Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 31 Jul 2002 22:07:59 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBIPFW" <freebsd-ipfw@freebsd.org>
Subject:   natd & keep-state
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEBMCHAA.barbish@a1poweruser.com>

Next in thread | Raw E-Mail | Index | Archive | Help
IPFW list members

Advanced Stateful extensions were introduced in FBSD 4.0. When they
first can out I changed my ipfw rules from stateless and simple
stateful to using only Advanced Stateful rules for my user
ppp -nat ISP connection. The ipfw rule set that works with user
ppp -nat is posted below. I have tried to get this same rules file to
function exchanging user ppp -nat for ipfw natd. There was always
problems with natd ip address and the dynamic rules table getting
mismatches so I went back to user ppp -nat. Every new version of FBSD
I would try again to use natd hopping there may have been some fixes
to natd, but no such luck. Each new version still failed. Each time I
would post questions to the FBSD questions list, but most of the
replies were from people who were having the same problems with natd
and keep-state rules that I was. Well now I am forced to address the
problem again because I now have cable access to the internet and I
can no longer use the -nat function of user ppp. So this time I joined
this ipfw list hoping my post will be read by a larger group of people
who have an very technical understanding of IPFW/NATD and the Advanced
Stateful extensions check-state / keep-state who will be able to
Provide a solution or come to the realization that there is a bug
that needs fixing.

The following posted rules are the rules file that works just fine
using user ppp -nat. As you can see it is very basic but demonstrates
the logic flow of only allowing selected functions to be started for
access to the public internet and selected functions originating from
the public internet to be started for access to the local network.

To use these rules for NATD I change xif="tun0" to xif="rl0" which is
the Nic card cabled to the cable modem. odns1 & odns2 to the ip address
of the cable providers dns servers.

And add the   $cmd 200 divert natd all from any to any via $xif
as rule number 200 so it gets positioned before the check-state
statement. The positioning of the divert statement is patterned after
the /etc/rc.firewall sample.

Be assured that the rc.conf and kernel options are in place to activate
NATD. I an now using FBSD version 4.6.

I have read and reread the ipfw man pages until I an blue in the face.
I am not a newbe to FBSD or IPFW and post this in hopes of achieving a
real solution in the way of a working ipfw/natd rules file based on
my rules file below. I have chosen functions which should be easy for
you to test on your own systems.

Thanks for your help in this matter

Joe



# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quite mode.
# Do not display rules as they load. Remove during development to see.
#cmd="/sbin/ipfw -q add"
cmd="/sbin/ipfw add"

# Set defaults
# set these to your external interface network

xif="tun0"
odns1="218.216.115.111"      # ISP's dns server 1 IP address
odns2="218.216.115.112"      # ISP's dns server 2 IP address

# Set these to your inside interface network
iif="xl0"                  # Nic card

# Internal gateway housekeeping
$cmd 100 allow all from any to any via lo0  # allow all localhost
$cmd 150 deny  all from any to 127.0.0.0/8  # deny use of localhost IP
$cmd 160 deny  all from 127.0.0.0/8 to any  # deny use of localhost IP

$cmd 180 allow all from any to any via $iif   # allow all local LAN




########  control section  ############################################

$cmd 500 check-state

# Deny & log all fragments as bogus packets
$cmd 502 deny log all from any to any frag via $xif

# Deny & log ACK packets that did not match the dynamic rule table
$cmd 501 deny log tcp from any to any established via $xif


########  outbound section  ###########################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, it's keep-state option will create a dynamic rule.

# Allow out www function
$cmd 600 allow tcp  from any to any 80  out via $xif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 610 allow tcp  from any to $odns1 53 out via $xif setup keep-state
$cmd 611 allow udp  from any to $odns1 53 out via $xif keep-state
$cmd 615 allow tcp  from any to $odns2 53 out via $xif setup keep-state
$cmd 616 allow udp  from any to $odns2 53 out via $xif keep-state

# Allow out send & get email function
$cmd 630 allow tcp from any to any 25,110 out via $xif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$cmd 640 allow tcp from me to any out via $xif setup keep-state uid root

# Allow out ping
$cmd 650 allow icmp from any to any   out via $xif keep-state

# Allow out TELNET
$cmd 660 allow tcp  from any to any 23    out via $xif setup keep-state

############ passive FTP rules for LAN PC FTP to public Internet ######
# Allow passive FTP control channel 21 & data high ports
$cmd 700 allow tcp from any to any 21  out via $xif setup keep-state
$cmd 710 allow tcp from any to any 10000-65000 out via $xif setup keep-state
##### End of passive FTP rules for LAN PC FTP to public Internet ######


########  inbound section  ############################################

# Allow in www
$cmd 800 allow tcp from any to any 80 in via $xif setup limit src-addr 4

# Allow in ssh function
$cmd 820 allow log tcp from any to me 22 in via $xif setup limit src-addr 4

# Allow in Telnet
$cmd 830 allow tcp from any to any 23 in via $xif setup limit src-addr 4
#$cmd 830 allow tcp from any to any 23 in via $xif setup keep-state

########  catch all section  ############################################

# Stop & log external redirect requests.
$cmd 845 deny log icmp from any to any icmptype 5  in via $xif

# Stop & log spoofing Attack attempts.
$cmd 850 deny log ip from me to me  in via $xif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$cmd 860 deny log icmp from any to me icmptype 0,8  in via $xif

# Reject & Log all setup of incoming connections from the outside
$cmd 900 deny log tcp from any to any setup in via $xif

# Everything else is denied by default
# deny and log all packets that fall through to see what they are
$cmd 910 deny log logamount 500 all from any to any










To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGKEBMCHAA.barbish>