and IP forwarding enabled. Make sure to add the route
> (lemme see if I remember my Cisco syntax),
>
>   ip route 192.168.123.0 0.0.0.255 10.0.0.1
>
> To the 675. Unless the 675 is a lot dumber than I would expect Cisco
> hardware to be, all should work.
>
> Just do the NAT at the 675. If you do NAT at FreeBSD, no need for NAT
> at the 675. Flip a coin.
> --

Ok... Took your advice and I'm still having some problems.

For some reason USWorst won't support what I'm doing, i.e. they want every machine
on my network to DHCP the 675 for an IP address, and the 675 then DHCPs uswest.net's
server for an IP address.  The 675 then provides NAT to the network.

   What I want to do is have all the boxes on my network keep their static IPs
except for the fxp0 interface on the DSL side, which I set to DHCP from the DSL
(trying to work around this config problem), and run NAT on my firewall.

The problem I'm having now is that NAT keeps outputting this error:
      natd[pid]: failed to write packet back (permission denied)

I can ping the outside world from my firewall box, but from nothing else on my
network.  I CANNOT ping the 675 from anywhere on the network, and likewise when I
ping my network from the 675.

Ipfw on LAN side is still 192.168.123.3
Ipfw on DSL side is DHCPing to 10.0.0.2
675 defaults to 10.0.0.1 on eth0 side (I did a memory reset)
and (of course) 675 picks up a public ip from uswest.net DHCP.

The default gateway on my LAN is set up as the firewall box's IP.

My Firewall rule set looks like this: (along with defaults in rc.firewall)
# Stop spoofing
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# HTTP - Allow outside access to web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
${fwcmd} add pass tcp from any to any 53
${fwcmd} add pass tcp from any 53 to any

# IDENT - Allow connections, but send reset
${fwcmd} add reset tcp from any to any 113 in recv ${oif}

# FTP - Allow outbound, deny inbound
${fwcmd} add pass tcp from any 20 to any setup
${fwcmd} add pass log tcp from any to any 20 setup
${fwcmd} add pass log tcp from any 21 to any setup
${fwcmd} add pass log tcp from any to any 21 setup

# SSH Login
${fwcmd} add pass tcp from any to any 22 setup
${fwcmd} add pass log tcp from any 22 to any setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# ICMP - Allow ping, et. al., for testing
${fwcmd} add pass icmp from any to any

# TRACEROUTE - Allow for within 30 hops.
${fwcmd} add pass udp from any to any 33434-33463

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 via ${oif}

# Reject&Log SMB connections from outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}

Any ideas?

Again, thanks for the help,

Robert M. Shields
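Added example, not part of this thread and not code from FreeBSD's rc.firewall: a small Python model of ipfw's first-match evaluation together with natd's divert/write-back cycle, run against a constructed subset of the rule set quoted above with fxp0 (10.0.0.2) as the outside interface and the 675 at 10.0.0.1. It reproduces the two symptoms in the message (natd's "failed to write packet back (permission denied)" and the unreachable 675) and shows one rule ordering that avoids them. The matcher is a simplification of ipfw: first match wins, `via` matches either direction, and a packet natd writes back re-enters the rules just after the divert rule. The LAN interface name xl0, the LAN host 192.168.123.5 and the remote address 203.0.113.9 are assumptions.

```python
"""Toy first-match evaluator for ipfw(8) rules plus natd(8)'s divert cycle.

Added example, not code from the thread or from FreeBSD's rc.firewall.
Simplifications: first match wins, 'via' matches either direction, and a
packet natd writes back re-enters the rules after the divert rule.  Rule
numbers are of the kind ipfw assigns, not the poster's.
"""
import ipaddress

OIF = "fxp0"   # outside (DSL) interface, 10.0.0.2, as in the message
IIF = "xl0"    # inside (LAN) interface name is an assumption
ANY = "0.0.0.0/0"


def rule(action, proto, src, dst, direction=None, iface=None):
    """One ipfw rule: action, protocol, source/destination nets,
    optional 'in'/'out' direction and optional interface ('via')."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "direction": direction, "iface": iface}


def pkt(proto, src, dst, direction, iface):
    return {"proto": proto, "src": src, "dst": dst,
            "direction": direction, "iface": iface}


# Constructed subset of the poster's rule set, with the natd divert rule
# ahead of the filters (as rc.firewall placed it at the time).
POSTED = [
    (50,    rule("divert", "all", ANY, ANY, iface=OIF)),
    (100,   rule("deny", "all", "10.0.0.0/8", ANY, "in", OIF)),
    (200,   rule("deny", "all", ANY, "10.0.0.0/8", "out", OIF)),
    (300,   rule("deny", "all", "192.168.0.0/16", ANY, None, OIF)),
    (400,   rule("deny", "all", ANY, "192.168.0.0/16", None, OIF)),
    (500,   rule("pass", "icmp", ANY, ANY)),
    (65000, rule("deny", "all", ANY, ANY, None, OIF)),
]

# One ordering that avoids both problems: the untranslated-destination
# check runs before natd, the untranslated-source check after it, and the
# 10.0.0.0/8 denies are dropped because the link to the 675 is itself
# numbered out of 10.0.0.0/8 (narrow them to exempt 10.0.0.1 if kept).
REORDERED = [
    (100,   rule("deny", "all", ANY, "192.168.0.0/16", None, OIF)),
    (200,   rule("divert", "all", ANY, ANY, iface=OIF)),
    (300,   rule("deny", "all", "192.168.0.0/16", ANY, None, OIF)),
    (500,   rule("pass", "icmp", ANY, ANY)),
    (65000, rule("deny", "all", ANY, ANY, None, OIF)),
]


def matches(r, p):
    return (r["proto"] in ("all", p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and r["direction"] in (None, p["direction"])
            and r["iface"] in (None, p["iface"]))


def first_match(rules, p, after=0):
    """(number, action) of the first matching rule numbered above 'after'.
    65535/deny is ipfw's implicit default rule."""
    for num, r in rules:
        if num > after and matches(r, p):
            return num, r["action"]
    return 65535, "deny"


def natd_cycle(rules, p, rewrite=None):
    """Run p through the rules; on 'divert' apply natd's rewrite (new dst
    for an inbound packet, new src for an outbound one) and resume after the
    divert rule.  natd's write-back fails with EACCES when that second pass
    ends in 'deny', which is the logged 'permission denied' error."""
    num, action = first_match(rules, p)
    if action != "divert":
        return num, action, None
    num2, action2 = first_match(rules, dict(p, **(rewrite or {})), after=num)
    err = "failed to write packet back (permission denied)" if action2 == "deny" else None
    return num2, action2, err


# Constructed packets for the symptoms in the message.
REMOTE, LAN_HOST, FW_OUT, CISCO = "203.0.113.9", "192.168.123.5", "10.0.0.2", "10.0.0.1"
REPLY_TO_LAN = (pkt("icmp", REMOTE, FW_OUT, "in", OIF), {"dst": LAN_HOST})   # natd maps dst back
LAN_TO_675 = (pkt("icmp", LAN_HOST, CISCO, "out", OIF), {"src": FW_OUT})     # natd rewrites src
REPLY_FROM_675 = (pkt("icmp", CISCO, FW_OUT, "in", OIF), None)               # to the firewall itself
FW_PING_OUT = (pkt("icmp", FW_OUT, REMOTE, "out", OIF), None)                # firewall's own ping

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for label, (p, rw) in (("reply to LAN host", REPLY_TO_LAN),
                               ("LAN host -> 675", LAN_TO_675),
                               ("675 -> firewall", REPLY_FROM_675),
                               ("firewall -> Internet", FW_PING_OUT)):
            print(f"{name:9} {label:22} {natd_cycle(rules, p, rw)}")
```

With the posted ordering the translated reply to a LAN host is denied by the `to 192.168.0.0/16 via fxp0` rule on its second pass, a LAN ping to the 675 is denied by `to 10.0.0.0/8 out via fxp0` once its source has been rewritten to 10.0.0.2, and the 675's own replies are denied by `from 10.0.0.0/8 in via fxp0`; only the firewall's own pings pass, matching the message. The model ignores the `established`, `frag` and spoofing rules, and dropping the 10.0.0.0/8 denies does cost an anti-spoofing check, so in a real rule set they should be narrowed to exempt the 675's link address rather than removed.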
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?395BCDE4.C4276DBA>