From owner-freebsd-questions Thu Jul 18 16:42:30 2002
Delivered-To: freebsd-questions@freebsd.org
From: "David Merriman" <merriman@1s.net>
To: freebsd-questions@FreeBSD.ORG
Subject: ppp Firewall - can't telnet/ftp from intranet
Date: Thu, 18 Jul 2002 18:41:40 -0500
Message-ID: <000001c22eb4$bfbc39d0$01000001@alpha>

/etc/host.conf:

hosts
bind

/etc/hosts:

127.0.0.1       localhost.home localhost
192.168.144.254 daemon

/etc/resolv.conf:

domain home
nameserver 206.104.144.4
nameserver 206.104.144.3

Edit /etc/ppp/ppp.conf:

# PPP Configuration
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 (All one line)
 set redial 3 10
 disable pred1
 deny pred1
 disable lqr
 deny lqr
 set authname xxxxxxxx
 set authkey xxxxxxxx
 set phone xxx-xxxx
 set timeout 600

# OneSource
 set openmode active
 accept chap
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.0.0.0 0.0.0.0
 add default HISADDR

/etc/ppp/ppp.linkup:

# Dial-on-demand:
demand:
 delete ALL
 add 0 0 HISADDR

# All other configurations use this:
OneSource:
 add 0 0 HISADDR

Edit /etc/ppp/ppp.linkdown:

# Dial-on-demand:
OneSource:
 iface clear

appropriate part of /etc/rc.conf:

### Basic network options: ###
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="fwrules"

fwrules:

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot.  :)
$fwcmd add allow ip from any to any via tun0
$fwcmd add allow ip from any to any via dc0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example specifically allows connections
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
$fwcmd add allow udp from any to 206.104.144.3 53 out xmit tun0

# Allow them back in with the answers...  :)
$fwcmd add allow udp from 206.104.144.4 53 to any in recv tun0
$fwcmd add allow udp from 206.104.144.3 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any

# Deny all the rest.
$fwcmd add deny log ip from any to any

I've also compiled the following into the kernel:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

My system is dialing out on demand; I can FTP and all that from my BSD box (daemon). Since getting ppp working with the above, I've lost the ability to telnet or ftp into the BSD box from my intranet.

Dave Merriman

****************************************
To eliminate the risk of malicious scripts or code, *all* HTML email is
automatically _deleted_ UNREAD on receipt.
****************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
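As an added example (not part of the original post, and not FreeBSD's own ipfw code), the small Python matcher below walks packets through a constructed subset of the fwrules script above using ipfw's first-match semantics, so it shows which rule admits a telnet connection arriving on dc0 from the intranet and which rule drops the same connection when it arrives over tun0 from the internet. The interface names come from the post; the addresses and packet descriptions are assumptions constructed for the demonstration.

```python
import re

# Constructed subset of the posted fwrules script (not the whole file).
FWRULES = """
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via dc0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
$fwcmd add deny log ip from any to any
"""

RULE_RE = re.compile(
    r"add (?P<action>divert natd|allow|deny|reset)(?: log)? (?P<proto>\w+) "
    r"from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?"
    r"(?P<opts>.*)$")

def parse_rules(text):
    """Parse '$fwcmd add ...' lines; numbering follows file order, as ipfw assigns it."""
    rules = [m.groupdict() for m in map(RULE_RE.search, text.splitlines()) if m]
    for r in rules:
        r["opts"] = r["opts"].split()
    return rules

def _after(opts, key):  # interface name following 'via', 'xmit' or 'recv'
    return opts[opts.index(key) + 1] if key in opts else None

def matches(rule, pkt):
    """Subset of ipfw matching: proto, addresses, ports, via/xmit/recv, setup/established."""
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if any(rule[f] not in ("any", pkt[f]) for f in ("src", "dst")):
        return False
    if any(rule[f] and int(rule[f]) != pkt[f] for f in ("sport", "dport")):
        return False
    o = rule["opts"]
    if _after(o, "via") not in (None, pkt["iface"]):
        return False
    for key, direction in (("xmit", "out"), ("recv", "in")):
        if key in o and (pkt["dir"] != direction or _after(o, key) != pkt["iface"]):
            return False
    return all(flag not in o or pkt["state"] == flag for flag in ("setup", "established"))

def first_match(rules, pkt):
    """ipfw is first-match; divert passes the packet to natd and evaluation continues."""
    for num, rule in enumerate(rules, 1):
        if rule["action"] != "divert natd" and matches(rule, pkt):
            return num, rule["action"]
    return None, "deny"  # implicit default deny with IPFIREWALL compiled in
```

Packets are plain dicts with keys proto, src, dst, sport, dport, dir, iface and state ("setup", "established" or None); the divert rule is listed but never terminates evaluation, just as natd diversion does not on the real box.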