Date:      Thu, 18 Jul 2002 18:41:40 -0500
From:      "David Merriman" <merriman@1s.net>
To:        <freebsd-questions@freebsd.org>
Subject:   ppp Firewall - can't telnet/ftp from intranet
Message-ID:  <000001c22eb4$bfbc39d0$01000001@alpha>

/etc/host.conf: 
hosts
bind


/etc/hosts: 
127.0.0.1   localhost.home   localhost
192.168.144.254    <mydomain>    daemon


/etc/resolv.conf: 
domain      home
nameserver  206.104.144.4
nameserver  206.104.144.3


Edit /etc/ppp/ppp.conf: 
# PPP Configuration
#
# Layout: a label at column 0 starts a profile and the indented lines
# beneath it belong to that profile.  Every command in this file sits
# under "default:", which ppp loads before the profile it is started with.

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
# The chat script below must be a single physical line in the real file;
# it is wrapped here only for e-mail (see the author's "(All one line)").
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT
  OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" (All one line)
 set redial 3 10
# Refuse Predictor-1 compression and LQR in both directions.
 disable pred1
 deny pred1
 disable lqr
 deny lqr
# Credentials are placeholders here.  The real ppp.conf carries the
# account password in clear text, so keep it readable by root only.
 set authname xxxxxxxx
 set authkey xxxxxxxx
 set phone xxx-xxxx
 set timeout 600

# OneSource
# NOTE(review): "# OneSource" is a comment, not a label ("OneSource:"), so
# the lines below are still part of default: -- while ppp.linkup and
# ppp.linkdown on this page refer to an "OneSource" label that this file
# never defines.  Confirm which label ppp is actually started with.
 set openmode active
 accept chap
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.0.0.0 0.0.0.0
 add default HISADDR 

/etc/ppp/ppp.linkup: 
# Dial-on-demand:
# NOTE(review): ppp.linkup sections are selected by, among other things,
# the label ppp was started with; the ppp.conf shown on this page defines
# only "default:", so neither "demand:" nor "OneSource:" appears to match
# anything -- confirm the label in use.
demand:
 delete ALL
 add 0 0 HISADDR

# All other configurations use this:
# Install the default route through the peer once the link is up.
OneSource:
 add 0 0 HISADDR

Edit /etc/ppp/ppp.linkdown: 
# Dial-on-demand:
# When the link drops, clear the addresses configured on the interface.
# NOTE(review): this section is labelled "OneSource", which the ppp.conf
# on this page does not define; the ppp.linkup file above uses "demand"
# for its dial-on-demand entry -- confirm the two agree.
OneSource:
 iface clear

appropriate part of /etc/rc.conf: 
### Basic network options: ###
    # Packet filter: rules are loaded from the script named here instead
    # of one of the /etc/rc.firewall profiles.
    firewall_enable="YES"
    firewall_script="/etc/firewall/fwrules"
    # natd(8) on the PPP link, fed by the "divert natd ... via tun0" rule in
    # fwrules; -dynamic lets natd follow the address tun0 gets at each
    # dial-up.
    natd_enable="YES"
    natd_interface="tun0"
    natd_flags="-dynamic"
    # ppp runs in -auto (dial-on-demand) mode.
    # NOTE(review): ppp_nat="YES" enables ppp's own built-in NAT, so with
    # natd_enable also set two translators sit on tun0 -- confirm that only
    # one of them is intended.
    ppp_enable="YES"
    ppp_mode="auto"
    ppp_nat="YES"
    # NOTE(review): ppp_profile is the ppp.conf label to dial with, but the
    # ppp.conf shown on this page has only "default:" and no "fwrules:"
    # label ("fwrules" is the firewall script's name) -- verify.
    ppp_profile="fwrules"
    
fwrules:
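    # Firewall rules
    # Written by Marc Silver (marcs@draenor.org)
    # http://draenor.org/ipfw
    # Freely distributable
    #
    # ipfw walks the list in order and stops at the first match, so any
    # broad "allow ip from any to any via <if>" rule ends evaluation for
    # every packet on that interface.  Only trusted interfaces (loopback
    # and the LAN card) get such a rule; tun0 is the untrusted PPP link and
    # is opened only by the specific rules further down.
    
    
    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference.  Helps to make it easier to read.
    fwcmd="/sbin/ipfw"
    
    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush
    
    # Divert all packets through the tunnel interface.
    $fwcmd add divert natd all from any to any via tun0
    
    # Allow all data from my network card and localhost.  Make sure you
    # change your network card (mine was fxp0) before you reboot.  :)
    # Localhost is lo0.  Naming tun0 here instead would pass everything on
    # the PPP link and leave the ssh/apache, ident, DNS and final deny
    # rules below unreachable for that interface.
    # If the LAN card is not dc0, inbound telnet/ftp from the LAN match no
    # allow rule (only ports 80 and 22 are opened regardless of interface)
    # and fall through to the logged deny at the end.
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via dc0
    
    # Allow all connections that I initiate.
    $fwcmd add allow tcp from any to any out xmit tun0 setup
    
    # Once connections are made, allow them to stay open.
    $fwcmd add allow tcp from any to any via tun0 established
    
    # Everyone on the internet is allowed to connect to the following
    # services on the machine.  This example specifically allows
    # connections to ssh and apache.
    $fwcmd add allow tcp from any to any 80 setup
    $fwcmd add allow tcp from any to any 22 setup
    
    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to any 113 in recv tun0
    
    # Allow outgoing DNS queries ONLY to the specified servers.
    $fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
    $fwcmd add allow udp from any to 206.104.144.3 53 out xmit tun0
    
    # Allow them back in with the answers...  :)
    $fwcmd add allow udp from 206.104.144.4 53 to any in recv tun0
    $fwcmd add allow udp from 206.104.144.3 53 to any in recv tun0
    
    # Allow ICMP (for ping and traceroute to work).  You may wish to
    # disallow this, but I feel it suits my needs to keep them in.
    $fwcmd add allow icmp from any to any
    
    # Deny all the rest.
    $fwcmd add deny log ip from any to any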

I've also compiled the following into the kernel
options IPFIREWALL 
options IPFIREWALL_VERBOSE 
options IPFIREWALL_VERBOSE_LIMIT=100 

My system is dialing out on demand, I can FTP and all that from my BSD
box (daemon). Since getting ppp working with the above, I've lost the
ability to telnet or ftp into the BSD box from my intranet.

Dave Merriman

****************************************

To eliminate the risk of malicious scripts
or code, *all* HTML email is automatically
_deleted_ UNREAD on receipt.

****************************************


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



