Date: 23 Nov 99 09:16:28 EST
From: Tom Parquette <tparquet@netscape.net>
To: freebsd-questions@freebsd.org
Subject: Stumped setting up NATD and firewall support
Message-ID: <19991123141628.9875.qmail@wwcst088.netaddress.usa.net>
Hi, I'm new to FreeBSD and I have not worked with UNIX before, so I've had some successes and lots of learning experiences. NATD now has me stumped.

I am trying to convince my wife and talk my manager into allowing me to replace the company provided analog phone line with Road Runner. Before I can comfortably do that, I want to put up a firewall/NATD machine. In other words, protect my infant home network.

Before someone says something, all of the hardware and networks described do not leave my den. I'm using the 24.0.0.0 network because I know Time Warner uses it in this area and I want to simulate the production environment.

Test environment:

I have my initial FreeBSD machine (called Upstream) simulating the Road Runner network (address 24.0.0.1), connected via a 10base-T crossover cable to my firewall/NATD machine, called Cerberus, which has DHCPC running on the ep0 interface. Upstream is running DHCPS and correctly assigns 24.0.0.11 as the IP address. Pings in both directions work as expected.

On the 'inside' of my firewall I have two 10Base-2 segments, 192.168.0.0/255.255.255.224 (ep1) and 192.168.0.32/255.255.255.224 (ep2). The ep1 and ep2 interfaces are set up for DHCPS. Both segments assign addresses as expected and pings in both directions work as expected. (I can only test with my OS/2 Warp V4 laptop due to lack of PCs. In other words, I cannot ping from an address on ep1 to an address on ep2.) For the rest of this example I will use 192.168.0.11 as the laptop address.

From my laptop I can ping 192.168.0.1 (Cerberus' ep1) and I can ping 24.0.0.11 (Cerberus' DHCP assigned ep0 address). I cannot ping 'Upstream' unless I manually add a route to 192.168.0.0 using 24.0.0.11 as the next hop. Once I manually add the route, pings work in both directions.

All of this is done with NATD active and the firewall set to 'open'.

The problem:

All the pings are rejected with the firewall set to 'simple'. I already know I have rules that I have to work on. My goal right now is to get the NATD code working. Based on my work to date, it appears that NATD is not changing the IP addresses. (e.g. having to manually add the 192.160.0.0 route.)

I have reviewed IP aliasing in V3 of The Complete FreeBSD and the NATD man page. I also searched the web site and I didn't find anything that helped me.

No errors appear in /var/log/messages and /etc/alias.log is empty. When I issue natd -verbose -config /etc/natd.conf from root's command line, nothing is displayed. When I allow the rc scripts to bring the machine up, something flashes by that looks like it might be command syntax (similar to the response you get sometimes when you mumblefinger a command line parm). It goes by too fast to read. Again, nothing appears in the logs that I can find.

I'm attaching what I believe to be all the associated files. Any help would be appreciated.

Cheers...
Tom

*** Start of configuration files ***

My /ETC/NATD.CONF file:

    # /etc/natd.conf
    log yes
    deny_incoming yes
    log_denied yes
    dynamic yes
    interface ep0

My /ETC/RC.FIREWALL file:

    # /etc/rc.firewall
    if [ -f /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
    elif [ -f /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
    #
    if [ "x$1" != "x" ]; then
        firewall_type=$1
    fi
    #
    if [ "x$firewall_quiet" = "xYES" ]; then
        fwcmd="/sbin/ipfw -q"
    else
        fwcmd="/sbin/ipfw"
    fi
    #
    $fwcmd -f flush
    #
    if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
    fi
    #
    if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
        $fwcmd add 65000 pass all from any to any
    elif [ "${firewall_type}" = "simple" ]; then
        ############
        # This is a prototype setup for a simple firewall. Configure this machine
        # as a named server and ntp server, and point all the machines on the inside
        # at this machine for those services.
        ############
        # set these to your outside interface network and netmask and ip
        oif="ep0"
        onet="24.0.0.0"
        omask="255.000.000.000"
        oip="10.0.0.11"
        # set these to your inside interface network and netmask and ip
        #
        # ep1 (internal segment 1 (subnet 0))
        iif1="ep1"
        inet1="192.168.0.0"
        imask1="255.255.255.224"
        iip1="192.168.0.1"
        #
        # ep2 (internal segment 2 (subnet 1))
        iif2="ep2"
        inet2="192.168.0.32"
        imask2="255.255.255.224"
        iip2="192.168.0.33"
        # Stop spoofing
        $fwcmd add deny all from ${inet1}:${imask1} to any in via ${oif}
        $fwcmd add deny all from ${inet2}:${imask2} to any in via ${oif}
        $fwcmd add deny all from ${onet}:${omask} to any in via ${iif1}
        $fwcmd add deny all from ${onet}:${omask} to any in via ${iif2}
        # Stop RFC1918 nets on the outside interface
        $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
        $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
        $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
        $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
        $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
        $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
        # Allow TCP through if setup succeeded
        $fwcmd add pass tcp from any to any established
        # Allow setup of incoming email
        $fwcmd add pass tcp from any to ${oip} 25 setup
        # Allow access to our DNS
        $fwcmd add pass tcp from any to ${oip} 53 setup
        # Allow access to our WWW
        $fwcmd add pass tcp from any to ${oip} 80 setup
        # Reject & Log all setup of incoming connections from the outside
        $fwcmd add deny log tcp from any to any in via ${oif} setup
        # Allow setup of any other TCP connection
        $fwcmd add pass tcp from any to any setup
        # Allow DNS queries out in the world
        $fwcmd add pass udp from any 53 to ${oip}
        $fwcmd add pass udp from ${oip} to any 53
        # Allow NTP queries out in the world
        $fwcmd add pass udp from any 123 to ${oip}
        $fwcmd add pass udp from ${oip} to any 123
        # Everything else is denied as default.
    elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
    fi

My /ETC/RC.CONF file:

    # This file now contains just the overrides from /etc/defaults/rc.conf
    # please make all changes to this file.
    firewall_enable="YES"
    firewall_quiet="YES"
    firewall_type="simple"
    natd_enable="NO"
    natd_interface="-config /etc/natd.conf"
    gateway_enable="YES"
    nfs_client_enable="YES"
    network_interfaces="ep1 ep2 lo0"
    ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.224"
    ifconfig_ep2="inet 192.168.0.34 netmask 255.255.255.224"
    hostname="Cerberus.Parquette.Baldwinsville.NY.US"
    ntpdate_flags="otc1.psu.edu"
    ntpdate_enable="NO"
    sendmail_enable="NO"
    named_enable="YES"
    saver="logo"

The output from a NETSTAT -RN command:

    Routing tables

    Internet:
    Destination        Gateway            Flags     Refs     Use     Netif Expire
    default            24.0.0.1           UGSc       13        0      ep0
    24/24              link#2             UC          0        0      ep0
    24.0.0.1           link#2             UHLW       14       38      ep0
    localhost          localhost          UH          0       27      lo0
    192.168/27         link#3             UC          0        0      ep1
    192.168.0.32/27    link#4             UC          0        0      ep2

*** End of configuration files ***

"Do or do not. Is no Try"--Yoda.
"Friends come and go but enemies accumulate."--me.
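An added example, not part of the original message, that walks a packet through the posted "simple" ruleset with ipfw's first-match semantics in Python, with and without the divert rule that the posted rc.firewall only installs when natd_enable is "YES". It assumes natd rewrites the source of outbound packets to 24.0.0.11 (Cerberus' DHCP address from the message); ports are not modelled, so the UDP 53/123 rules are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass", "deny" or "divert"
    proto: str = "all"               # "all", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"           # source network (CIDR)
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    via: Optional[str] = None        # "via" interface, None = any
    direction: Optional[str] = None  # "in", "out" or None = both
    tcp: Optional[str] = None        # "setup", "established" or None

def matches(rule: Rule, pkt: dict) -> bool:
    """Every field the rule specifies must agree with the packet (ports ignored)."""
    return ((rule.proto == "all" or rule.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and (rule.via is None or rule.via == pkt["via"])
            and (rule.direction is None or rule.direction == pkt["direction"])
            and (rule.tcp is None or rule.tcp == pkt.get("tcp")))

def evaluate(rules, pkt: dict, nat_ip: str):
    """First match wins; returns (verdict, rule index). A divert hands the packet
    to natd (modelled as rewriting an outbound source to nat_ip; inbound un-NAT
    needs natd's state table) and matching resumes at the next rule. Falling
    off the end is the kernel's default deny, reported as index -1."""
    pkt = dict(pkt)
    for idx, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            if pkt["direction"] == "out":
                pkt["src"] = nat_ip
            continue
        return rule.action, idx
    return "deny", -1

# The posted "simple" ruleset, trimmed to what these packets can reach. DIVERT is
# what rc.firewall prepends when natd_enable="YES"; the posted rc.conf says "NO".
DIVERT = Rule("divert", via="ep0")
SIMPLE = [
    Rule("deny", src="192.168.0.0/27", via="ep0", direction="in"),  # anti-spoof
    Rule("deny", src="24.0.0.0/8", via="ep1", direction="in"),
    Rule("deny", src="192.168.0.0/16", via="ep0"),                  # RFC1918 leak
    Rule("deny", dst="192.168.0.0/16", via="ep0"),
    Rule("pass", proto="tcp", tcp="established"),
    Rule("deny", proto="tcp", via="ep0", direction="in", tcp="setup"),
    Rule("pass", proto="tcp", tcp="setup"),
]   # nothing here passes icmp, so a ping falls through to the default deny
```

Without the divert, an outbound ping from 192.168.0.11 is stopped by the RFC1918 rule (index 2); with it, the rewritten packet reaches the end and is still denied because no rule passes icmp, while an outbound TCP setup is passed.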