Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 16 Apr 2002 11:22:54 -0700
From:      James O'Rourke <jamesworourke@hotmail.com>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Strange gateway issues
Message-ID:  <B8E1BA0E.140D%jamesworourke@hotmail.com>

Next in thread | Raw E-Mail | Index | Archive | Help

Hi,

I'm using a freebsd box as a gateway for an internal network.

Configuration is like so:


<---Internet ---->x.x.x.x (dynamic) FreeBSD 192.168.0.1 <------ LAN ------>
                                                                ------>
                                                                ------>


My problem is when I connect to certain sites from inside the lan I get now
reponse. My.yahoo.com is an example. After doing some packet sniffing, I
notice that everything is as normal on making a connection with SYN, SYN
ACK, ACK, ACK PSH all going through. When I make the GET request I get no
response from my.yahoo.com for some reason. However, this does not occur
when connecting from the gateway box. I thought this may have something to
do with cookies however that doesn't make sense to me.

I'm using natd & ipfw and they are correctly configured from what I can see.
It can't be a firewall problem or else surely I wouldn't be able to receive
on the gateway box. The packets are exactly the same coming from inside the
LAN as from the gateway box until I send the GET package - I receive nothing
back. The other thing is that sometimes the my.yahoo.com will work but then
I can't access the links from my page.

This one really has got me beat - well almost. Any suggestions. (copy of
firewall script and natd.conf below:


----------------------------------
rc.firewall.current


#!/bin/sh
# Originally found at http://www.bsdtoday.com/2000/December/Features359.html
# By Peter Brezny
# Modifications done to support dynamic IP and default OS X configuration
# Available at: http://www3.sympatico.ca/dccote/firewall.html
#
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org).  Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
###########################
# Note: This does not apply to Mac OS X
#
# Brief Installation instructions
#
#    Name this script /etc/rc.firewall.current
#    Edit /etc/rc.conf to include
#        gateway_enable="YES"
#        firewall_enable="YES"
#        firewall_script="/etc/rc.firewall.current"
#        natd_enable="YES"
#        natd_interface="***"  #replace with your external ifX
#        natd_flags="-dynamic"
#    Make sure your kernel is configured to handle ipfw and natd
#    See the FreeBSD handbook on how to do this.
#
############################
# Make sure logging is enabled (disabled by default)
if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` == 0 ] ; then
        /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi

#
# Define your variables
#
#
fwcmd="/sbin/ipfw"    # leave as is if using ipfw
oif="ppp0"        # set to outside interface name (for DSL pppoe0 in 10.0.x,
ppp0 in 10.1.x)
            # set following line to outside ip address
            # or leave as is for dynamic IP address)
oip=`/sbin/ifconfig $oif| grep inet | awk '{ print $2 }'`;
onwr="$oip/8"        #set to outside network range
iif="en1"        #set to internal interface name
inwr="192.168.0.0/16"    #set to internal network range
iip="192.168.0.1"    #set to internal ip address
mail="207.69.200.246" # mail server sometimes requires 113

ns1=207.69.188.185    #set to primary name server best if = oif
ns2=207.69.188.186    #set to primary name server best if = oif
ntp=17.254.0.27        #set to ip of NTP server or leave as is
ntp1=17.254.0.31    #set to ip of NTP server or leave as is
ntp2=17.254.0.26    #set to ip of NTP server or leave as is
###
# Rules with descriptions
#
#       Basic rules: there is no need to modify anything in this first
section.
#       This is the bare minimum to block simple spoofing.
###
#
#    Force a flush of the current firewall rules before we reload
    $fwcmd -f flush

#    Allow your loop back to work
    $fwcmd add allow all from any to any via lo0

#    Prevent spoofing of your loopback
    $fwcmd add deny log all from any to 127.0.0.0/8


#    Allow DNS traffic from internet to query your DNS (for reverse
#    lookups etc).
#    (Seems to be necessary to put it here to make sure lookups are allowed
ASAP)
#    $fwcmd add allow udp from any 53 to $ns1 53 via $oif (Good with dynamic
rules)
#    $fwcmd add allow udp from any 53 to $ns2 53 via $oif (Good with dynamic
rules)
    $fwcmd add allow udp from any 53 to $oip via $oif
    $fwcmd add allow udp from $oip to any 53 via $oif

#
#    Stop spoofing of your internal network range
    $fwcmd add deny log ip from $inwr to any in via $oif
#
#    Stop spoofing from inside your private ip range
    $fwcmd add deny log ip from not $inwr to any in via $iif

#     Stop from gnutella - out of hand

    $fwcmd add deny log tcp from any to $oip 6346
#
#    Stop private networks (RFC1918) from entering the outside interface.
    $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
    $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
    $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
    $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
    $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
    $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
#     Stop draft-manning-dsua-01.txt nets on the outside interface
    $fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
    $fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
    $fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
    $fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
    $fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
    $fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
    $fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
    $fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
    $fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
    $fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
#
###
#       User rules: Some of the rules below are dependent on your
configuration.
#       They might require some adjustments. They are emphasized with the
#       word "ADJUST".
###
#     ADJUST: If you use NATD (for your 192.168.0.1 interface for instance)
#     you must uncomment the following:
#    Divert all packets through natd
    $fwcmd add divert natd all from any to any via $oif

#
#    Allow all established connections to persist (setup required
#    for new connections).
    $fwcmd add allow tcp from any to any established

#
#    ADJUST: Allow incoming requests to reach the various services.
#    To allow multiple services you may list them separated
#    by a coma, for example ...to $oip 22,25,110,80 setup
#    If you have an internal interface (e.g. if you do not run NATd)
#    uncomment the second line to enable AppleTalk on it.
#    $fwcmd add allow tcp from any to $oip 22 setup
    $fwcmd add allow tcp from any to $oip 21,22,80,548 setup
#    $fwcmd add allow tcp from any to $iip 548 setup via $oif
    
#
#    NOTE: you may have to change your client to passive or active mode
#    to get ftp to work once enabled, only ssh, ftp and appletalk enabled by
default.
#    21:ftp            enabled by default
#    22:ssh            enabled by default
#    23:telnet
#    25:smtp
#    110:pop
#    143:imap
#    80:http
#    443:ssl
#    548:appleshare    enabled by default

#
#    Allow icmp packets for diagnostic purposes (ping traceroute)
#    you may wish to leave commented out.
    $fwcmd add allow icmp from any to any
#
#    Allow required ICMP
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
#    Allow time update traffic
    $fwcmd add allow udp from $ntp  to $oip
    $fwcmd add allow udp from $ntp1  to $oip
    $fwcmd add allow udp from $ntp2  to $oip

#    Politely and quickly rejects AUTH requests (e.g. email and ftp)
    $fwcmd add reset tcp from $mail to $oip 113
#
#    Checks packets against dynamic rule set below.
#    $fwcmd add check-state (Does not work in OS X)
#
#    Allow any traffic from firewall ip to any going out the
#    external interface
#    $fwcmd add allow ip from $oip to any keep-state out via $oif (Does not
work in OS X)
    $fwcmd add allow ip from $oip to any out via $oif
#
#    Allow any traffic from local network to any passing through the
#    internal interface
#    $fwcmd add allow ip from $inwr to any keep-state via $iif (Does not
work in OS X)
    $fwcmd add allow ip from $inwr to any via $iif

#
#    Deny everything else
    $fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

---------------------


natd.conf

interface ppp0
dynamic yes
use_sockets yes
same_ports yes


----------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?B8E1BA0E.140D%jamesworourke>