From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 24 Mar 2003 11:01:37 -0800 (PST)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05]  bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15]  bin/47120   ipfw   [patch] Sanity check in ipfw(8)

3 problems total.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message


From: Ruslan Ermilov
To: Scot
Cc: FreeBSD Stable, ipfw@FreeBSD.ORG
Date: Tue, 25 Mar 2003 11:20:08 +0200
Subject: Re: Natd stops working on Firewall

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just setup my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmaping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
>
> If I logon to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next ??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently. Our "simple" prototype is not
production ready; if you just tune oip/iip/onet/inet, etc., it won't
allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside is
as follows:

${inet}:${imask} -> some_host    (in via ${iif})
${oip} -> some_host              (out via ${oif})   (after NAT)
some_host -> ${inet}:${imask}    (in via ${oif})    (after de-NAT)
some_host -> ${inet}:${imask}    (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always the case.)

So, to make it work (if default is to "deny"), you need to add the
following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
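Ruslan's four-pass packet flow, as an added example that is not part of the thread: a small Python model of ipfw first-match evaluation, run over a paraphrase of the SIMPLE rules with and without his three extra rules. It shows a DNS query from an inside host being denied on the first pass (in via ${iif}) and its answer on the fourth (out via ${iif}), while a TCP setup already passes every stage under SIMPLE, which is why some traffic keeps working. Interface names, addresses and the rule subset are constructed.

```python
import ipaddress

# Constructed topology (not from the thread): fxp0 faces the cable modem, fxp1 the LAN.
OIF, IIF = "fxp0", "fxp1"
OIP, INET = "203.0.113.5", "192.168.1.0/24"     # ${oip} and ${inet}:${imask}

def R(action, **kw):
    """One ipfw rule; a field left unset is a wildcard, as when omitted on the command line."""
    base = dict(proto="all", src="any", dst="any", sport=None, dport=None,
                dir=None, via=None, flag=None)
    return {"action": action, **base, **kw}

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("all", p["proto"]) and addr_ok(r["src"], p["src"])
            and addr_ok(r["dst"], p["dst"]) and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"]) and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["via"]) and r["flag"] in (None, p["flag"]))

def verdict(rules, p):
    """ipfw is first-match; no match falls through to the kernel default, here 'deny'."""
    return next((r["action"] for r in rules if matches(r, p)), "deny")

# The SIMPLE rules that decide this flow (paraphrased from rc.firewall).
SIMPLE = [
    R("deny", src=INET, dir="in", via=OIF),                    # stop spoofing
    R("pass", proto="tcp", flag="established"),
    R("deny", proto="tcp", dir="in", via=OIF, flag="setup"),   # no inbound connects
    R("pass", proto="tcp", flag="setup"),
    R("pass", proto="udp", sport=53, dst=OIP),                 # DNS answers to ${oip}
    R("pass", proto="udp", src=OIP, dport=53),                 # DNS queries from ${oip}
]
# Ruslan's three rules appended to the ruleset.
FIXED = SIMPLE + [R("pass", src=INET, dir="in", via=IIF),
                  R("pass", src=OIP, dir="out", via=OIF),
                  R("pass", dst=INET)]

def walk(rules, proto, host, server, dport, sport, flag=None):
    """Verdict at each of the four ipfw passes for one request from `host` and its reply."""
    reply = "established" if proto == "tcp" else None   # reply segments carry ACK
    def pkt(s, d, sp, dp, dr, via, f):
        return dict(proto=proto, src=s, dst=d, sport=sp, dport=dp, dir=dr, via=via, flag=f)
    stages = [("in via iif",  pkt(host, server, sport, dport, "in", IIF, flag)),
              ("out via oif", pkt(OIP, server, sport, dport, "out", OIF, flag)),    # after NAT
              ("in via oif",  pkt(server, OIP, dport, sport, "in", OIF, reply)),
              ("out via iif", pkt(server, host, dport, sport, "out", IIF, reply))]  # after de-NAT
    return [(name, verdict(rules, p)) for name, p in stages]
```

`walk(SIMPLE, "udp", "192.168.1.10", "198.51.100.53", 53, 4000)` yields deny, pass, pass, deny for the four passes; with `FIXED` every pass is allowed.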
From: Scot
To: Ruslan Ermilov, Scot
Cc: FreeBSD Stable, ipfw@FreeBSD.ORG
Date: Wed, 26 Mar 2003 01:29:34 -0500
Subject: SUMMARY: Natd stops working on Firewall

Thanks to all who posted. Thanks Ruslan for the answer!

Simple fix as Ruslan explained. Just add ...

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

at the end of the SIMPLE section of rc.firewall. I added them just before

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;

[Cc][Ll][Oo][Ss][Ee][Dd])

Yes I know, now that I know it works I need to make it more restricted.

The details of what started this thread.

Following the FreeBSD Online handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
I setup my firewall (initially) using the following rc.conf subsettings

ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

Added my DHCP ip and Local network to rc.firewall SIMPLE section and voila. It worked.
But only for a little while. No logs or anything as to why...
Hence the post and kind response below.

Also: I added 15 lines of code to rc.firewall to dynamically handle a DHCP address;
if you're interested here it is. I know my coding sucks but it works.

--------------------------------------------------------------------------
# set these to your outside interface network and netmask and ip
oif="fxp0"
eval CHDHCP=\${ifconfig_$oif}
# quoted so the test does not fail with a syntax error when ifconfig_fxp0 is unset
if [ "${CHDHCP}" = "DHCP" -a -r /var/db/dhclient.leases ]; then
	lease="/var/db/dhclient.leases"
	# dhclient appends leases to this file; the last entry is the current one
	oip=`grep fixed-address ${lease} | cut -d\; -f1 | awk '{print $2}' | tail -1`
	omask=`grep subnet-mask ${lease} | cut -d\; -f1 | awk '{print $3}' | tail -1`
	# network = address AND mask, octet by octet, so it is right for any mask, not only /24
	onet=`echo "$oip $omask" | ( IFS=' .'; read a b c d e f g h; \
		echo "$(($a & $e)).$(($b & $f)).$(($c & $g)).$(($d & $h))" )`
	echo "DHCP onet = $onet"
	echo "DHCP omask = $omask"
	echo "DHCP oip = $oip"
	sleep 4
else
	# Add static address here
	onet="xxx.xxx.xxx.0"
	omask="255.255.255.0"
	oip="xxx.xxx.xxx.xxx"
fi
--------------------------------------------------------------------------

-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Ruslan Ermilov
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall
From: Carey Nairn
To: freebsd-ipfw@freebsd.org
Date: Sat, 29 Mar 2003 12:43:52 +1100
Subject: IPFW and ntpd

I am having a problem with getting ntpd to work with ipfw.

Using my simple firewall setup (based on the default /etc/rc.firewall), I get the following error when I start ntpd:

ntpd_initres[23825]: send to NTP server failed: Permission denied

If I set my firewall to OPEN, ntpd works just fine.

My firewall configuration is executed whenever my PPP (ADSL) connection is established and is as follows:

#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush

oif="tun0"
oip=`/sbin/ifconfig tun0 | grep -v grep | grep "inet " | awk '{ print $2 }'`
onet=$oip
omask="255.0.0.0"

iif="fxp0"
inet="172.16.1.0"
imask="255.255.255.0"
iip="172.16.1.4"

${fwcmd} add pass all from ${iip} to ${inet}:${imask}
${fwcmd} add pass all from ${inet}:${imask} to ${iip}

# Deny incoming ICMP requests
${fwcmd} add deny log icmp from any to any in via ${oif} icmptypes 8

# Allow outgoing ICMP requests
${fwcmd} add pass icmp from any to any out via ${oif} icmptypes 8
${fwcmd} add pass icmp from any to any in via ${oif} icmptypes 0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 22

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${oip}
${fwcmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

Any thoughts on why the ntp rule fails?

thanks
Carey Nairn