Date:      23 Nov 99 09:16:28 EST
From:      Tom parquette <tparquet@netscape.net>
To:        freebsd-questions@freebsd.org
Subject:   Stumped setting up NATD and firewall support
Message-ID:  <19991123141628.9875.qmail@wwcst088.netaddress.usa.net>

Hi,
I'm new to FreeBSD and I have not worked with UNIX before so I've had some
successes and lots of learning experiences.  NATD now has me stumped.

I am trying to convince my wife and talk my manager into allowing me to
replace the company provided analog phone line with Road Runner.  Before I
can comfortably do that, I want to put up a firewall/NATD machine.   In other
words, protect my infant home network.

Before someone says something, all of the hardware and networks described do
not leave my den.  I'm using the 24.0.0.0 network because I know Time Warner
uses it in this area and I want to simulate the production environment.

Test environment:
I have my initial FreeBSD machine (called Upstream) simulating the Road
Runner network (address 24.0.0.1), connected via a 10base-T crossover
cable to my firewall/NATD machine, called Cerberus, which has DHCPC running
on the ep0 interface.  Upstream is running DHCPS and correctly assigns
24.0.0.11 as the IP address.  Pings in both directions work as expected.

On the 'inside' of my firewall I have two 10Base-2 segments.
192.168.0.0/255.255.255.224 (ep1) and 192.168.0.32/255.255.255.224 (ep2).
The ep1 and ep2 interfaces are set up for DHCPS.  Both segments assign
addresses as expected and pings in both directions work as expected.  (I can
only test with my OS/2 Warp V4 laptop due to lack of PCs.  In other words, I
cannot ping from an address on ep1 to an address on ep2.)  For the rest of
this example I will use 192.168.0.11 as the laptop address.

From my laptop I can ping 192.168.0.1 (Cerberus' ep1) and I can ping
24.0.0.11 (Cerberus' DHCP assigned ep0 address.)  I cannot ping 'Upstream'
unless I manually add a route to 192.168.0.0 using 24.0.0.11 as the next hop.
Once I manually add the route, pings work in both directions.

All of this is done with NATD active and the firewall set to 'open'.

The problem:
All the pings are rejected with the firewall set to 'simple'.  I already know
I have rules that I have to work on.  My goal right now is to get the NATD
code working.  Based on my work to date, it appears that NATD is not changing
the IP addresses.  (e.g. Having to manually add the 192.160.0.0 route.)

I have reviewed IP aliasing in V3 of The Complete FreeBSD and the NATD man
page.  I also searched the web site and I didn't find anything that helped
me.

No errors appear in /var/log/messages and /etc/alias.log is empty.  When I
issue natd -verbose -config /etc/natd.conf from root's command line, nothing
is displayed.  When I allow the rc scripts to bring the machine up, something
flashes by that looks like it might be command syntax (similar to the
response you get sometimes when you mumblefinger a command line parm.)  It
goes by too fast to read.  Again, nothing appears in the logs that I can
find.

I'm attaching what I believe to be all the associated files.
Any help would be appreciated.
Cheers...
Tom

*** Start of configuration files ***
My /ETC/NATD.CONF file:
#	/etc/natd.conf
log yes
deny_incoming yes
log_denied yes
dynamic yes
interface ep0


My /ETC/RC.FIREWALL file:
# 	/etc/rc.firewall

if [ -f /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi
#
if [ "x$1" != "x" ]; then
	firewall_type=$1
fi
#
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi
#
$fwcmd -f flush
#
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
fi
#
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
	$fwcmd add 65000 pass all from any to any
elif [ "${firewall_type}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ep0"
    onet="24.0.0.0"
    omask="255.000.000.000"
    oip="10.0.0.11"

    # set these to your inside interface network and netmask and ip
    #
    # ep1 (internal segment 1 (subnet 0))
    iif1="ep1"
    inet1="192.168.0.0"
    imask1="255.255.255.224"
    iip1="192.168.0.1"
    #
    # ep2 (internal segment 2 (subnet 1))
    iif2="ep2"
    inet2="192.168.0.32"
    imask2="255.255.255.224"
    iip2="192.168.0.33"

    # Stop spoofing
    $fwcmd add deny all from ${inet1}:${imask1} to any in via ${oif}
    $fwcmd add deny all from ${inet2}:${imask2} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif1}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif2}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject & Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
	$fwcmd ${firewall_type}
fi


My /ETC/RC.CONF file:
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="simple"
natd_enable="NO"
natd_interface="-config /etc/natd.conf"
gateway_enable="YES"
nfs_client_enable="YES"
network_interfaces="ep1 ep2 lo0"
ifconfig_ep1="inet 192.168.0.1   netmask 255.255.255.224"
ifconfig_ep2="inet 192.168.0.34  netmask 255.255.255.224"
hostname="Cerberus.Parquette.Baldwinsville.NY.US"
ntpdate_flags="otc1.psu.edu"
ntpdate_enable="NO"
sendmail_enable="NO"
named_enable="YES"
saver="logo"


The output from a NETSTAT -RN command:
Routing tables
Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            24.0.0.1           UGSc       13        0      ep0
24/24              link#2             UC          0        0      ep0
24.0.0.1           link#2             UHLW       14       38      ep0
localhost          localhost          UH          0       27      lo0
192.168/27         link#3             UC          0        0      ep1
192.168.0.32/27    link#4             UC          0        0      ep2

*** End of configuration files ***

"Do or do not.  Is no Try"--Yoda.

"Friends come and go but enemies accumulate."--me.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991123141628.9875.qmail>
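Editor's note, added to the archived message above and not part of Tom's post or of the FreeBSD rc scripts: the POSIX sh helper below encodes the two checks a reviewer would run over the configuration as posted. The first lints the natd-related rc.conf variables; it assumes the variable names natd_enable, natd_interface and natd_flags from the /etc/defaults/rc.conf of that release, and relies only on what the posted rc.firewall itself shows, namely that natd_interface is used verbatim as the interface in `via ${natd_interface}`. The second prints, without executing, a 'simple'-style ipfw ruleset in which the divert rule is placed so that the address checks on the outside interface see the packet before natd rewrites it and the leak check sees it afterwards, and in which ICMP echo is passed so that ping can be used as the test. The functions rc_get, natd_lint, rule and ipfw_rules and the two rc.conf fragments are the example's own, constructed from the values in the post; the "fixed" fragment is an assumed correction, not something the post confirms.

```shell
#!/bin/sh
# Added example, not part of the original post or of the FreeBSD rc scripts.
#   natd_lint  - lints the natd-related rc.conf variables (assumed names:
#                natd_enable, natd_interface, natd_flags).
#   ipfw_rules - prints, never executes, a 'simple'-style ipfw ruleset with
#                the divert rule placed so NAT and the address checks do not
#                fight, and with ICMP echo allowed so ping can be used to test.

# Constructed copy of the natd-related lines from the posted /etc/rc.conf.
POSTED_RCCONF='firewall_enable="YES"
firewall_type="simple"
natd_enable="NO"
natd_interface="-config /etc/natd.conf"
gateway_enable="YES"'

# Constructed corrected version (assumed fix): natd_interface names the
# outside interface, every other natd option goes in natd_flags.
FIXED_RCCONF='firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="ep0"
natd_flags="-config /etc/natd.conf"
gateway_enable="YES"'

# rc_get VAR TEXT: print the (unquoted) value of VAR from rc.conf-style TEXT.
rc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"' | tail -n 1
}

# natd_lint TEXT: one line per problem found; prints nothing when clean.
natd_lint() {
    _en=$(rc_get natd_enable "$1")
    _if=$(rc_get natd_interface "$1")
    _fl=$(rc_get natd_flags "$1")
    [ "$_en" = "YES" ] ||
        echo "natd_enable is '$_en': rc starts neither natd nor the divert rule"
    case "$_if" in
        "")       echo "natd_interface is empty: rc.firewall adds no divert rule" ;;
        -*|*" "*) echo "natd_interface '$_if' looks like options, not an interface" \
                       "name; rc.firewall uses it as 'via \${natd_interface}'" ;;
    esac
    case "$_fl" in
        *-config*) ;;
        *) echo "natd_flags does not pass -config, so /etc/natd.conf is never read" ;;
    esac
}

# rule ARGS...: print one ipfw command instead of running it (dry run).
rule() { echo "/sbin/ipfw -q add $*"; }

# ipfw_rules OIF OIP ONET IIF1 IIF2: print the ruleset.  A packet matching
# 'divert natd' is handed to natd, rewritten, and re-enters the ruleset at
# the rule after the divert.  Checks that need the untranslated packet
# (inbound on the outside interface) go before the divert; the check that
# needs the translated packet (outbound leak test) goes after it.  Taking
# the outside IP as a parameter keeps it from drifting away from ifconfig.
ipfw_rules() {
    oif=$1; oip=$2; onet=$3; iif1=$4; iif2=$5
    echo "/sbin/ipfw -q -f flush"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny all from $net to any in via $oif     # spoofed inside source
        rule deny all from any to $net in via $oif     # private destination
    done
    for iif in $iif1 $iif2; do
        rule deny all from $onet to any in via $iif    # outside net on inside
    done
    rule divert natd all from any to any via $oif
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny all from $net to any out via $oif    # natd missed it: no leak
    done
    rule pass tcp from any to any established
    rule pass tcp from any to $oip 53 setup             # our DNS from outside
    rule deny log tcp from any to any in via $oif setup
    rule pass tcp from any to any setup                 # outbound TCP
    # DNS/NTP: inside hosts use this box; this box uses the world.
    for p in 53 123; do
        for iif in $iif1 $iif2; do
            rule pass udp from any to any $p via $iif
            rule pass udp from any $p to any via $iif
        done
        rule pass udp from $oip to any $p
        rule pass udp from any $p to $oip
    done
    # The posted 'simple' set has no ICMP rule, so every ping hits the
    # default deny.  Allow echo, echo reply, unreachable and time exceeded.
    rule pass icmp from any to any icmptypes 0,3,8,11
    # ep0 gets its address by DHCP; lease renewals need these through.
    rule pass udp from any 68 to any 67 out via $oif
    rule pass udp from any 67 to any 68 in via $oif
}

# Stand-alone run: lint the posted rc.conf, then print rules for the
# addresses in the post (24.0.0.11 on ep0, inside segments on ep1 and ep2).
natd_lint "$POSTED_RCCONF"
ipfw_rules ep0 24.0.0.11 24.0.0.0/8 ep1 ep2
```

Review the printed rules before piping them into sh; the point of the dry run is that the order around the divert rule can be read and checked. With natd_enable left at NO the lint reports three problems and rc.firewall never adds the divert rule at all, which is consistent with the addresses on the inside never being translated regardless of what natd.conf says.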