Date:      Wed, 03 Feb 1999 09:06:50 +1100
From:      Andrew Johns <A_Johns@TurnAround.com.au>
To:        chemtechweb@psn.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall rules
Message-ID:  <36B776F9.F35B0706@TurnAround.com.au>
References:  <36B6E626.2C67786A@psn.net>

Emmanuel Gravel wrote:

> I've been trying to set up a firewall.  I barely modified the simple
> ruleset (just changed the IP addresses and interfaces).  I have a
> few computers connected on an internal LAN.  The FreeBSD machine will
> serve as a gateway.  I set up the oip to a bogus address since I don't
> know how to set it up to a dynamically allocated address (if someone
> could tell me how, I'd appreciate it :)
>
> My problem, however, isn't the oif or oip (not for now at least).  I've
> been trying to ping out to my LAN and get a permission denied.  I try
> to ping in from the LAN and don't get a response.  I try connecting to
> the named server from the LAN and don't get anything either.  Only
> the FreeBSD machine has access to the web server, no others.  They
> don't even really know the machine exists, except for the fact that
> I set it as the primary name server on the NIC.  I'd also like to get
> SAMBA to be useful (I've already set up the scripts, all I need is to
> open up the connection to the LAN while keeping it closed to the world).
> I'd also like to use Exceed on the LAN (Win98 machines) therefore I need
> to have X opened to the LAN and closed to the world.
>
> Here are my firewall rules:
>
>     oif="tun0"
>     onet="222.168.0.0"
>     omask="255.255.255.0"
>     oip="222.168.0.11"
>     iif="ep0"
>     inet="192.168.0.0"
>     imask="255.255.255.0"
>     iip="192.168.0.11"
>
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass tcp from any to ${oip} 25 setup
> $fwcmd add pass tcp from any to ${oip} 53 setup
> $fwcmd add pass tcp from any to ${oip} 80 setup
> $fwcmd add deny log tcp from any to any in via ${oif} setup
> $fwcmd add pass tcp from any to any setup
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
>
> I've tried to understand why my machine is still so closed, but nothing
> seems to work (mind you it's also very late and my mind is mush, but
> I should have at least understood why it's not open to simple tasks
> with these rules).  I'm sure I need to add more rules, I just don't know
> how to formulate them properly yet.
>
> BTW, this is FreeBSD R 2.2.7 straight off of CD's, and I do have Greg's
> book, and have looked through the pages on how to set up the firewall,
> but no more than that and the man pages for docs on ipfw.
>
> Thanks,
>
> Manu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

This is not an answer per se but it can prove useful - add another rule just
before the final (default) one that throws everything away to log those
packets, thus:

$fwcmd add 65500 deny log all from any to any

Then when you try and ping you'll see log entries on the console indicating
exactly _what_ is about to be thrown away by the default rule.  If you still
don't see anything when using ping, for example, then the packets are being
dropped by rules previous to that one - try enabling logging on those too.
You will prob want to set the log limit to something before trying this,
else the console will be rather busy scrolling... see the examples in
/etc/rc.firewall.

HTH

--
Regards
Andrew Johns
TurnAround Solutions Pty Ltd
http://www.turnaround.com.au/
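Once a catch-all "deny log" rule like the one above is in place, the useful part is reading what it reports. The following is an added example, not code from either message in this thread: it tallies ipfw log lines by rule number, protocol, destination port (or ICMP type), direction and interface so you can see at a glance which rule is discarding which traffic. The log-line layout (the ipfw(8) "ipfw: RULE Action PROTO src dst in/out via IF" form), the sample addresses and the rule numbers in the sample are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample of syslog/console lines as produced by "deny log" rules.
# The layout assumed here is the ipfw(8) one (rule number, action, proto,
# src, dst, direction, interface); older releases may format it differently.
SAMPLE_LOG = """\
Feb  3 09:06:50 gw /kernel: ipfw: 65500 Deny ICMP:8.0 192.168.0.5 192.168.0.11 in via ep0
Feb  3 09:06:51 gw /kernel: ipfw: 65500 Deny ICMP:8.0 192.168.0.5 192.168.0.11 in via ep0
Feb  3 09:06:52 gw /kernel: ipfw: 65500 Deny UDP 192.168.0.5:1031 192.168.0.11:53 in via ep0
Feb  3 09:06:53 gw /kernel: ipfw: 65500 Deny TCP 192.168.0.5:1040 192.168.0.11:139 in via ep0
Feb  3 09:06:54 gw /kernel: ipfw: 65500 Deny ICMP:0.0 192.168.0.11 192.168.0.5 out via ep0
Feb  3 09:06:55 gw /kernel: ipfw: 00300 Deny TCP 222.168.0.44:2222 192.168.0.11:23 in via tun0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>[\d.]+))?"
    r" (?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r" (?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_line(line):
    """Return a dict describing one ipfw log entry, or None if the line is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count logged packets per (rule, proto, service, direction, iface).

    'service' is the destination port for TCP/UDP or 'icmp TYPE.CODE' for ICMP,
    so each key names one kind of traffic and the rule that discarded it."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # not an ipfw line; ignore other syslog noise
        if e["dport"]:
            service = e["dport"]
        elif e["icmp"]:
            service = "icmp " + e["icmp"]
        else:
            service = "-"
        counts[(int(e["rule"]), e["proto"], service, e["dir"], e["iface"])] += 1
    return counts

def dropped_by_default_rule(log_text, catchall=65500):
    """Entries that reached the catch-all rule: traffic no earlier rule passed."""
    return {k: v for k, v in summarize(log_text).items() if k[0] == catchall}

if __name__ == "__main__":
    for (rule, proto, service, direction, iface), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"rule {rule:5d} {proto:4s} {service:10s} {direction:3s} via {iface}: {n}")
```

Entries attributed to the catch-all rule are the packets no pass rule matched (here the LAN's pings, DNS and SMB); entries with a lower rule number were discarded by an explicit deny earlier in the list.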


