Date:      Sat, 06 Jan 2001 16:59:45 -0600
From:      Charlie Root <blaz@satx.rr.com>
To:        freebsd-questions@freebsd.org
Subject:   problems with nat/firewall
Message-ID:  <3A57A360.5B869480@satx.rr.com>

greetings,

I added the following to my kernel and rebuilt:

# ipfw packet filter; the rules in the firewall script are loaded through it
options IPFIREWALL
# needed for the "log" keyword used on the deny rules below
options IPFIREWALL_VERBOSE
# upper bound on how many packets one logging rule reports, so a flood of
# denied packets cannot drown syslog (reset with "ipfw resetlog" if needed)
options IPFIREWALL_VERBOSE_LIMIT=100
# divert sockets, required by the "divert natd" rule
options IPDIVERT


then I added to /etc/rc.conf:

# rc.conf: forward packets between the two interfaces and start ipfw + natd
# at boot.
gateway_enable="YES"
firewall_enable="YES"
# load the ruleset from this script instead of the stock /etc/rc.firewall
firewall_script="/etc/rc.firewall.new"

# natd sits on the cable-modem side; -dynamic lets it follow changes of the
# outside address (relevant since that address comes from DHCP)
natd_enable="YES"
natd_interface="xl0"
natd_flags="-dynamic"


then comes my rc.firewall.new script, which is where I am getting
confused.. not with the rules, but with the variables I need
to supply:

#######################################
# Site variables for the ruleset that follows.
# "outside" is the interface facing the cable modem, "inside" the LAN side.
# Each address/range value is expanded straight into ipfw arguments, so it
# must be a single token: an IP address or a network in a.b.c.d/prefix form.
#######################################
fwcmd="/sbin/ipfw"     # path to ipfw; keep as is unless using a wrapper

# outside (cable-modem) side
oif="oifx"             # outside interface name
onwr="a.b.c.d/24"      # outside network range (address/prefix)
oip="a.b.c.d"          # outside IP address

# inside (LAN) side
iif="ifx"              # internal interface name
inwr="x.y.z.x/24"      # internal network range (address/prefix)
iip="x.y.z.x"          # internal IP address

ns1="e.f.g.h"          # primary name server; template suggests the outside side
#ntp="i.j.k.l"         # NTP server address; uncomment together with the time rule

below is what I supplied, and when I try to ping
the local network I get TCP/IP denied..  it's blocking the packets,
and I don't think it's the rules, but the interface information.

I will supply the rules at the end, in case it is -- I am going
by an article I read on bsdtoday.com..  anyway here is what
I supplied:


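#######################################
# Values supplied for the rules below: outside = xl0 on the cable modem,
# inside = xl1 on the 192.168.2.x LAN.
# The author's own remarks on these values were loose lines between the
# assignments; they are kept here as comments so the file stays a valid
# shell script (a bare line such as "I am not sure about this.." would be
# executed as a command).
# NOTE(review): every value here is expanded unquoted into ipfw arguments.
# A value containing spaces ("my ip", "my name server") is split into
# several words, so the rule using it is not the rule that was intended.
# Each value must be one token: an IP address, a host name, or a.b.c.d/prefix.
#######################################
fwcmd="/sbin/ipfw"     # leave as is if using ipfw

oif="xl0"              # outside interface name
# author: "I am not sure about this.."
# NOTE(review): this is a netmask, not a network range; the template form is
# a.b.c.d/24 (the outside network address with its prefix length).  None of
# the rules below actually use $onwr, so it does no harm as written.
onwr="255.255.255.0"   # outside network range
# author: "I use DHCP, but supplied current IP -- this has to be wrong"
# NOTE(review): placeholder; the real value is a single dotted-quad.  Since
# the outside address comes from DHCP, a fixed value goes stale when the
# lease changes and the script then has to be re-run with the new address.
oip="my ip"            # outside ip address

iif="xl1"              # internal interface name
# NOTE(review): abbreviated form; the template writes the full x.y.z.x/24,
# so confirm ipfw accepts this spelling, otherwise use 192.168.2.0/24.
inwr="192.168.2/24"    # internal network range
iip="192.168.2.1"      # internal ip address
# NOTE(review): placeholder with spaces; must be one address or host name.
ns1="my name server"   # primary name server
ntp="clock.isc.org"    # NTP server; only referenced by the commented-out time rule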


I know I must have this screwed up :)  but here are my rules in
case it's not:


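# Rules with descriptions
#
# NOTE(review): the comment lines that were wrapped by the mail client
# ("interface.", "mode", "default.") have been rejoined; as bare lines they
# would have been executed as commands.
# Every address/interface variable is quoted when expanded so each one
# reaches ipfw as exactly one argument (a value with spaces would otherwise
# be split into several).  $fwcmd is deliberately left unquoted so it may
# carry flags.  The variables must be set before this point; abort with a
# clear message rather than load a half-broken ruleset.
: "${fwcmd:?fwcmd (path to ipfw) must be set}"
: "${oif:?oif (outside interface) must be set}"
: "${iif:?iif (internal interface) must be set}"
: "${inwr:?inwr (internal network range) must be set}"
: "${oip:?oip (outside ip address) must be set}"
: "${ns1:?ns1 (primary name server) must be set}"
#
#       Force a flush of the current firewall rules before we reload
        $fwcmd -f flush
#
#       Allow your loop back to work
        $fwcmd add allow all from any to any via lo0
#
#       Prevent spoofing of your loopback
        $fwcmd add deny log all from any to 127.0.0.0/8
#
#       Stop spoofing of your internal network range
        $fwcmd add deny log ip from "$inwr" to any in via "$oif"
#
#       Stop spoofing from inside your private ip range
        $fwcmd add deny log ip from not "$inwr" to any in via "$iif"
#
#       Stop private networks (RFC1918) from entering the outside
#       interface.  These anti-spoofing rules are listed ahead of the
#       divert rule on purpose: they see the packet as it arrived on the
#       wire, before natd rewrites any address.
        $fwcmd add deny log ip from 192.168.0.0/16 to any in via "$oif"
        $fwcmd add deny log ip from 172.16.0.0/12 to any in via "$oif"
        $fwcmd add deny log ip from 10.0.0.0/8 to any in via "$oif"
        $fwcmd add deny log ip from any to 192.168.0.0/16 in via "$oif"
        $fwcmd add deny log ip from any to 172.16.0.0/12 in via "$oif"
        $fwcmd add deny log ip from any to 10.0.0.0/8 in via "$oif"
#
#       Stop draft-manning-dsua-01.txt nets on the outside interface
        $fwcmd add deny all from 0.0.0.0/8 to any in via "$oif"
        $fwcmd add deny all from 169.254.0.0/16 to any in via "$oif"
        $fwcmd add deny all from 192.0.2.0/24 to any in via "$oif"
        $fwcmd add deny all from 224.0.0.0/4 to any in via "$oif"
        $fwcmd add deny all from 240.0.0.0/4 to any in via "$oif"
        $fwcmd add deny all from any to 0.0.0.0/8 in via "$oif"
        $fwcmd add deny all from any to 169.254.0.0/16 in via "$oif"
        $fwcmd add deny all from any to 192.0.2.0/24 in via "$oif"
        $fwcmd add deny all from any to 224.0.0.0/4 in via "$oif"
        $fwcmd add deny all from any to 240.0.0.0/4 in via "$oif"
#
#       Divert all packets through natd
        $fwcmd add divert natd all from any to any via "$oif"
#
#       Allow all established connections to persist (setup required
#       for new connections).
#       NOTE(review): ipfw's "established" matches on the TCP flag bits of
#       each packet; it does not track connections.  Actual flow tracking
#       is done by the check-state / keep-state rules further down.
        $fwcmd add allow tcp from any to any established
#
#       Allow incoming requests to reach the following services:
#       To allow multiple services you may list them separated
#       by a comma, for example ...to $oip 22,25,110,80 setup
        $fwcmd add allow tcp from any to "$oip" 22 setup
#
#       NOTE: you may have to change your client to passive or active
#       mode to get ftp to work once enabled, only ssh enabled by
#       default.
#       21:ftp
#       22:ssh          enabled by default
#       23:telnet
#       25:smtp
#       110:pop
#       143:imap
#       80:http
#       443:ssl
#
#       Allow icmp packets for diagnostic purposes (ping traceroute)
#       you may wish to leave commented out.
#       $fwcmd add allow icmp from any to any
#
#       Allow required ICMP
        $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
#       Allow DNS traffic from internet to query your DNS (for reverse
#       lookups etc).
#       NOTE(review): this rule keys on the *source* port only -- any UDP
#       datagram with source port 53 reaches $ns1 port 53, whoever sent it.
#       That is what server-to-server DNS looks like, but it is not a check
#       on who is talking.
        $fwcmd add allow udp from any 53 to "$ns1" 53
#
#       Allow time update traffic
#       $fwcmd add allow udp from "$ntp" 123 to "$oip" 123
#
#       Checks packets against dynamic rule set below.
        $fwcmd add check-state
#
#       Allow any traffic from firewall ip to any going out the
#       external interface
        $fwcmd add allow ip from "$oip" to any keep-state out via "$oif"
#
#       Allow any traffic from local network to any passing through the
#       internal interface
        $fwcmd add allow ip from "$inwr" to any keep-state via "$iif"
#
#       Deny everything else.  The explicit number keeps this catch-all
#       just ahead of the kernel's own default rule; "log" means every
#       drop is recorded, so `$fwcmd -a list` (per-rule packet counters)
#       together with the logged denies is the first place to look when
#       something is being blocked.
        $fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.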






