Date:      Wed, 21 Jan 2004 18:52:34 +0000
From:      Marc Silver <marcs@draenor.org>
To:        Thomas Wolf <tw@wsf.at>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: dialup firewalling
Message-ID:  <20040121185234.GE70495@draenor.org>
In-Reply-To: <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at>
References:  <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at>

Hi guys,

Thanks very much.  You have all been fantastic, and a great help to me.
I've revised the document to use PPP NAT, and amended the ruleset as
below:

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Define our outside interface.  With userland-ppp this
# defaults to tun0.
oif="tun0"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add check-state
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif

# Allow internet users to connect to ports 22 and 80.
# This example specifically allows connections to the sshd and a
# webserver.
$fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

# Deny and log all the rest.
$fwcmd add deny log ip from any to any

Does this ruleset look more correct and will it definitely work with
PPP's NAT?  Once again, thank you all very much and I look forward to
your replies.

Cheers,
Marc

On Wed, Jan 21, 2004 at 03:23:43PM -0000, Thomas Wolf wrote:
> 
> Marc Silver <marcs@draenor.org> wrote:
> 
> > Hi guys and gals,
> > 
> > The short story:  I wrote an article a while back about dialup
> > firewalling with FreeBSD, and after an update was made to the article a
> > few months back by another individual it's been slightly broken.
> > 
> > I am currently working on fixing this document and get it more up to
> > date, and was hoping to run the following ruleset past all of you.  The
> > problem is mostly that I no longer have a dialup connection to test with
> > this, so I was hoping to ask opinions on whether or not the following
> > rulebase would work:
> > 
> > # Force a flushing of the current rules before we reload.
> > $fwcmd -f flush
> > 
> > # Divert all packets through the tunnel interface.
> > $fwcmd add divert natd all from any to any via tun0
> > 
> > # Allow all connections that we initiate, and keep their state,
> > # but deny established connections that don't have a dynamic rule.
> > $fwcmd add check-state
> > $fwcmd add allow ip from me to any keep-state
> > $fwcmd add deny tcp from any to any established
> > 
> > # Allow internet users to connect to ports 22 and 80 on my machine.
> > # This example specifically allows connections to the sshd and a
> > # webserver.
> > $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
> > 
> > # Allow ICMP packets: remove type 8 if you don't want your host
> > # to be pingable.
> > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
> > 
> > # Deny and log everything else.
> > $fwcmd add deny log ip from any to any
> > 
> > Now, if my knowledge of ipfw2 is correct, this should allow everything
> > out, and should only allow port 22 and 80 in.  It'll also allow ICMP.
> > Simple enough, but am I correct in my assumptions?
> 
> No, it will not work. keep-state rules and natd are difficult to handle.
> In your setup, traffic from a box in your lan ($lanclientip) with a 
> destination on the internet ($targetip), going via your gateway
> ($gatewayip) will be handled like this:
> 
> original packet: $lanclientip -> $targetip
> 
> on leaving the gateway, packets are going through the divert rule,
> now the packet has $gatewayip -> $targetip. The keep-state rule
> now creates a temporary rule for '$gatewayip <-> $targetip' and allows
> the packet out.
> 
> The response from $targetip gets 'natted first so when it reaches
> the check-state rule, it already has $targetip -> $lanclientip and
> will not match the temporary rule.
> 
> Thomas
> 
> --
> Thomas Wolf
> Wiener Software Fabrik
> Dubas u. Wolf GMBH
> 1050 Wien, Mittersteig 4

-- 
Success is never final. Failure is never fatal. It is courage that
counts.  
  -- Winston Churchill
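The packet flow Thomas describes, as a small added model (not code from either poster): it runs a LAN client's request out and the server's reply back in through a check-state / keep-state / deny sequence, once with a 'divert natd' rule ahead of check-state and once with translation done outside the filter. Addresses are constructed placeholders; the "outside" case assumes ipfw sees the translated pair in both directions, which is the model's assumption, not a statement the thread makes about where ppp's NAT sits relative to tun0.

```python
"""Toy model of the ipfw keep-state / NAT ordering problem in this thread.

Constructed example, not code from either poster.  Only addresses and the
dynamic-rule table are modelled; real ipfw also tracks proto, ports, timeouts.
Addresses are placeholders for Thomas's $lanclientip/$gatewayip/$targetip.
"""
LAN_CLIENT, GATEWAY, TARGET = "192.168.1.10", "203.0.113.5", "198.51.100.7"


def translate(pkt, direction):
    """Rewrite (src, dst) as a NAT hiding LAN_CLIENT behind GATEWAY would."""
    src, dst = pkt
    if direction == "out" and src == LAN_CLIENT:
        return (GATEWAY, dst)             # outbound: source becomes the gateway
    if direction == "in" and dst == GATEWAY:
        return (src, LAN_CLIENT)          # inbound reply: undo the translation
    return pkt


def ipfw_pass(pkt, direction, state):
    """check-state -> 'allow ip from me to any out keep-state' -> 'deny log'."""
    src, dst = pkt
    if (src, dst) in state or (dst, src) in state:   # check-state matches either way
        return "allow"
    if direction == "out" and src == GATEWAY:        # 'me' is the gateway address
        state.add((src, dst))                        # keep-state: add a dynamic rule
        return "allow"
    return "deny"                                    # final 'deny log ip from any to any'


def reply_verdict(nat_position):
    """Verdict on TARGET's reply after LAN_CLIENT's request went out.

    'divert_first': a 'divert natd' rule ahead of check-state rewrites BOTH
      directions before the state rules see them (the ruleset Thomas reviewed).
    'outside': translation happens beyond the filter in both directions, so
      ipfw sees the same GATEWAY <-> TARGET pair on the way out and back
      (assumption of this model).
    """
    state = set()
    request, reply = (LAN_CLIENT, TARGET), (TARGET, GATEWAY)
    if nat_position == "divert_first":
        ipfw_pass(translate(request, "out"), "out", state)     # dynamic rule: GATEWAY -> TARGET
        return ipfw_pass(translate(reply, "in"), "in", state)  # check-state sees TARGET -> LAN_CLIENT
    ipfw_pass(translate(request, "out"), "out", state)
    return ipfw_pass(reply, "in", state)                       # check-state sees TARGET -> GATEWAY


if __name__ == "__main__":
    for pos in ("divert_first", "outside"):
        print(pos, "->", reply_verdict(pos))   # divert_first -> deny, outside -> allow
```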