From owner-freebsd-ipfw Tue Apr 16 11:24:38 2002
Delivered-To: freebsd-ipfw@freebsd.org
Date: Tue, 16 Apr 2002 11:22:54 -0700
Subject: Strange gateway issues
From: James O'Rourke
Sender: owner-freebsd-ipfw@FreeBSD.ORG

Hi,

I'm using a freebsd box as a gateway for an internal network. Configuration is like so:

<--- Internet ---> x.x.x.x (dynamic) FreeBSD 192.168.0.1 <------ LAN ------>
                                                            ------>
                                                            ------>

My problem is when I connect to certain sites from inside the LAN I get no response. my.yahoo.com is an example. After doing some packet sniffing, I notice that everything is as normal on making a connection with SYN, SYN ACK, ACK, ACK PSH all going through. When I make the GET request I get no response from my.yahoo.com for some reason. However, this does not occur when connecting from the gateway box. I thought this may have something to do with cookies, however that doesn't make sense to me. I'm using natd & ipfw and they are correctly configured from what I can see. It can't be a firewall problem or else surely I wouldn't be able to receive on the gateway box. The packets are exactly the same coming from inside the LAN as from the gateway box until I send the GET packet - I receive nothing back.
The other thing is that sometimes my.yahoo.com will work but then I can't access the links from my page. This one really has got me beat - well almost. Any suggestions? (copy of firewall script and natd.conf below)

----------------------------------
rc.firewall.current

#!/bin/sh
# Originally found at http://www.bsdtoday.com/2000/December/Features359.html
# By Peter Brezny
# Modifications done to support dynamic IP and default OS X configuration
# Available at: http://www3.sympatico.ca/dccote/firewall.html
#
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
###########################
# Note: This does not apply to Mac OS X
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
# gateway_enable="YES"
# firewall_enable="YES"
# firewall_script="/etc/rc.firewall.current"
# natd_enable="YES"
# natd_interface="***"      # replace with your external ifX
# natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
# Make sure logging is enabled (disabled by default)
# (integer comparison with -eq; "==" is not portable /bin/sh test syntax)
if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` -eq 0 ] ; then
  /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi
#
# Define your variables
#
#
fwcmd="/sbin/ipfw"      # leave as is if using ipfw
oif="ppp0"              # set to outside interface name (for DSL pppoe0 in 10.0.x, ppp0 in 10.1.x)
# set following line to outside ip address
# or leave as is for dynamic IP address)
# (match "inet " with a trailing space so an inet6 line does not also get picked up)
oip=`/sbin/ifconfig $oif | grep 'inet ' | awk '{ print $2 }'`;
onwr="$oip/8"           # set to outside network range
iif="en1"               # set to internal interface name
inwr="192.168.0.0/16"   # set to internal network range
iip="192.168.0.1"       # set to internal ip address
mail="207.69.200.246"   # mail server sometimes requires 113
ns1=207.69.188.185      # set to primary name server best if = oif
ns2=207.69.188.186      # set to primary name server best if = oif
ntp=17.254.0.27         # set to ip of NTP server or leave as is
ntp1=17.254.0.31        # set to ip of NTP server or leave as is
ntp2=17.254.0.26        # set to ip of NTP server or leave as is
###
# Rules with descriptions
#
# Basic rules: there is no need to modify anything in this first section.
# This is the bare minimum to block simple spoofing.
###
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
# (Seems to be necessary to put it here to make sure lookups are allowed ASAP)
# $fwcmd add allow udp from any 53 to $ns1 53 via $oif   (Good with dynamic rules)
# $fwcmd add allow udp from any 53 to $ns2 53 via $oif   (Good with dynamic rules)
$fwcmd add allow udp from any 53 to $oip via $oif
$fwcmd add allow udp from $oip to any 53 via $oif
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
# Stop from gnutella - out of hand
$fwcmd add deny log tcp from any to $oip 6346
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
#
###
# User rules: Some of the rules below are dependent on your configuration.
# They might require some adjustments. They are emphasized with the
# word "ADJUST".
###
# ADJUST: If you use NATD (for your 192.168.0.1 interface for instance)
# you must uncomment the following:
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# ADJUST: Allow incoming requests to reach the various services.
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
# If you have an internal interface (e.g. if you do not run NATd)
# uncomment the second line to enable AppleTalk on it.
# $fwcmd add allow tcp from any to $oip 22 setup
$fwcmd add allow tcp from any to $oip 21,22,80,548 setup
# $fwcmd add allow tcp from any to $iip 548 setup via $oif
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh, ftp and appletalk enabled by default.
# 21:ftp enabled by default
# 22:ssh enabled by default
# 23:telnet
# 25:smtp
# 110:pop
# 143:imap
# 80:http
# 443:ssl
# 548:appleshare enabled by default
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
$fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
# Allow time update traffic
$fwcmd add allow udp from $ntp to $oip
$fwcmd add allow udp from $ntp1 to $oip
$fwcmd add allow udp from $ntp2 to $oip
# Politely and quickly rejects AUTH requests (e.g. email and ftp)
$fwcmd add reset tcp from $mail to $oip 113
#
# Checks packets against dynamic rule set below.
# $fwcmd add check-state   (Does not work in OS X)
#
# Allow any traffic from firewall ip to any going out the
# external interface
# $fwcmd add allow ip from $oip to any keep-state out via $oif   (Does not work in OS X)
$fwcmd add allow ip from $oip to any out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
# $fwcmd add allow ip from $inwr to any keep-state via $iif   (Does not work in OS X)
$fwcmd add allow ip from $inwr to any via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

---------------------
natd.conf

interface ppp0
dynamic yes
use_sockets yes
same_ports yes
----------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
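A first-match simulator for the rule order in the posted rc.firewall.current, added here as an example (it is not the poster's code nor part of ipfw): it walks a packet through a subset of the rules above, in the script's order, and reports which rule decides it. The external address 203.0.113.7 and the 198.51.100.x hosts used in the lead-in's companion checks are constructed, and natd is modelled only as its outbound rewrite of a LAN source to the external address.

```python
"""First-match walk through a subset of the posted rc.firewall.current rules.
Addresses are constructed; the real script reads oip from ppp0 at run time."""
from ipaddress import ip_address, ip_network

OIP, OIF, IIF, INWR = "203.0.113.7", "ppp0", "en1", "192.168.0.0/16"  # oip is constructed
# (action, proto, src, sport, dst, dport, direction, via, tcp-flag), in the script's order.
# A leading "!" on an address means ipfw's "not"; None means the rule does not check it.
RULES = [
    ("allow",  "all",  "any", None, "any", None, None, "lo0", None),
    ("deny",   "all",  "any", None, "127.0.0.0/8", None, None, None, None),
    ("deny",   "ip",   INWR, None, "any", None, "in", OIF, None),          # LAN src arriving outside
    ("deny",   "ip",   "!" + INWR, None, "any", None, "in", IIF, None),    # non-LAN src on inside if
    ("deny",   "tcp",  "any", None, OIP, 6346, None, None, None),          # gnutella
    ("divert", "all",  "any", None, "any", None, None, OIF, None),         # natd
    ("allow",  "tcp",  "any", None, "any", None, None, None, "established"),
    ("allow",  "tcp",  "any", None, OIP, {21, 22, 80, 548}, None, None, "setup"),
    ("allow",  "icmp", "any", None, "any", None, None, None, None),
    ("allow",  "ip",   OIP, None, "any", None, "out", OIF, None),
    ("allow",  "ip",   INWR, None, "any", None, None, IIF, None),
    ("deny",   "ip",   "any", None, "any", None, None, None, None),        # rule 65435
]

def _addr_ok(spec, addr):
    if spec == "any":
        return True
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def _port_ok(spec, port):
    return spec is None or port in (spec if isinstance(spec, set) else {spec})

def first_match(proto, src, sport, dst, dport, direction, via, syn=False):
    """Return (rule index, action) of the first terminal rule the packet hits.
    divert only rewrites an outbound LAN source to oip; inbound reverse NAT is not simulated."""
    for i, (act, p, s, sp, d, dp, dr, ifc, flag) in enumerate(RULES):
        if p not in ("all", "ip", proto) or not (_addr_ok(s, src) and _addr_ok(d, dst)):
            continue
        if not (_port_ok(sp, sport) and _port_ok(dp, dport)):
            continue
        if (dr and dr != direction) or (ifc and ifc != via):
            continue
        if (flag == "setup" and not syn) or (flag == "established" and syn):
            continue
        if act == "divert":               # packet goes to natd, then matching resumes
            if direction == "out" and _addr_ok(INWR, src):
                src = OIP
            continue
        return i, act
    return len(RULES), "deny"             # ipfw's implicit default rule
```

Running a LAN SYN through both passes (in via en1, then out via ppp0) shows why the divert rule has to sit before the "allow ip from $oip ... out via $oif" rule: only the post-natd source address matches it.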