From owner-freebsd-questions Fri May  3 14:49:13 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from monsoon.mail.pipex.net (monsoon.mail.pipex.net [158.43.128.69])
	by hub.freebsd.org (Postfix) with SMTP id 6B7EC37B417
	for ; Fri, 3 May 2002 14:48:59 -0700 (PDT)
Received: (qmail 2844 invoked from network); 3 May 2002 21:11:30 -0000
Received: from userhh092.dsl.pipex.com (HELO ThisAddressDoesNotExist) (62.190.215.92)
	by smtp-1.dial.pipex.com with SMTP; 3 May 2002 21:11:30 -0000
Subject: RE: Firewall config and logs
From: "S. Roberts"
Reply-To: sroberts@dsl.pipex.com
To: Joe & Fhe Barbish
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <1020316768.299.17.camel@Demon.Strobe.org>
References: <1020316768.299.17.camel@Demon.Strobe.org>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.3
Date: 03 May 2002 22:07:56 +0100
Message-Id: <1020460076.299.84.camel@Demon.Strobe.org>
Mime-Version: 1.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi Joe,

I have now had a look through the link you included in your last reply,
and I'm very impressed with the information provided there. I have a few
questions as a result:

1] As indicated earlier, the major connection method in my case is an
ethernet connection to my router, thence to my ISP's router. Can I still
use the format of your example, supplying my NIC interface in place of
tun* wherever it occurs?

   E.g. Your script: [oif="tun0"]
        My case:     [oif="nic0"]

2] Leading on from the above, is it safe then to exclude all references
to "dial-in" services as well?

Thanks again for your assistance and the information put together in the
link. I was very pleased to see other members taking the time to compile
such detailed and practical information for others.

Hope to hear from you again soon.

Stacey

On Thu, 2002-05-02 at 07:19, S. Roberts wrote:
> Thank you very much for the information and warning Joe.
>
> I'll have a look at what you've recommended here and try to implement
> some more advanced stateful rules and some logging.
>
> Thanks again for the assistance.
>
> Stacey
>
> On Thu, 2002-05-02 at 02:27, Joe & Fhe Barbish wrote:
> > Now all the parts fall into place. All your ipfw firewall rules need to be
> > changed so tun0 says sis0, especially the divert natd rule. You are
> > no longer using user ppp. If for backup purposes you want to keep the modem
> > and dial out to your ISP, then you have to have 2 different ipfw rule sets
> > and manually load the one that matches the modem dial method when you use
> > the modem. I see from your ipfw rules you are only using stateless rules and
> > simple stateful rules. Be forewarned: these rule types do not provide
> > adequate protection. You need to use advanced stateful rules. Read this
> > how-to for details on advanced stateful rules and how to set up logging.
> >
> > http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO
> >
> > -----Original Message-----
> > From: S. Roberts [mailto:sroberts@dsl.pipex.com]
> > Sent: Wednesday, May 01, 2002 6:57 PM
> > To: Joe & Fhe Barbish
> > Subject: RE: Firewall config and logs
> >
> > Hi Joe,
> > Let me be more detailed, if I can.
> >
> > FreeBSD nic ----> router ------> ADSL ISP
> >
> > I got the router (ethernet broadband with 4 10/100 ports) on my own, and
> > configured the router settings via http to its initial default internal
> > IP address. These settings included IP address details for my ISP's DNS
> > servers and username and password info.
> >
> > Also I set the router to accept dynamic external IP addresses from the
> > ISP.
> >
> > The simplicity I referred to earlier reflects the fact that as soon as I
> > set the default route to the new internal IP address I set for the router
> > (after removing the default shipped with the router), I found myself
> > able to ping the router, my ISP (then freebsd.org, yahoo etc.).
> >
> > After this, it was a simple matter of launching a browser and that was
> > it. Configuring Evolution to send and collect e-mail took longer :-)
> >
> > Hope that this explains the situation a bit more. Sorry if I was
> > ambiguous earlier.
> >
> > Let me know what you think of what I can do for enabling logging for my
> > firewall, okay?
> >
> > Thanks again.
> >
> > Stacey
> >
> > On Thu, 2002-05-02 at 00:47, Joe & Fhe Barbish wrote:
> > > You stated
> > > "I simply connected my router to the FreeBSD box, configured
> > > the router's ADSL configs, and that was it - connected."
> > > If by this you mean your FBSD nic card is connected to the router,
> > > then you are correct.
> > > If you are saying you can ping a public internet IP address from FBSD,
> > > then you have to provide more information about this router's ADSL
> > > configs and what it's doing for you. Did you tell the router your
> > > account name and password?
> > > Is it logging you on to the ADSL ISP?
> > >
> > > -----Original Message-----
> > > From: S. Roberts [mailto:sroberts@dsl.pipex.com]
> > > Sent: Wednesday, May 01, 2002 2:48 PM
> > > To: Joe & Fhe Barbish
> > > Subject: RE: Firewall config and logs
> > >
> > > Sorry about that, I only thought of the attachment format after sending
> > > the email!
> > >
> > > I should mention though - I'm not actually *using* ppp now, if that
> > > makes sense. I simply connected my router to the FreeBSD box, configured
> > > the router's ADSL configs, and that was it - connected.
> > >
> > > I have been concerned that I'm connecting this way, but could not work
> > > out what it is I would need to change in order to connect any other way.
> > > I found that the documentation at FreeBSD.org only contained info on
> > > using usb-connected modems, anyway.
> > >
> > > Hope that the info here helps, please let me know if you require further
> > > info, okay?
> > >
> > > Thanks for getting back to me.
> > >
> > > Stacey
> > >
> > > rc.conf:
> > > # Created: Mon Feb 11 01:25:58 2002
> > > # Enable network daemons for user convenience.
> > > # Please make all changes to this file, not to /etc/defaults/rc.conf.
> > > # This file now contains just the overrides from /etc/defaults/rc.conf.
> > > gateway_enable="YES"
> > > hostname="Demon.Strobe.org"
> > > kern_securelevel_enable="NO"
> > > keymap="uk.iso"
> > > linux_enable="YES"
> > > moused_enable="YES"
> > > moused_port="/dev/psm0"
> > > moused_type="auto"
> > > nfs_reserved_port_only="YES"
> > > saver="warp"
> > > sendmail_enable="YES"
> > > sshd_enable="YES"
> > > usbd_enable="YES"
> > > # -- sysinstall generated deltas -- # Mon Feb 11 03:13:00 2002
> > > kern_securelevel_enable="NO"
> > > sendmail_enable="YES"
> > > sshd_enable="YES"
> > > nfs_reserved_port_only="YES"
> > > usbd_enable="YES"
> > > usbd_flags=""
> > > usbd_enable="YES"
> > > usbd_flags=""
> > > firewall_enable="YES"
> > > firewall_script="/etc/firewall/fwrules"
> > > natd_enable="YES"
> > > natd_interface="tun0"
> > > natd_flags="-dynamic"
> > > ifconfig_sis0="DHCP"
> > > hostname="Demon.Strobe.org"
> > > $
> > >
> > > ppp.conf:
> > >
> > > # Ensure that "device" references the correct serial port
> > > # for your modem. (cuaa0 = COM1, cuaa1 = COM2)
> > > #
> > > set device /dev/cuaa1
> > >
> > > set speed 115200
> > > set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
> > >     \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
> > > set timeout 180               # 3 minute idle timer (the default)
> > > enable dns                    # request DNS info (for resolv.conf)
> > >
> > > papchap:
> > > #
> > > # edit the next three lines and replace the items in caps with
> > > # the values which have been assigned by your ISP.
> > > #
> > >
> > > set phone
> > > set authname
> > > set authkey
> > >
> > > set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
> > > add default HISADDR           # Add a (sticky) default route
> > > #
> > >
> > > Here're my rules:
> > > # Firewall Rules
> > > # Define Firewall Command
> > > fwcmd="/sbin/ipfw"
> > >
> > > # Force Flushing of Current Rule-Set Before Reload
> > > $fwcmd -f flush
> > >
> > > # Divert All Packets Through Tunnel Device
> > > $fwcmd add divert natd all from any to any via tun0
> > >
> > > # Block all incoming Fragmented packets
> > > $fwcmd add deny all from any to any in frag
> > >
> > > # Reject & Log all setup of incoming connections from outside
> > > $fwcmd add deny log tcp from any to any in via setup
> > >
> > > # Allow All Data from my NIC and Localhost
> > > $fwcmd add allow ip from any to any via lo0
> > > $fwcmd add allow ip from any to any via
> > >
> > > # Allow All Connections I Initiate
> > > $fwcmd add allow tcp from any to any out xmit setup
> > >
> > > # Once Connection Established, Allow To Stay Open
> > > $fwcmd add allow tcp from any to any via established
> > >
> > > # Send Reset To All Ident Packets
> > > # Allow Outgoing DNS Queries ONLY to These Specified Servers
> > > $fwcmd add allow udp from any to out xmit sis0
> > > $fwcmd add allow udp from any to 53 out xmit sis0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > > $fwcmd add allow udp from any to 53 out xmit tun0
> > >
> > > # Allow DNS Queries Back In With Results
> > > $fwcmd add allow udp from 53 to any in recv sis0
> > > $fwcmd add allow udp from 53 to any in recv sis0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > > $fwcmd add allow udp from 53 to any in recv tun0
> > >
> > > # Allow ICMP For PING and Traceroute
> > > $fwcmd add allow icmp from any to any
> > >
> > > # Deny The Rest
> > > $fwcmd add deny log ip from any to any
> > >
> > > On Wed, 2002-05-01 at 20:33, Joe & Fhe Barbish wrote:
> > > > You need to provide more info. Post your ipfw rules in the email body,
> > > > not in some format that nobody can read as an attached file. That's a
> > > > no-no in this questions list. Post complete rc.conf file, ppp.conf, and
> > > > your ipfw rules file.
> > > >
> > > > From what you stated I see no need for natd, you should be using -nat
> > > > of user ppp.
> > > > Read this www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO
> > > >
> > > > -----Original Message-----
> > > > From: owner-freebsd-questions@FreeBSD.ORG
> > > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of S. Roberts
> > > > Sent: Wednesday, May 01, 2002 1:44 PM
> > > > To: freebsd-questions@freebsd.org
> > > > Subject: Firewall config and logs
> > > >
> > > > Hello,
> > > > I have a question about my firewall configs.
> > > >
> > > > I've progressed from connecting over user ppp via a 56k dial-up external
> > > > modem with a firewall rule-set (and Portsentry as per the mention in
> > > > Unleashed) that I thought worked well enough.
> > > >
> > > > I've since moved on to connecting via DSL (dynamic IP) - PPPoE with a
> > > > new ISP. What I've done is simply *added* relevant entries to my
> > > > firewall rules so as to cater for new IP addresses provided by my new
> > > > ISP. I still have the dial-up account with the first ISP, I just don't
> > > > use it as often.
> > > >
> > > > Here's what I figured:
> > > > Seeing that I now connect via my nic, I might be able to remove entries
> > > > for tun0 in my rules and replace them with that for my nic card that's
> > > > connected to my router.
> > > >
> > > > What I found is that I could no longer ping my router, the nic, nor
> > > > anything over the Internet.
> > > >
> > > > I'm somewhat confused by this. If I'm using my nic, why should removing
> > > > entries for tun0 (previously set up for my serial modem) cause the
> > > > firewall to prevent connection?
> > > >
> > > > I'd appreciate someone clearing this up for me, please.
> > > >
> > > > Further to this, I would also be grateful for assistance in setting up
> > > > logging for my firewall operations (record entries of denied packets /
> > > > connection attempts). I've included a sanitized copy of my rules here
> > > > for clarity. Should you require more info, please let me know.
> > > >
> > > > Uname:
> > > > $ uname -a
> > > > FreeBSD 4.5-STABLE FreeBSD 4.5-STABLE #0: Sun Apr 28 12:24:07 BST
> > > > 2002 :/usr/src/sys/compile/IRON i386
> > > > $
> > > >
> > > > Firewall options in rc.conf:
> > > >
> > > > firewall_enable="YES"
> > > > firewall_script="/etc/firewall/fwrules"
> > > > natd_enable="YES"
> > > > natd_interface="tun0"
> > > > natd_flags="-dynamic"
> > > >
> > > > Thanks for the time,
> > > >
> > > > Stacey
> > > > --
> > > > Stacey Roberts B.Sc. (HONS) Computer Science
> > > > Network Systems Engineer
> > > --
> > > Stacey Roberts B.Sc. (HONS) Computer Science
> > > Network Systems Engineer
> > --
> > Stacey Roberts B.Sc. (HONS) Computer Science
> > Network Systems Engineer
> --
> Stacey Roberts B.Sc. (HONS) Computer Science
> Network Systems Engineer
--
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
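The rewrite Joe asks for (every tun0 becomes the router-facing NIC, the divert natd rule included, stateless rules replaced by check-state/keep-state ones, logging switched on) as a complete /etc/firewall/fwrules. This is an added example written for this thread in FreeBSD 4.x ipfw syntax; it is neither the HOWTO's rule set nor Stacey's. It assumes the NIC is sis0, that natd stays in use on it (so rc.conf's natd_interface must also change to "sis0"), an arbitrary verbose_limit of 100, and an FWCMD override that exists only so the script can be reviewed on a machine without ipfw:

```sh
#!/bin/sh
# /etc/firewall/fwrules for the "FreeBSD nic ----> router ------> ADSL ISP"
# layout, in FreeBSD 4.x ipfw syntax.  Added example for this thread, not the
# HOWTO's rule set.  Assumptions: the router-facing interface is sis0 (it was
# tun0 under user ppp), natd keeps running on it (natd_interface="sis0" in
# rc.conf, since gateway_enable is set), and logging is enabled through the
# net.inet.ip.fw.verbose sysctls.  A LAN interface, if this box has one, needs
# its own "allow ip from any to any via <lan-if>" rule ahead of rule 100.
oif="sis0"                    # every tun0 in the old rules becomes this
fwcmd="${FWCMD:-/sbin/ipfw}"  # FWCMD is only for reviewing the script elsewhere

# Emit the rule set as "<number> <rule>" lines and touch nothing.  Structure:
#   010-030  loopback, and nothing else may claim 127/8
#   100      inbound packets are translated by natd before any rule sees them
#   105      inbound fragments are dropped and logged, as in the old rules
#   110      a packet of a known session gets the action of the rule that
#            created the session (the skipto 800 below), so replies pass here
#   200-220  sessions this box or its LAN start; keep-state records them and
#            skipto 800 takes the packet to outbound NAT
#   300-320  anything else arriving on ${oif} is refused and logged
#   800-810  outbound NAT, then accept whatever reached this point
#   999      backstop
print_rules() {
    cat <<EOF
00010 allow ip from any to any via lo0
00020 deny log ip from any to 127.0.0.0/8
00030 deny log ip from 127.0.0.0/8 to any
00100 divert natd ip from any to any in via ${oif}
00105 deny log ip from any to any in via ${oif} frag
00110 check-state
00200 skipto 800 tcp from any to any out via ${oif} setup keep-state
00210 skipto 800 udp from any to any out via ${oif} keep-state
00220 skipto 800 icmp from any to any out via ${oif}
00300 deny log tcp from any to any in via ${oif} setup
00310 allow icmp from any to any in via ${oif} icmptypes 0,3,11
00320 deny log ip from any to any in via ${oif}
00800 divert natd ip from any to any out via ${oif}
00810 allow ip from any to any
00999 deny log ip from any to any
EOF
}

# Load the rules.  Logged matches go to syslog's security facility, which the
# stock 4.x syslog.conf writes to /var/log/security.  100 log lines per rule
# is an assumed limit; raise it if a busy rule goes quiet too soon.
apply_rules() {
    sysctl -w net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=100
    $fwcmd -q -f flush
    print_rules | while read -r num rule; do
        $fwcmd -q add "$num" $rule
    done
}

# "sh fwrules print" only shows the rules; run without that word (as
# rc.network runs firewall_script) they are installed.  Where ipfw does not
# exist, e.g. a machine used just to review the script, print instead.
if [ "${1:-}" = "print" ] || [ ! -x "$fwcmd" ]; then
    print_rules
else
    apply_rules
fi
```

Keeping the rules as data rather than a list of `$fwcmd add` commands is what makes Stacey's question 1] mechanically checkable: `sh fwrules print | grep tun0` must print nothing, and the same grep over rc.conf catches the natd_interface line. The second rule set Joe mentions for modem fallback is the same file with oif="tun0" and the divert rules dropped in favour of user ppp's -nat.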
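Stacey's second request was a record of denied packets and connection attempts. Once logging is on, every rule carrying `log` writes one syslog line per packet (up to verbose_limit), and /var/log/security quickly becomes too long to read by eye. The following is an added example, not part of the thread or the HOWTO, that summarises such lines with awk; the log lines are constructed for the example using RFC 5737 test addresses, 192.168.1.2 as the FreeBSD box's own address is an assumption, and the field layout follows what ipfw on FreeBSD 4.x writes:

```sh
#!/bin/sh
# Added example: triage of ipfw deny logs (/var/log/security on FreeBSD 4.x).
# SAMPLE_LOG is constructed for this example with RFC 5737 test addresses;
# 192.168.1.2 as the FreeBSD box's own address is an assumption.
# Field layout of a logged packet, as ipfw writes it:
#   ipfw: <rule> <Action> <Proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <if>
# ICMP lines carry type and code as "ICMP:<type>.<code>" and have no ports.
SAMPLE_LOG='May  3 21:10:02 Demon /kernel: ipfw: 300 Deny TCP 192.0.2.10:3421 192.168.1.2:22 in via sis0
May  3 21:10:02 Demon /kernel: ipfw: 300 Deny TCP 192.0.2.10:3422 192.168.1.2:23 in via sis0
May  3 21:10:03 Demon /kernel: ipfw: 300 Deny TCP 192.0.2.10:3423 192.168.1.2:80 in via sis0
May  3 21:12:41 Demon /kernel: ipfw: 999 Deny UDP 198.51.100.7:1026 192.168.1.2:137 in via sis0
May  3 21:15:09 Demon /kernel: ipfw: 999 Deny ICMP:8.0 203.0.113.9 192.168.1.2 in via sis0
May  3 21:15:10 Demon /kernel: ipfw: 300 Deny TCP 203.0.113.9:4001 192.168.1.2:22 in via sis0
May  3 21:16:00 Demon /kernel: ipfw: 999 Deny TCP 192.168.1.2:1044 198.51.100.7:25 out via sis0
May  3 21:16:30 Demon /kernel: ipfw: 200 Accept TCP 192.168.1.2:1045 198.51.100.7:80 out via sis0'

# Count logged denials of inbound packets per (source address, rule), most
# frequent first, as "<count> <source> <rule>".  Reads the files named as
# arguments, or stdin when none are given.  Outbound denials are left out:
# they are this box's own traffic and belong in a different list.
denied_inbound_by_source() {
    awk '
        /ipfw: [0-9]+ Deny / && / in via / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); proto = $(i + 3); src = $(i + 4)
            # TCP and UDP sources carry :port; ICMP ones do not
            if (proto == "TCP" || proto == "UDP") sub(/:[0-9]+$/, "", src)
            count[src " " rule]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Which TCP ports outsiders keep knocking on, as "<count> <port>", counting
# only inbound TCP packets the firewall denied.
probed_tcp_ports() {
    awk '
        /ipfw: [0-9]+ Deny TCP / && / in via / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            port = $(i + 5); sub(/^.*:/, "", port)
            count[port]++
        }
        END { for (p in count) print count[p], p }
    ' "$@" | sort -rn
}

# Demo on the constructed sample; pass /var/log/security to use real data.
printf '%s\n' "$SAMPLE_LOG" | denied_inbound_by_source
printf '%s\n' "$SAMPLE_LOG" | probed_tcp_ports
```

Keying the first summary on source and rule number tells you which rule did the work: hits on rule 300 are refused connection attempts, hits on the backstop are traffic nothing else described, which is where a gap in the rule set shows up first.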