Date:      Thu, 11 Oct 2001 14:15:27 -0400
From:      Louis LeBlanc <leblanc+freebsd@smtp.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: IPFW, natd, and one big headache
Message-ID:  <20011011141527.E3862@acadia.ne.mediaone.net>
In-Reply-To: <20011010212942.A1037@acadia.ne.mediaone.net>
References:  <20011010212942.A1037@acadia.ne.mediaone.net>

Well, I don't know what the hangups really were, but I finally got a
reasonable firewall working without killing my connectivity.  Also got
natd working (sort of) after reading the manpage several times and
checking up each flag I was sending it from rc.conf.

Here is what I came up with.

In rc.conf I included the following:
natd_program="/sbin/natd"
natd_interface="xl0"
natd_enable="YES"
natd_flags="-u -s -same_ports -dynamic -n xl0 -log_facility security"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"

I noticed the -dynamic flag and realized that natd would obviously
need to know if the IP were to change, so I added that.

my rc.firewall (adapted from Dan O'Connor's version at
http://www.mostgraveconcern.org/freebsd/ipfw.html -THANKS!) looks like
this:

######################################################################
# rc.firewall - Firewall Rules
#
# Maintained by:  D. O'Connor
# Modified:       7/18/2000.
#

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip.  ifconfig prints
# "inet A.B.C.D netmask 0xHHHHHHHH broadcast ...": the address is field
# 2 and the mask (in hex) is field 4 (field 4 is not the address, and
# field 6 is the broadcast address, not the network).  The FTP and
# anti-spoofing rules below depend on these being right.
oif="xl0"
oip=`/sbin/ifconfig ${oif} | awk '/inet /{print $2; exit}'`
omaskhex=`/sbin/ifconfig ${oif} | awk '/inet /{print $4; exit}'`
m=$((omaskhex))
omask="$((m>>24&255)).$((m>>16&255)).$((m>>8&255)).$((m&255))"
# Mask the address to get the network number for the "net:mask" rules.
# ($1 was already copied into firewall_type above, so clobbering it is ok.)
oldifs=$IFS; IFS=.; set -- ${oip}; IFS=$oldifs
n=$(( (($1<<24)+($2<<16)+($3<<8)+$4) & m ))
onet="$((n>>24&255)).$((n>>16&255)).$((n>>8&255)).$((n&255))"

# Inside interface network and netmask and ip
iif="fxp0"
inet="10.8.20.0"
imask="255.255.255.0"
iip="10.8.20.5"

# My ISP's DNS servers: the "nameserver" lines of resolv.conf, whatever
# else (domain, search, comments) the file contains.  If fewer than
# three are listed, repeat the first so no rule below is left empty.
dns1=`awk '/^nameserver/{print $2}' /etc/resolv.conf | sed -n 1p`
dns2=`awk '/^nameserver/{print $2}' /etc/resolv.conf | sed -n 2p`
dns3=`awk '/^nameserver/{print $2}' /etc/resolv.conf | sed -n 3p`
dns2=${dns2:-${dns1}}
dns3=${dns3:-${dns1}}

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# NATD - divert everything on the outside interface through natd.  A
# diverted packet re-enters the ruleset right after this rule with its
# translated addresses, so the source-side checks below see the
# post-NAT packet.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 source addresses on the outside interface (after natd)
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) source nets (after natd)
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead.  Note that
# "established" matches any TCP packet with ACK or RST set, whoever sent
# it; it does not prove the connection was set up through this firewall.
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP RULES
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
${fwcmd} add pass tcp from any to any 443 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing (active-mode) connections.
# Anything that sources its connection from port 20 matches this rule and
# can reach any port above 1023, so keep it in mind when reading the logs.
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
# FTP - Allow incoming connections,
${fwcmd} add pass tcp from any 1024-65535 to ${oip} 21 via ${oif} in
${fwcmd} add pass tcp from ${oip} 20 to any 1024-65535 via ${oif} out

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from any to ${dns3} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
${fwcmd} add pass udp from ${dns3} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES
# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and
# Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES
# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
######################################################################


Sorry for the long output.  I will be tweaking and focusing this
script over the course of a couple weeks, opening, closing, and
tightening things as needed.  I will try to get a postmortem up on my
website within the month to -hopefully, help someone else get over the
rare hangup that can be missed in studying existing resources.

My natd hangups are kind of weird.  My internal machines can now see
out to the internet, but access to services on the gateway (running
natd, Apache, IMAP, etc.) is REAL slow.  I don't understand that, but
I'll read a few more things that may help with that.

Thanks VERY MUCH to Christ Clark, David Kelly, and Roger Merritt.
Your pointers and ideas really were of great help.  Also thanks to Dan
O'Connor, in case you're about, for the cheat sheets at
mostgraveconcern.

I'll post the URL for the postmortem when I have it completed.

Cheers
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Armstrong's Collection Law:
  If the check is truly in the mail,
  it is surely made out to someone else.

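As an added example, not part of Lou's post or of Dan O'Connor's script: the shell functions below show how a dynamic-IP rc.firewall can get a correct oip, omask and onet out of ifconfig(8) output, and let you check the arithmetic offline before it goes near a live ruleset. The ifconfig text is constructed sample output in the FreeBSD 4.x layout (the address and mask in it are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): derive the outside
# interface's address, dotted-quad netmask, network number and prefix
# length from ifconfig(8) output, then build the anti-spoofing rule the
# way rc.firewall does.  SAMPLE_IFCONFIG is constructed sample output.

SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.128.57.210 netmask 0xfffffc00 broadcast 24.128.59.255
        ether 00:10:5a:9b:3c:7d'

# Field 2 of the "inet " line is the address, field 4 the mask in hex.
# ("inet6" lines do not match because of the trailing space.)
inet_field() {   # $1 = ifconfig text, $2 = field number
    printf '%s\n' "$1" | awk -v f="$2" '/inet /{print $f; exit}'
}

# 32-bit integer -> dotted quad
to_quad() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# dotted quad -> 32-bit integer (positional parameters are local here)
from_quad() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# hex or decimal mask -> prefix length; bounded to 32 rounds so a 32-bit
# sh that sign-extends the mask cannot loop forever
prefix_len() {
    m=$(( $1 )); len=0; i=0
    while [ $i -lt 32 ]; do
        len=$(( len + (m & 1) )); m=$(( m >> 1 )); i=$(( i + 1 ))
    done
    echo $len
}

iface_ip()     { inet_field "$1" 2; }
iface_mask()   { to_quad "$(( $(inet_field "$1" 4) ))"; }
iface_net()    { to_quad "$(( $(from_quad "$(iface_ip "$1")") & $(inet_field "$1" 4) ))"; }
iface_prefix() { prefix_len "$(inet_field "$1" 4)"; }

# The "deny our own outside net coming in on the inside interface" rule,
# with real values substituted as rc.firewall would substitute them.
spoof_rule() {   # $1 = ifconfig text, $2 = inside interface
    echo "add deny all from $(iface_net "$1"):$(iface_mask "$1") to any in via $2"
}

# Stand-alone run: show what the rc.firewall variables would hold.
printf 'oip=%s omask=%s onet=%s (/%s)\n' \
    "$(iface_ip "$SAMPLE_IFCONFIG")" "$(iface_mask "$SAMPLE_IFCONFIG")" \
    "$(iface_net "$SAMPLE_IFCONFIG")" "$(iface_prefix "$SAMPLE_IFCONFIG")"
spoof_rule "$SAMPLE_IFCONFIG" fxp0
```

Run it as-is to see the values for the sample; to check a real box, replace SAMPLE_IFCONFIG with `"$(/sbin/ifconfig xl0)"`. The hex mask is fed straight into `$(( ))`, which accepts C-style constants, so no separate hex-to-decimal step is needed.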