From owner-freebsd-questions@FreeBSD.ORG  Mon Feb  2 07:28:57 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 770A416A4CE
	for <freebsd-questions@FreeBSD.ORG>;
	Mon,  2 Feb 2004 07:28:57 -0800 (PST)
Received: from mta11.adelphia.net (mta11.adelphia.net [68.168.78.205])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6B9B543D46
	for <freebsd-questions@FreeBSD.ORG>;
	Mon,  2 Feb 2004 07:28:37 -0800 (PST)
	(envelope-from Barbish3@adelphia.net)
Received: from barbish ([68.169.105.190]) by mta11.adelphia.net
          (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP
          id <20040202152832.SLLF11898.mta11.adelphia.net@barbish>;
          Mon, 2 Feb 2004 10:28:32 -0500
From: "JJB" <Barbish3@adelphia.net>
To: <dwamenae@gco.apana.org.au>, <freebsd-questions@FreeBSD.ORG>
Date: Mon, 2 Feb 2004 10:28:30 -0500
Message-ID: <MIEPLLIBMLEEABPDBIEGCEJAFHAA.Barbish3@adelphia.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <200402022344.36084.dwamenae@gco.apana.org.au>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Subject: RE: Which interface do I put natd and ipfw 
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Barbish3@adelphia.net
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2004 15:28:57 -0000

Hello Friend

You only NAT the public internet facing interface, tun0 is your
case.

You should turn on user ppp -nat function and not use the ipfw
divert rule command because, ipfw stateful rules does not work when
used with ipfw's legacy divert rule which launches the sub-routine
call to NATD.

FBSD also comes with IPFILTER, another firewall software
application. It's stateful rules work correctly with it's external
ipnat function and can be configured to use tun0. I have sample if
you are interested.

Here is an ipfw stateful  Inclusive Rule Set

The following rule set is an complete very secure 'inclusive' type
of firewall rule set that I have used on my system. You can not go
wrong using this rule set for you own. Just comment out any pass
rules for services to don't want.

If you see messages in your log that you want to stop seeing just
add an deny rule in the inbound section.

You will see the pattern in the usage of these rules.
1. All statements that are a request to start an session to the
public internet use keep-state.
2. All the authorized services that originate from the public
internet have the limit option to stop flooding.
3. All rules use in or out to clarify direction.
4. All rules use via interface name to specify the interface the
packet is traveling over.


Add the following statements to /etc/ipfw.rules


################  Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

pif="tun0"        # interface name
                 # facing the public internet


#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################

$cmd 00005 allow all from any to any via ed0


#################################################################
# No restrictions on Loopback Interface
#################################################################

$cmd 00010 allow all from any to any via lo0


#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
#################################################################

$cmd 00015 check-state


#################################################################
# Interface facing Public internet  (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################


# Allow out access to my ISP's Domain name server.
# xxx.xxx.xxx.xxx must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp  from any to xxx.xxx.xxx.xxx 53 out via $pif
setup keep-state
$cmd 00111 allow udp  from any to xxx.xxx.xxx.xxx 53 out via $pif
keep-state


# Allow out access to my ISP's DHCP server for cable or DSL
configurations.
# This rule is not needed for 'user ppp' type connection to the
public internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to xxx.xxx.xxx.xxx 67 out via $pif
keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp  from any to any 80  out via $pif setup
keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp  from any to any 443  out via $pif setup
keep-state

# Allow out send & get email function
$cmd 00230 allow tcp  from any to any 25  out via $pif setup
keep-state
$cmd 00231 allow tcp  from any to any 110 out via $pif setup
keep-state

# Allow out FBSD (make install & CVSUP)  functions
# Basically give user root  "GOD"  privileges.
$cmd 00240 allow tcp  from me to any  out via $pif setup keep-state
uid root

# Allow out ping
$cmd 00250 allow icmp from any to any  out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp  from any to any 37  out via $pif setup
keep-state

# Allow out nntp news (IE: news groups)
$cmd 00270 allow tcp  from any to any 119 out via $pif setup
keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH  (secure shell)
$cmd 00280 allow tcp  from any to any 22 out via $pif setup
keep-state

# Allow out whois
$cmd 00290 allow tcp  from any to any 43 out via $pif setup
keep-state

# deny and log everything else that's trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif


#################################################################
# Interface facing Public internet  (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################


# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16  to any in via $pif   #RFC
1918 private IP
$cmd 00301 deny all from 172.16.0.0/12   to any in via $pif   #RFC
1918 private IP
$cmd 00302 deny all from 10.0.0.0/8      to any in via $pif   #RFC
1918 private IP
$cmd 00303 deny all from 127.0.0.0/8     to any in via $pif
#loopback
$cmd 00304 deny all from 0.0.0.0/8       to any in via $pif
#loopback
$cmd 00305 deny all from 169.254.0.0/16  to any in via $pif   #DHCP
auto-config
$cmd 00306 deny all from 192.0.2.0/24    to any in via $pif
#reserved for doc's
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif   #Sun
cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3     to any in via $pif   #Class
D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.

#$cmd 00360 allow udp from any to xxx.xxx.xxx.xxx 67 in via $pif
keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit
src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit
src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit
src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any  in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

################  End of IPFW rules file
###############################

You have to use an crossover cable to connect your single Lan pc to
your FBSD gateway pc.


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Emmanuel
Dwamena
Sent: Monday, February 02, 2004 7:45 AM
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Which interface do I put natd and ipfw

Dear friends,
I need help to set up firewall on my freebsd 5.1 box. I have built
new kernel
with ipfw enabled and is working fine.
I need to know which of the 3 interfaces do I put the natd and ipfw.
My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1
connects to
adsl modem. I use user ppp to setup the connection to the isp who
assigns
dynamic ip address to the tun0 interface. I have no ip address
assigned to
ed1. I have traffc coming in through the tun0 from outside  to the
LAN. Which
of the interfaces do I use to block unwanted traffic from the
internet.- ed1
or tun0? How do I configure the tun0 interface for the firewall
since I do
not know the interface address before hand? Secondly which interface
do I
place natd?
If anyone has configured adsl with dynamic ip address assigned to
tun0 I will
like to have some info about how it was configured with ipfw.
regds
ed
--
email: dwamenae@gco.apana.org.au

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"