Date:      Sat, 4 Aug 2001 13:20:15 +0200
From:      "Alfatrion" <alfatrion@cybertron.tmfweb.nl>
To:        <dcarmich@ourservers.net>, <freebsd-security@freebsd.org>, <freebsd-questions@freebsd.org>
Subject:   Re: Can't access the Internet from behind a 192.168.1.x net using natd
Message-ID:  <010f01c11cd7$72db3700$231fa8c0@kruijff>
References:  <200108040928.f749SH400571@nightfly.ourservers.net>

Try solving your problem in a couple of small steps instead of one large one.
1) Just focus on the connection to the internet from your FreeBSD (router)
computer without a firewall. 2) If that works, focus on the computer behind your
router. 3) Focus on your firewall. This way it's much easier to spot the
problem.

It would also help to get two network cards instead of one. It simplifies
the whole thing.

Alex

P.S. I don't fully understand your problem and have

----- Original Message -----
From: "Douglas Carmichael" <dcarmich@ourservers.net>
To: <freebsd-security@freebsd.org>; <freebsd-questions@freebsd.org>
Sent: Saturday, August 04, 2001 11:28 AM
Subject: Can't access the Internet from behind a 192.168.1.x net using natd


> Version: 4.3-RELEASE
> Scenario:
>
> tun0 - user-PPP based connection via a modem, IP: 205.253.153.129
> xl0 - local Ethernet, IP: 192.168.1.1 (client IP: 192.168.1.2)
>
> I bring up the PPP interface with ppp -auto xnet (my system name in
> /etc/ppp/ppp.conf) and I can access the net both locally from the FreeBSD
> system and from my Ethernet-attached client after a 'nat enable yes'
> command. However, even if I dial from the ppp command prompt and _then_
> start natd (i.e. 'natd -dynamic -interface tun0 -unregistered_only'), no
> packets go across the external interface.
>
> Here's one set of firewall rules I tried:
> # Simple stateful network firewall rules for IPFW with NAT v. 1.01
> # See bottom of file for instructions and description of rules
> # Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
> # deal of help from freebsd-security@freebsd.org).  Specific questions
> # about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
> # more general security questions to freebsd-security@freebsd.org.
> # Use this script at your own risk.
> #
> # if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
> # calculator can help you. /usr/ports/net/ipsc-0.4.2
> #
> ###########################
> #
> # Brief Installation instructions
> #
> #       Name this script /etc/rc.firewall.current
> #       Edit /etc/rc.conf to include
> #               gateway_enable="YES"
> #               firewall_enable="YES"
> #               firewall_script="/etc/rc.firewall.current"
> #               natd_enable="YES"
> #               natd_interface="***"  #replace with your external ifX
> #               natd_flags="-dynamic"
> #       Make sure your kernel is configured to handle ipfw and natd
> #       See the FreeBSD handbook on how to do this.
> #
> ############################
> #
> # Define your variables
> #
> fwcmd="/sbin/ipfw"      #leave as is if using ipfw
> oif="tun0"              #set to outside interface name
> oip="205.253.153.129"           #set to outside ip address
>
> iif="xl0"               #set to internal interface name
> inwr="192.168.1.0/24"       #set to internal network range
> iip="192.168.1.1"           #set to internal ip address
>
> ns1="198.147.221.34"           #set to primary name server best if = oif
> #ntp="i.j.k.l"          #set to ip of NTP server or leave as is
>
> #
> # End of required user input if you only intend to allow ssh connections to
> # this box from the outside. If other services are required, edit line 96
> # as necessary.
> #
> # Rules with descriptions
> #
> #
> #       Force a flush of the current firewall rules before we reload
>         $fwcmd -f flush
> #
> #       Allow your loop back to work
>         $fwcmd add allow all from any to any via lo0
> #
> #       Prevent spoofing of your loopback
>         $fwcmd add deny log all from any to 127.0.0.0/8
> #
> #       Stop spoofing of your internal network range
>         $fwcmd add deny log ip from $inwr to any in via $oif
> #
> #       Stop spoofing from inside your private ip range
>         $fwcmd add deny log ip from not $inwr to any in via $iif
> #
> #       Stop private networks (RFC1918) from entering the outside interface.
>         $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
>         $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
>         $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
>         $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
>         $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
>         $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
> #
> #       Stop draft-manning-dsua-01.txt nets on the outside interface
>         $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
>         $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
>         $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
>         $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
>         $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
>         $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
>         $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
>         $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
>         $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
>         $fwcmd add deny all from any to 240.0.0.0/4 in via $oif
> #
> #       Divert all packets through natd
>         $fwcmd add divert natd all from any to any via $oif
> #
> #       Allow all established connections to persist (setup required
> #       for new connections).
>         $fwcmd add allow tcp from any to any established
> #
> #       Allow incoming requests to reach the following services:
> #       To allow multiple services you may list them separated
> #       by a comma, for example ...to $oip 22,25,110,80 setup
>         $fwcmd add allow tcp from any to $oip 22 setup
> #
> #       NOTE: you may have to change your client to passive or active mode
> #               to get ftp to work once enabled, only ssh enabled by default.
> #       21:ftp
> #       22:ssh          enabled by default
> #       23:telnet
> #       25:smtp
> #       110:pop
> #       143:imap
> #       80:http
> #       443:ssl
> #
> #       Allow icmp packets for diagnostic purposes (ping traceroute)
> #       you may wish to leave commented out.
> #       $fwcmd add allow icmp from any to any
> #
> #       Allow required ICMP
>         $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
> #
> #       Allow DNS traffic from internet to query your DNS (for reverse
> #       lookups etc).
>         $fwcmd add allow udp from any 53 to $ns1 53
> #
> #       Allow time update traffic
> #       $fwcmd add allow udp from $ntp 123 to $oip 123
> #
> #       Checks packets against dynamic rule set below.
>         $fwcmd add check-state
> #
> #       Allow any traffic from firewall ip to any going out the
> #       external interface
>         $fwcmd add allow ip from $oip to any keep-state out via $oif
> #
> #       Allow any traffic from local network to any passing through the
> #       internal interface
>         $fwcmd add allow ip from $inwr to any keep-state via $iif
> #
> #       Deny everything else
>         $fwcmd add 65435 deny log ip from any to any
> #
> #####################################################
> #
> # End firewall script.
>
> I also tried the 'client' set of rules from the default /etc/rc.firewall:
>         ############
>         # This is a prototype setup that will protect your system somewhat
>         # against people from outside your own network.
>         ############
>
>         # set these to your network and netmask and ip
>         net="192.168.1.0"
>         mask="255.255.255.0"
>         ip="192.168.1.1"
>
>         # Allow any traffic to or from my own net.
>         ${fwcmd} add pass all from ${ip} to ${net}:${mask}
>         ${fwcmd} add pass all from ${net}:${mask} to ${ip}
>
>         # Allow TCP through if setup succeeded
>         ${fwcmd} add pass tcp from any to any established
>
>         # Allow IP fragments to pass through
>         ${fwcmd} add pass all from any to any frag
>
>         # Allow setup of incoming email
>         ${fwcmd} add pass tcp from any to ${ip} 25 setup
>
>         # Allow setup of outgoing TCP connections only
>         ${fwcmd} add pass tcp from ${ip} to any setup
>
>         # Disallow setup of all other TCP connections
>         ${fwcmd} add deny tcp from any to any setup
>
>         # Allow DNS queries out in the world
>         ${fwcmd} add pass udp from ${ip} to any 53 keep-state
>
>         # Allow NTP queries out in the world
>         ${fwcmd} add pass udp from ${ip} to any 123 keep-state
>
>         # Everything else is denied by default, unless the
>         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>         # config file.
>         ;;
>
> None of them worked.
>
> What could be the problem? Any comments are welcome.
>
> PS: When I tried just using 'nat enable yes' and doing packet filtering
> with the 'set filter' commands, the filtering did not have any effect.
> (i.e. I could still telnet out even after filtering TCP port 23.)
> Any ideas?
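As an added illustration (not code from either message): the toy evaluator below walks an ipfw-style rule list with the first-match semantics both quoted rulesets rely on. ipfw inspects a forwarded packet twice, once inbound on xl0 and once outbound on tun0, and a `divert natd` rule hands the packet to natd and then resumes at the rule after the divert. The evaluator handles only the keywords the quoted rules use, does not model keep-state/check-state dynamic rules, and stands in for `natd -unregistered_only` with a plain rewrite of private source addresses to the tun0 address (the `nat_ip` argument). The client host 192.168.1.2, the web server address 203.0.113.10 and the rule excerpts are constructed from the figures in the thread.

```python
# Added example (not from the thread): a toy first-match evaluator for ipfw-style
# rules.  Only the keywords used below are modelled; dynamic rules are not.
import ipaddress
from dataclasses import dataclass, replace
from types import SimpleNamespace

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = ""          # interface the packet crosses
    flags: tuple = ()        # "in"/"out", "setup", "established", "frag"

def _addr_match(spec, addr):
    """'any', 'not X', a.b.c.d, a.b.c.d/nn or the old a.b.c.d:mask form."""
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    net = ipaddress.ip_network(spec.replace("not ", "").replace(":", "/"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def _addr(t, i):
    # address spec at t[i] (optional "not"), followed by an optional port list
    spec, i = ("not " + t[i + 1], i + 2) if t[i] == "not" else (t[i], i + 1)
    if i < len(t) and t[i][0].isdigit():
        return spec, {int(p) for p in t[i].split(",")}, i + 1
    return spec, set(), i

def parse_rule(text):
    t = [w for w in text.split() if w not in ("add", "log", "keep-state")]  # no-ops here
    if t[0].isdigit():
        t.pop(0)                                     # optional rule number
    r = SimpleNamespace(text=text, action={"pass": "allow"}.get(t[0], t[0]), proto="all",
                        src="any", dst="any", sport=set(), dport=set(), via="", flags=set())
    if r.action == "check-state":
        return r
    i = 2 if r.action == "divert" else 1             # "divert natd" also names its port
    r.proto = "all" if t[i] == "ip" else t[i]        # t[i + 1] is "from"
    r.src, r.sport, i = _addr(t, i + 2)
    r.dst, r.dport, i = _addr(t, i + 1)              # t[i] was "to"
    while i < len(t):
        o, i = t[i], i + 1
        if o == "via":
            r.via, i = t[i], i + 1
        elif o in ("setup", "established", "frag", "in", "out"):
            r.flags.add(o)
        else:
            raise ValueError(f"unsupported keyword {o!r} in {text!r}")
    return r

def matches(r, p):
    return (r.proto in ("all", p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (not r.sport or p.sport in r.sport) and (not r.dport or p.dport in r.dport)
            and (not r.via or r.via == p.iface)
            and r.flags <= set(p.flags))

def evaluate(rules, p, nat_ip=None):
    """First match wins.  A divert hands the packet to natd and the rewritten packet
    re-enters at the *next* rule; nat_ip is a constructed stand-in for natd."""
    trace = []
    for r in rules:
        if r.action == "check-state" or not matches(r, p):
            continue
        trace.append(r.text)
        if r.action != "divert":
            return r.action, trace
        if nat_ip and "out" in p.flags and ipaddress.ip_address(p.src).is_private:
            p = replace(p, src=nat_ip)               # natd -unregistered_only, simplified
    return "deny", trace                             # ipfw's implicit final deny

# The TCP part of the quoted "client" rules from /etc/rc.firewall, variables expanded.
CLIENT_RULES = [parse_rule(s) for s in (
    "add pass all from 192.168.1.1 to 192.168.1.0:255.255.255.0",
    "add pass all from 192.168.1.0:255.255.255.0 to 192.168.1.1",
    "add pass tcp from any to any established",
    "add pass tcp from 192.168.1.1 to any setup",
    "add deny tcp from any to any setup",
)]
# Excerpt of the quoted NAT script: the rules a forwarded TCP SYN can reach.
NAT_RULES = [parse_rule(s) for s in (
    "add deny log ip from not 192.168.1.0/24 to any in via xl0",
    "add divert natd all from any to any via tun0",
    "add allow tcp from any to any established",
    "add check-state",
    "add allow ip from 205.253.153.129 to any keep-state out via tun0",
    "add allow ip from 192.168.1.0/24 to any keep-state via xl0",
    "add 65435 deny log ip from any to any",
)]

def forward_path(rules, nat_ip=None):
    """Constructed SYN from the LAN client to a web server, seen by ipfw twice."""
    def syn(iface, direction):
        return Packet("tcp", "192.168.1.2", "203.0.113.10", 51000, 80, iface, ("setup", direction))
    v_in, t_in = evaluate(rules, syn("xl0", "in"), nat_ip)
    v_out, t_out = evaluate(rules, syn("tun0", "out"), nat_ip)
    return v_in, v_out, t_in + t_out
```

Run against the client ruleset, the SYN from 192.168.1.2 is denied on its first pass by `deny tcp from any to any setup`, because the only pass-setup rule is keyed to `${ip}`, the router's own address, and nothing in that list matches forwarded traffic. Run against the NAT excerpt with `nat_ip="205.253.153.129"`, it is allowed in on xl0, diverted on tun0 and, once its source reads 205.253.153.129, allowed out by the `from $oip ... out via $oif` rule. Call `forward_path(NAT_RULES)` without a rewrite and the same packet falls through to the final deny: the allow after the divert only works on translated traffic, and in the real kernel a packet diverted to a port that nothing listens on is dropped, so natd has to be running and bound to the port the divert rule names.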


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?010f01c11cd7$72db3700$231fa8c0>