Date: Wed, 10 Jan 2001 16:27:36 -0600
To: doc@FreeBSD.org
From: "Robert M. Buckland"
Subject: dialup firewall with FreeBSD

Hello,

I once asked for help with a dialup firewall solution that I implemented for our network and I got help - I hope someone out there can help again.

I have gotten all the machines on our internal network to get out, but I need to route some traffic back in. I have been able to get the internal network out on the net using pppd and natd, and kernel mode ipfw is enabled. However, I have been having trouble with getting some traffic in. Basically, while the internal machines can get out with no problems, I need some traffic to come in. I need web requests that are sent to port 80 of the firewall machine to be redirected to a webserver on the internal network. I also need mail coming in for the network to be redirected to that same server on the internal network.

Let me detail the current setup:

I have currently set the firewall type to "open" in rc.conf. I figured that I should not try to use rules until I get the service properly established between the internal and external networks.
Hence I commented out the firewall rules file and set it to open in rc.conf as follows:

>firewall_enable="YES"
>firewall_type="open"
>#firewall_type="/etc/firewall/fwrules"

I have tried to use natd with the -redirect_port option, but I have trouble with it. The system seems to work fine when I set the natd startup to -dynamic, but when I try to call the natd.conf file it doesn't work and I cannot get out. Hence I also have that commented out in rc.conf as follows:

>natd_enable="YES"
>natd_interface="ppp0"
>natd_flags="-dynamic"
>#natd_flags="-f /etc/natd.conf"

My natd.conf file that I was trying to call looks like this:

>interface ppp0
>use_sockets yes
>same_ports yes
>redirect_port tcp 89.0.0.14:80 80
>redirect_port udp 89.0.0.14:80 80
>redirect_port tcp 89.0.0.14:110 110
>redirect_port udp 89.0.0.14:110 110

89.0.0.14 is the server on the other end of the crossover cable (the DMZ) that has web and mail services running. That machine is an NT fileserver that has a webserver (IIS) and a mail server that supports POP, IMAP and HTTP access. The mailserver's web component runs on 8383, but I am hoping that I can do a redirect on that server from port 80. If not, I will need to also explicitly place the redirect on the FreeBSD box.

Also, I have not started using my firewall rules. Should I use this instead of natd and redirects? Which is the best way to do this?
I do have a firewall rules file set up as below:

>#Define the firewall command for easy reference
>fwcmd="/sbin/ipfw"
>
>#Flush the rules before reloading
>$fwcmd -f flush
>
>#Divert all packets through the tunnel interface
>$fwcmd add divert natd all from any to any via ppp0
>
>#Allow all data from nic and localhost
>$fwcmd add allow ip from any to any via lo0
>$fwcmd add allow ip from any to any via de0
>
>#Allow all connections initiated from Sentinel
>$fwcmd add allow tcp from any to any out xmit ppp0 setup
>
>#Allow established connections to stay open
>$fwcmd add allow tcp from any to any via ppp0 established
>
>#Allow Internet connections to specific services
>$fwcmd add allow tcp from any to any 80 setup
>$fwcmd add allow tcp from any to any 21 setup
>$fwcmd add allow tcp from any to any 22 setup
>$fwcmd add allow tcp from any to any 23 setup
>
>#Reset all ident packets
>$fwcmd add reset log tcp from any to any 113 in recv ppp0
>
>#Allow outgoing DNS queries to specific DNS servers
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to 89.0.0.14 out xmit de0
>
>#Allow ICMP (for ping and traceroute to work for testing)
>#Remember to disallow this when no longer needed
>$fwcmd add 65435 allow icmp from any to any
>
>#Deny all the rest
>$fwcmd add 65435 deny log ip from any to any

This firewall rules set is based on the one I got from your tutorial, but it doesn't seem to work when I call it.
This is the result when I type "ifconfig -a":

>de0: flags=8843 mtu 1500
>        inet 89.0.0.10 netmask 0xfffffff0 broadcast 89.0.0.15
>        inet6 fe80::200:c0ff:fe70:dbe6%de0 prefixlen 64 scopeid 0x1
>        ether 00:00:c0:70:db:e6
>        media: autoselect (10baseT/UTP) status: active
>        supported media: autoselect 10base5/AUI 10base2/BNC 10baseT/UTP 10baseT/UTP
>lp0: flags=8810 mtu 1500
>sl0: flags=c010 mtu 552
>ppp0: flags=8051 mtu 1500
>        inet x.x.x.101 --> x.x.x.98 netmask 0xffffff00
>lo0: flags=8049 mtu 16384
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>        inet6 ::1 prefixlen 128
>        inet 127.0.0.1 netmask 0xff000000
>gif0: flags=8010 mtu 1280
>gif1: flags=8010 mtu 1280
>gif2: flags=8010 mtu 1280
>gif3: flags=8010 mtu 1280
>faith0: flags=8000 mtu 1500

Note that I have replaced the public IP with "x" for security reasons, since I am sending this via plain text. I am willing to trust someone with more details such as actual IPs, but I would send that information via PGP.

Also note that I am using 89.0.0.0/16 as a private block. I always thought that Internic had also assigned 89.* as a class A private IP block. It was pointed out to me that this is incorrect, so I will change the crossover link to 172. However, I don't think that has anything to do with my current dilemma.

I do hope someone can help, since I convinced my manager that the FreeBSD solution I implemented is a good solution and more robust than plugging in his NT servers directly. I need to have him see his website and get mail in and he'll be happy. Mail can be sent out from the domain, but of course it can't be received as yet.

Robert Buckland

--------------------------------------------------------------------------
ORIGINAL MESSAGE
--------------------------------------------------------------------------

I'm hoping someone out there can help...

I've set up a FreeBSD 4.1 machine to act as a firewall routing packets between my internal and external network.
I followed your dialup firewall tutorial and recompiled my kernel as you suggested, adding the IPFILTER and IPDIVERT options. I then added the firewall and natd options to my rc.conf file. Upon boot the ipfirewall options and divert are enabled; however, natd reports that it cannot find the tun0 interface - that it is not a valid interface. I do have the -dynamic tag, but pppd does not start until much later - I have it in rc.d as "000pppd.sh", but even though it is the first to start there, this still occurs after natd has initialized.

I have tried userppp, which I can get to use nat, but I can't get it to autostart as smoothly as pppd - furthermore, I also would prefer to use the kernel based firewall, as this system will protect a fairly high profile company. Is there anything I have missed? I noticed in the man pages for natd they mentioned that it is not for dialup options.

A bit about my network setup: My connection is also a bit strange - rather than a dialup, the connection is a dedicated leased line connection between two analog modems - I'm down here in Belize and this is the best they could offer me. The modems are set to originate and answer respectively; I simply need to send an ATZ command to our modem to reestablish the link. The IPs are also static. I have this working nicely with pppd - the chat script simply sends a reset to the modem and pppd is set to persist.

I then have a crossover cable (as a perimeter network) to an internal server. That internal server will house the company's mailserver and webserver. I planned to have the FreeBSD box route packets from the outside to the web and mail server on the internal network and route all Internet based traffic from the internal network. It seemed to me like natd and ipfw were the ideal solution.

Is there anything I am doing wrong? Something I have missed? Or somewhere you could point me? I'll appreciate any help you can offer.
Sincerely,
Robert Buckland
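A rules file of the kind shown in the message is easy to get subtly wrong, and ipfw gives little feedback when the file is loaded by a shell script. The following is an added example written for this page; it is not the handbook tutorial's code nor the poster's. It is a POSIX sh lint that reads a rules file written in the "$fwcmd add ..." form and reports: a protocol keyword ipfw does not know (a one-letter slip such as "upp" for "udp" makes ipfw reject that line and the rule is silently missing from the loaded set); a rule that touches the external interface before the natd divert rule (packets then never reach natd for translation); an explicit rule number used more than once (ipfw accepts this and evaluates same-numbered rules in the order they were added, which is easy to misread in the file); and a missing final "deny ip from any to any". The external interface name, the restricted protocol list and the sample rules file are assumptions constructed for the example.

```sh
#!/bin/sh
# fwlint.sh: sanity checks for an ipfw rules file in "$fwcmd add ..." form.
# Added example for this page, not the FreeBSD tutorial's or the poster's code.
# Assumptions: one rule per line, "$fwcmd add [number] action [log] proto ...",
# and a restricted list of protocol keywords (ipfw accepts more in reality).

KNOWN_PROTOS=" ip tcp udp icmp all "

# lint_fw RULES_FILE EXT_IF
# Prints one finding per line; prints nothing when the file passes.
lint_fw() {
    rules=$1
    extif=${2:-ppp0}
    divert_seen=0
    final_deny=0
    seen_nums=" "
    set -f                                  # no globbing while splitting rule words

    while IFS= read -r line; do
        case $line in
            '$fwcmd add '*) ;;              # a rule line
            *) continue ;;                  # comments, blanks, variable definitions
        esac
        set -- $line
        shift 2                             # drop "$fwcmd" and "add"
        num=auto
        case $1 in
            [0-9]*) num=$1; shift ;;
        esac
        action=$1; shift
        [ "$action" = divert ] && shift     # skip the divert port name (natd)
        [ "$1" = log ] && shift
        proto=$1

        # 1. the protocol keyword must be one ipfw understands
        case $KNOWN_PROTOS in
            *" $proto "*) ;;
            *) echo "unknown protocol '$proto' in rule: $line" ;;
        esac

        # 2. traffic on the external interface must hit the divert rule first
        if [ "$action" = divert ]; then
            divert_seen=1
        elif [ $divert_seen -eq 0 ]; then
            case $line in
                *"$extif"*) echo "rule touches $extif before the natd divert: $line" ;;
            esac
        fi

        # 3. explicit rule numbers should not repeat
        if [ "$num" != auto ]; then
            case $seen_nums in
                *" $num "*) echo "rule number $num used more than once: $line" ;;
                *) seen_nums="$seen_nums$num " ;;
            esac
        fi

        # 4. remember whether a catch-all deny exists
        case $line in
            *deny*"ip from any to any"*) final_deny=1 ;;
        esac
    done < "$rules"

    set +f
    [ $final_deny -eq 1 ] || echo "no final 'deny ip from any to any' rule"
}

# count_findings RULES_FILE EXT_IF: number of findings, convenient for scripts
count_findings() {
    lint_fw "$1" "$2" | wc -l | tr -d ' '
}

# write_sample FILE: constructed rules file modelled on the one in the message;
# the "upp" typo and the repeated 65435 are kept on purpose.
write_sample() {
    cat > "$1" <<'EOF'
fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add divert natd all from any to any via ppp0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via de0
$fwcmd add allow tcp from any to any out xmit ppp0 setup
$fwcmd add allow tcp from any to any via ppp0 established
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add reset log tcp from any to any 113 in recv ppp0
$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
$fwcmd add allow upp from any to 89.0.0.14 out xmit de0
$fwcmd add 65435 allow icmp from any to any
$fwcmd add 65435 deny log ip from any to any
EOF
}

# Usage: fwlint.sh RULES_FILE [EXT_IF]; with no arguments, lint the sample.
if [ -n "${1:-}" ]; then
    lint_fw "$1" "${2:-ppp0}"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    lint_fw "$tmp" ppp0
    rm -f "$tmp"
fi
```

Run against the sample it reports the unknown protocol and the repeated rule number; run against a real fwrules file it is a cheap check to add before "sh /etc/firewall/fwrules", because ipfw itself only prints an error for the rejected line and carries on loading the rest.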