Date:      Sat, 13 Jan 2001 05:26:45 -0800 (PST)
From:      opentrax@email.com
To:        questions@freebsd.org
Cc:        ipfw@freebsd.org, buckland@btl.net
Subject:   Fwd: dialup firewall with FreeBSD
Message-ID:  <200101131326.FAA16944@spammie.svbug.com>

Your question forwarded to questions@freebsd.org and ipfw@freebsd.org
They can help you better than doc@freebsd.org

------ Forwarded message ------
    From: "Robert M. Buckland" <buckland@btl.net>
 Subject: dialup firewall with FreeBSD
    Date: Wed, 10 Jan 2001 16:27:36 -0600
      To: doc@FreeBSD.ORG

Hello,

         I once asked for help in a dialup firewall solution that I 
implemented for our network and I got help - I hope someone out there can 
help again. I have gotten all the machines on our internal network to get 
out but I need to route some traffic back in. I have been able to get the 
internal network out on the net using pppd and natd and kernel mode ipfw is 
enabled. However I have been having trouble with getting some traffic in. 
Basically while the internal machines can get out with no problems I need 
some traffic to come in. I need web requests that are sent to port 80 of 
the firewall machine to be redirected to a webserver on the internal network. 
I also need mail coming in for the network to be redirected to that same 
server on the internal network.

Let me detail the current setup:

         I have currently set the firewall type to "open" in rc.conf. I 
figured that I should not try to use rules until I get the service properly 
established between the internal and external networks. Hence I commented 
out the firewall rules file and set it to open in rc.conf as follows:

>firewall_enable="YES"
>firewall_type="open"
>#firewall_type="/etc/firewall/fwrules"

         I have tried to use natd with the -redirect_port option but I have 
trouble with it. The system seems to work fine when I set the natd startup 
to -dynamic, but when I try to call the natd.conf file it doesn't work and I 
cannot get out. Hence I also have that commented out in rc.conf as follows:

>natd_enable="YES"
>natd_interface="ppp0"
>natd_flags="-dynamic"
>#natd_flags="-f /etc/natd.conf"

My natd.conf file that I was trying to call looks like this:


>interface ppp0
>use_sockets yes
>same_ports yes
>redirect_port tcp 89.0.0.14:80 80
>redirect_port udp 89.0.0.14:80 80
>redirect_port tcp 89.0.0.14:110 110
>redirect_port udp 89.0.0.14:110 110

89.0.0.14 is the server on the other end of the crossover cable (the DMZ) 
that has web and mail services running. That machine is an NT fileserver 
that has a webserver (IIS) and a mail server that supports POP, IMAP and 
HTTP access. The mailserver's web component runs on 8383 but I am hoping 
that I can do a redirect on that server from port 80. If not I will need to 
also explicitly place the redirect on the FreeBSD box.

Also, I have not started using my firewall rules. Should I use this instead 
of natd and redirects? Which is the best way to do this? I do have a 
firewall rules file set up as below:

>#Define the firewall command for easy reference
>fwcmd="/sbin/ipfw"
>
>#Flush the rules before reloading
>$fwcmd -f flush
>
>#Divert all packets through the tunnel interface
>$fwcmd add divert natd all from any to any via ppp0
>
>#Allow all data from nic and localhost
>$fwcmd add allow ip from any to any via lo0
>$fwcmd add allow ip from any to any via de0
>
>#Allow all connections initiated from Sentinel
>$fwcmd add allow tcp from any to any out xmit ppp0 setup
>
>#Allow established connections to stay open
>$fwcmd add allow tcp from any to any via ppp0 established
>
>#Allow Internet connections to specific services
>$fwcmd add allow tcp from any to any 80 setup
>$fwcmd add allow tcp from any to any 21 setup
>$fwcmd add allow tcp from any to any 22 setup
>$fwcmd add allow tcp from any to any 23 setup
>
>#Reset all ident packets
>$fwcmd add reset log tcp from any to any 113 in recv ppp0
>
>#Allow outgoing DNS queries to specific DNS servers
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to x.x.x.x 53 out xmit ppp0
>$fwcmd add allow udp from any to 89.0.0.14 out xmit de0
>
>#Allow ICMP (for ping and traceroute to work for testing)
>#Remember to disallow this when no longer needed
>$fwcmd add 65435 allow icmp from any to any
>
>#Deny all the rest
>$fwcmd add 65435 deny log ip from any to any


This firewall rule set is based on the one I got from your tutorial, but it 
doesn't seem to work when I call it.

This is the result when I type "ifconfig -a"

>de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 89.0.0.10 netmask 0xfffffff0 broadcast 89.0.0.15
>         inet6 fe80::200:c0ff:fe70:dbe6%de0 prefixlen 64 scopeid 0x1
>         ether 00:00:c0:70:db:e6
>         media: autoselect (10baseT/UTP) status: active
>         supported media: autoselect 10base5/AUI 10base2/BNC 10baseT/UTP <full-duplex> 10baseT/UTP
>lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>         inet x.x.x.101 --> x.x.x.98 netmask 0xffffff00
>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
>faith0: flags=8000<MULTICAST> mtu 1500

Note that I have replaced the public IP with "x" for security reasons since 
I am sending this via plain text. I am willing to trust someone with more 
details such as actual IPs, but I would send that information via PGP.

Also note that I am using 89.0.0.0/16 as a Private Block. I always thought 
that Internic had also assigned 89.* as a class A private IP block. It was 
pointed out to me that this is incorrect so I will change the crossover 
link to 172. However I don't think that has anything to do with my current 
dilemma.

I do hope someone can help since I convinced my manager that the FreeBSD 
solution I implemented is a good solution and more robust than plugging in 
his NT servers directly. I need to have him see his website and get mail in 
and he'll be happy. Mail can be sent out from the domain, but of course it 
can't be received as yet.


Robert Buckland



--------------------------------------------------------------------------
ORIGINAL MESSAGE
--------------------------------------------------------------------------
I'm hoping someone out there can help...

I've set up a FreeBSD 4.1 machine to act as a firewall routing packets 
between my internal and external network. I followed your dialup firewall 
tutorial and recompiled my kernel as you suggested, adding the IPFILTER and 
IPDIVERT options. I then added the firewall and natd options to my rc.conf 
file. Upon boot the ipfirewall options and divert are enabled; however, natd 
reports that it cannot find the tun0 interface, that it is not a valid 
interface. I do have the -dynamic tag, but pppd does not start until much 
later. I have it in rc.d as "000pppd.sh", but even though it is the first 
to start there, this still occurs after natd has initialized. I have tried 
userppp, which I can get to use nat, but I can't get it to autostart as 
smoothly as pppd; furthermore, I also would prefer to use the kernel based 
firewall as this system will protect a fairly high profile company. Is 
there anything I have missed? I noticed in the man pages for natd they 
mentioned that it is not for dialup options.

A bit about my network setup: My connection is also a bit strange. Rather 
than a dialup, the connection is a dedicated leased line connection between 
two analog modems. I'm down here in Belize and this is the best they could 
offer me. The modems are set to originate and answer respectively; I simply 
need to send an ATZ command to our modem to reestablish the link. The IPs 
are also static. I have this working nicely with pppd: the chat script 
simply sends a reset to the modem and pppd is set to persist. I then have a 
crossover cable (as a perimeter network) to an internal server. That 
internal server will house the company's mailserver and webserver. I 
planned to have the FreeBSD box route packets from the outside to the web 
and mail server on the internal network and route all Internet based 
traffic from the internal network. It seemed to me like natd and ipfw were 
the ideal solution. Is there anything I am doing wrong? Something I have 
missed? Or somewhere you could point me? I'll appreciate any help you can 
offer.

Sincerely

Robert Buckland 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message






To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
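Added example (the editor's, not the poster's files and not the FreeBSD dialup firewall tutorial's): a natd.conf and an ipfw ruleset that implement what the message above asks for. Two points worth checking against the files quoted in the thread. First, natd.conf accepts the same options as the command line with the leading dash dropped, so the counterpart of the -dynamic flag is the line `dynamic yes`; without it natd resolves the interface address once at startup, which fails on a link that pppd only brings up later. Second, because the divert rule runs first, inbound packets reach the allow rules already translated to the internal address, so the inbound allow can name the internal server and port; a rule of the form `allow tcp from any to any 80 setup` also admits inbound port 80 to the firewall itself and to every inside host. Assumed here, and not taken from the thread: outside interface ppp0, inside interface de0, internal server 172.16.0.14 (the poster planned to move the crossover link to a 172.* block; the host number is invented) and the TEST-NET placeholder 192.0.2.53 as resolver. Inbound mail delivery arrives on SMTP port 25; a POP redirect for remote clients would be added the same way. Run with no arguments to print the rules, with `load` to apply them, with `natd` to print the natd.conf.

```shell
#!/bin/sh
# Added example for this thread, not the poster's configuration and not the
# FreeBSD tutorial's.  Publishes HTTP and SMTP on one internal host through
# natd and denies everything else.  Assumed values (ours): ppp0 outside, de0
# inside, internal server 172.16.0.14, resolver 192.0.2.53 (placeholder).

OIF=${OIF:-ppp0}
IIF=${IIF:-de0}
SRV=${SRV:-172.16.0.14}
NS=${NS:-192.0.2.53}
IPFW=${IPFW:-/sbin/ipfw}     # set IPFW="echo /sbin/ipfw" for a dry run

# natd.conf: each -flag has a config-file spelling with the dash dropped.
# "dynamic yes" makes natd follow the interface address when pppd brings
# the link up later.  Redirect TCP only; HTTP and SMTP have no UDP part.
natd_conf() {
    cat <<EOF
interface $OIF
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp $SRV:80 80
redirect_port tcp $SRV:25 25
EOF
}

rule() { $IPFW add "$@"; }

load_rules() {
    $IPFW -f flush

    # 1. Translate first.  Inbound packets reach the later rules already
    #    rewritten to $SRV; outbound ones already carry the ppp0 address.
    rule 100 divert natd ip from any to any via "$OIF"

    # 2. Loopback and the inside wire are trusted.
    rule 200 allow ip from any to any via lo0
    rule 210 allow ip from any to any via "$IIF"

    # 3. Connections started by us (or by the inside, post-NAT), and replies.
    rule 300 allow tcp from any to any out xmit "$OIF" setup
    rule 310 allow tcp from any to any via "$OIF" established

    # 4. Published services.  Match the translated destination, so only the
    #    ports natd redirects are reachable, and only on the internal server.
    rule 400 allow tcp from any to "$SRV" 80 in recv "$OIF" setup
    rule 410 allow tcp from any to "$SRV" 25 in recv "$OIF" setup

    # 5. Refuse ident probes at once instead of letting remote MTAs time out.
    rule 500 reset tcp from any to any 113 in recv "$OIF"

    # 6. DNS to the named resolver, and its answers back in.
    rule 600 allow udp from any to "$NS" 53 out xmit "$OIF"
    rule 610 allow udp from "$NS" 53 to any in recv "$OIF"

    # 7. ICMP limited to echo reply, unreachable, echo request, time exceeded.
    rule 700 allow icmp from any to any icmptypes 0,3,8,11

    # 8. Log and drop the rest.  The kernel's built-in rule 65535 also denies
    #    unless built with IPFIREWALL_DEFAULT_TO_ACCEPT; be explicit anyway.
    rule 65000 deny log ip from any to any
}

case "${1:-}" in
    load) load_rules ;;
    natd) natd_conf ;;
    *)    IPFW="echo $IPFW" load_rules ;;   # default: show, do not load
esac
```

The divert rule assumes natd is listening on the port named `natd` in /etc/services (8668/divert, as FreeBSD ships it), and natd must be running before the rule set is loaded or diverted packets are dropped.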




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200101131326.FAA16944>