Date: Sat, 5 Aug 2000 01:11:30 -0700 From: "Crist J . Clark" <cjclark@reflexnet.net> To: Ruslan Ermilov <ru@sunbay.com> Cc: rshea@opendoor.co.nz, freebsd-questions@FreeBSD.ORG Subject: Re: NATD/"spoofing" and IPFW Message-ID: <20000805011130.H66052@184.215.6.64.reflexcom.com> In-Reply-To: <20000804171753.A522@sunbay.com>; from ru@sunbay.com on Fri, Aug 04, 2000 at 05:17:53PM %2B0300 References: <200008040857.e748va105786@deborah.paradise.net.nz> <20000804171753.A522@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 04, 2000 at 05:17:53PM +0300, Ruslan Ermilov wrote: > On Fri, Aug 04, 2000 at 08:47:34PM +1200, rshea@opendoor.co.nz wrote: > > Hi - I'm new to FreeBSD and trying to make my FreeBSD machine > > act as a gateway/firewall to the office LAN. The connection to the > > i'net is via a cable modem with a fixed IP address. I am using > > IPFW as the firewall and in rc.conf I have set firewall_type to > > "simple". The machines on the LAN use addresses in the range > > 192.168.10.xx. > > > > I 'borrowed' my firewall rules (I've tagged them onto the bottom of > > this email) from the very helpful site ... > > > > http://www.mostgraveconcern.com/freebsd/ > > > > ... but I find that machines within the LAN (W9x machines FWIW) > > cannot 'get out' if I retain the rules > > > > ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} > > ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} > > > For a detailed description of your problem, please see > http://www.freebsd.org/cgi/query-pr.cgi?pr=13769 > > For a fix, please see > http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall.diff?r1=1.35&r2=1.36 I've long thought that this was not the best approach for the rules that deny packets coming in to RFC1918 and other non-registered addresses anyway. One should set up rule to default to deny, rather than picking any chosing what to deny and let the rest fall through. Here's what I am doing now. Did I miss anything? I don't block incoming packets from 'bad' addresses, they shouldn't be able to get by any other rules with the exception of incoming SSH. ############ # Setup system for firewall service. # # 2000/01/03, cjc- Customized for cc942873-a. # # 2000/02/01, cjc- Modified for machine to do NAT. This is a gateway. # # 2000/07/29, cjc- Major changes for DHCP. # # 2000/08/03, cjc- Reworked rules to do default deny up front and # moved to using 'keep-state' # Suck in the configuration variables. if [ -f /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf elif [ -f /etc/rc.conf ]; then . /etc/rc.conf fi if [ "x$1" != "x" ]; then firewall_type=$1 fi ############ # Info about local net numbers dhcpc_range="64.6.192.0/19" dhcps_range="${dhcpc_range}" net="192.168.128.0/24" iip="192.168.128.254" ibc="192.168.128.255" iif="de0" oip=`/sbin/ifconfig ${natd_interface} | /usr/bin/awk '/inet / { print $2 }'` oif=${natd_interface} obc=`/sbin/ifconfig ${natd_interface} | /usr/bin/awk '/inet / { print $6 }'` ############ # Set quiet mode if requested if [ "x$firewall_quiet" = "xYES" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" fi ############ # Flush out the list before we begin. $fwcmd -f flush ############ # Only in rare cases do you want to change these rules $fwcmd add 100 pass all from any to any via lo0 $fwcmd add 200 deny log all from any to 127.0.0.0/8 ############ # Stop spoofing $fwcmd add deny log ip from ${oip} to not ${obc} recv ${oif} $fwcmd add deny log ip from ${iip} to not ${ibc} recv ${iif} ############ # Let DHCP work $fwcmd add pass udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out via ${oif} $fwcmd add pass udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in via ${oif} $fwcmd add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out via ${oif} $fwcmd add pass udp from ${dhcps_range} 67 to 255.255.255.255 68 in via ${oif} ############ # Jump ahead with stuff destined for this machine $fwcmd add skipto 10000 ip from any to ${oip} in via ${oif} $fwcmd add skipto 10000 ip from any to ${obc} in via ${oif} ############ # Block anything not meant for this machine $fwcmd add deny ip from any to any in via fxp0 ############ # These rules are required for using natd. All packets are passed to # natd before they encounter your remaining rules. The firewall rules # will then be run again on each packet after translation by natd, # minus any divert rules (see natd(8)). if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then $fwcmd 10000 add divert natd all from any to any via ${natd_interface} fi # Prototype setups. # Just keeping the 'open' for testing purposes if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then $fwcmd add 65000 pass all from any to any else $fwcmd add check-state $fwcmd add pass ip from ${oip} to any out via ${oif} keep-state $fwcmd add pass ip from ${net} to any in via ${iif} keep-state $fwcmd add pass ip from ${iip} to ${net} out via ${iif} $fwcmd add pass tcp from any to ${oip} 22 in via ${oif} keep-state ############ # Drop NetBIOS noise $fwcmd add deny udp from any 137-138 to ${obc} 137-138 in via ${oif} $fwcmd add deny log tcp from any to any in via ${oif} setup $fwcmd add deny log udp from any to any in via ${oif} $fwcmd add deny log ip from any to any via ${iif} # $fwcmd add deny log ip from any to any fi #End -- Crist J. Clark cjclark@alum.mit.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000805011130.H66052>