Date: Fri, 26 Apr 2002 12:09:08 -0400
From: "Carolyn Longfoot" <c_longfoot@hotmail.com>
To: barbish@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: RE: rc.firewall problems
Message-ID: <F17Ff82rPe4n4WZiW7M000009a8@hotmail.com>
Hey, thanks, great write-up! I guess rc.firewall needs to be overhauled. In the meantime I found a devious error I made: the subnet is determined by the netmask and I had it wrong. The reason the other boxes could not get out is probably similar to the article from Joe, because as soon as I inserted a rule to allow UDP from any 53 to any (AFTER the nat translation) everything was fine and other clients could get out.

Thanks much,
Caro

>From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
>To: "Carolyn Longfoot" <c_longfoot@hotmail.com>
>Subject: RE: rc.firewall problems
>Date: Fri, 26 Apr 2002 11:13:00 -0400
>
>Read this http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO
>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Carolyn Longfoot
>Sent: Thursday, April 25, 2002 2:32 PM
>To: freebsd-questions@freebsd.org
>Subject: rc.firewall problems
>
>I have the following setup and I cannot figure out why only the firewall
>server itself, but nobody else on the network can get out. I compared the
>entries with all documentation I could get my hands on (Complete FreeBSD,
>Handbook...) but found no real differences.
>
>If anybody could point me to what I'm missing I'd appreciate it. I am
>running NAT and to get anything to work I added the rows marked with ===
>(not marked in the actual file of course). That feels pretty wrong and I'm
>especially puzzled why BOTH are needed; I can see that 'sh rc.firewall'
>executed the nat rule further down, so why would the first one make a
>difference?
>
>Cheers,
>
>Caro
>
>  # set these to your outside interface network and netmask and ip
>  oif="rl0"
>  onet="1.1.1.0"
>  omask="255.255.255.252"
>  oip="1.1.1.1"
>
>  # set these to your inside interface network and netmask and ip
>  iif="rl1"
>  inet="10.0.0.0"
>  imask="255.255.255.0"
>  iip="10.0.0.1"
>
>=== ${fwcmd} add divert natd all from any to any via ${oif}
>=== ${fwcmd} add pass all from any to any
>
>  # Stop spoofing
>  ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
>  ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
>  # Stop RFC1918 nets on the outside interface
>  ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
>  ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
>  ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
>  # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
>  # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
>  # on the outside interface
>  ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
>  ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
>  ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
>  ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
>  ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
>  # Network Address Translation. This rule is placed here deliberately
>  # so that it does not interfere with the surrounding address-checking
>  # rules. If for example one of your internal LAN machines had its IP
>  # address set to 192.0.2.1 then an incoming packet for it after being
>  # translated by natd(8) would match the `deny' rule above. Similarly
>  # an outgoing packet originated from it before being translated would
>  # match the `deny' rule below.
>  case ${natd_enable} in
>  [Yy][Ee][Ss])
>    if [ -n "${natd_interface}" ]; then
>      ${fwcmd} add divert natd all from any to any via ${natd_interface}
>    fi
>    ;;
>  esac
>
>  # Stop RFC1918 nets on the outside interface
>  ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
>  ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
>  ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
>  # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
>  # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
>  # on the outside interface
>  ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
>  ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
>  ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
>  ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
>  ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>
>  ${fwcmd} add pass all from any to any via ${iif}
>  ${fwcmd} add pass all from ${onet}:${omask} to any out via ${oif}
>
>  # Allow TCP through if setup succeeded
>  ${fwcmd} add pass tcp from any to any established
>
>  # Allow IP fragments to pass through
>  ${fwcmd} add pass all from any to any frag
>
>  # Allow setup of incoming email
>  ${fwcmd} add pass tcp from any to ${oip} 25 setup
>
>  # Allow access to our DNS
>  ${fwcmd} add pass tcp from any to ${oip} 53 setup
>  ${fwcmd} add pass udp from any to ${oip} 53
>  ${fwcmd} add pass udp from ${oip} 53 to any
>
>  # Allow access to our WWW
>  ${fwcmd} add pass tcp from any to ${oip} 80 setup
>
>  # Reject&Log all setup of incoming connections from the outside
>  ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>  # Allow setup of any other TCP connection
>  ${fwcmd} add pass tcp from any to any setup
>
>  # Allow DNS queries out in the world
>  ${fwcmd} add pass udp from any 53 to ${oip}
>  ${fwcmd} add pass udp from ${oip} to any 53
>
>  # Allow NTP queries out in the world
>  ${fwcmd} add pass udp from any 123 to ${oip}
>  ${fwcmd} add pass udp from ${oip} to any 123
>
>  # Everything else is denied by default, unless the
>  # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>  # config file.
>  ;;
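The rule walk behind Caro's finding, as an added example that is not part of the thread or of FreeBSD's rc.firewall: a small Python model that replays the posted rule order against a LAN client's DNS query and its reply. The point it makes visible is that once the divert rule has handed an inbound reply to natd, every rule after it sees the translated destination (the client's 10.0.0.x address), so "pass udp from any 53 to ${oip}" no longer matches and the reply drops through to the default deny, while the firewall's own replies still match. A "pass udp from any 53 to any" placed after the divert is the first rule that can match the translated packet. The client address 10.0.0.5, the resolver 203.0.113.53, the toy nat() stand-in for natd and the helper names (build_rules, walk, client_dns_roundtrip, firewall_dns_roundtrip) are all constructed for this example; the rules that cannot match UDP/53 are left out of the model.

```python
"""Toy walk of the rc.firewall rule order posted above (added example, not
code from the thread or from FreeBSD). Shows why a LAN client's DNS reply
falls to the default deny after natd(8) rewrites its destination, and why a
'pass udp from any 53 to any' placed after the divert lets it through."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OIF, IIF, OIP = "rl0", "rl1", "1.1.1.1"
ONET, INET = "1.1.1.0/30", "10.0.0.0/24"      # onet:omask, inet:imask
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str          # interface being traversed
    direction: str      # "in" or "out" on that interface


def rule(action, proto=None, src=None, sport=None, dst=None, dport=None,
         via=None, direction=None):
    """One ipfw rule as (action, predicate); None means 'any'."""
    def pred(p):
        return ((proto is None or p.proto == proto)
                and (src is None or ip_address(p.src) in ip_network(src))
                and (sport is None or p.sport == sport)
                and (dst is None or ip_address(p.dst) in ip_network(dst))
                and (dport is None or p.dport == dport)
                and (via is None or p.iface == via)
                and (direction is None or p.direction == direction))
    return action, pred


def nat(pkt, table):
    """Constructed stand-in for natd: LAN sources leaving rl0 become OIP and
    are noted by port; replies to OIP on a noted port get the client back."""
    if pkt.direction == "out" and ip_address(pkt.src) in ip_network(INET):
        table[pkt.sport] = pkt.src
        return replace(pkt, src=OIP)
    if pkt.direction == "in" and pkt.dst == OIP and pkt.dport in table:
        return replace(pkt, dst=table[pkt.dport])
    return pkt


def build_rules(with_fix):
    """Posted order; the TCP, frag and NTP rules are left out because none
    of them can match UDP/53. with_fix adds Caro's rule after the divert."""
    rules = [rule("deny", src=INET, via=OIF, direction="in"),      # anti-spoof
             rule("deny", src=ONET, via=IIF, direction="in"),
             *[rule("deny", dst=b, via=OIF) for b in BOGONS],
             rule("divert", via=OIF)]                              # natd
    if with_fix:
        rules.append(rule("pass", proto="udp", sport=53))
    rules += [*[rule("deny", src=b, via=OIF) for b in BOGONS],
              rule("pass", via=IIF),
              rule("pass", src=ONET, via=OIF, direction="out"),
              rule("pass", proto="udp", dst=OIP, dport=53),        # our DNS
              rule("pass", proto="udp", src=OIP, sport=53),
              rule("pass", proto="udp", sport=53, dst=OIP),        # replies to the box
              rule("pass", proto="udp", src=OIP, dport=53)]
    return rules


def walk(pkt, rules, table):
    """First match decides; divert hands the packet to nat() and continues
    at the next rule, which is how natd re-injects it."""
    for action, pred in rules:
        if not pred(pkt):
            continue
        if action == "divert":
            pkt = nat(pkt, table)
            continue
        return action, pkt
    return "deny", pkt      # default without IPFIREWALL_DEFAULT_TO_ACCEPT


def client_dns_roundtrip(with_fix):
    """Client 10.0.0.5 queries an outside resolver. Returns verdicts for the
    query entering rl1, leaving rl0, the reply entering rl0, and the reply
    destination the rules saw after the divert."""
    rules, table = build_rules(with_fix), {}
    q = Packet("udp", "10.0.0.5", 40000, "203.0.113.53", 53, IIF, "in")
    v_in, _ = walk(q, rules, table)
    v_out, _ = walk(replace(q, iface=OIF, direction="out"), rules, table)
    r = Packet("udp", "203.0.113.53", 53, OIP, 40000, OIF, "in")
    v_reply, seen = walk(r, rules, table)
    return v_in, v_out, v_reply, seen.dst


def firewall_dns_roundtrip():
    """The same exchange from the firewall itself, which the posted rules cover."""
    rules, table = build_rules(False), {}
    q = Packet("udp", OIP, 40001, "203.0.113.53", 53, OIF, "out")
    r = Packet("udp", "203.0.113.53", 53, OIP, 40001, OIF, "in")
    return walk(q, rules, table)[0], walk(r, rules, table)[0]
```

Calling client_dns_roundtrip(False) gives ("pass", "pass", "deny", "10.0.0.5"): the query leaves fine, but the reply is judged with dst 10.0.0.5 and nothing after the divert admits it. client_dns_roundtrip(True) gives ("pass", "pass", "pass", "10.0.0.5"), and firewall_dns_roundtrip() gives ("pass", "pass") either way. The same logic applies to the mask error Caro mentions: "pass all from ${onet}:${omask} to any out via ${oif}" only matches translated client traffic when the outside address actually falls inside onet/omask, so a wrong mask silently drops the post-NAT packets of that rule too.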