Date:      Wed, 31 Jul 2002 22:07:59 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBIPFW" <freebsd-ipfw@freebsd.org>
Subject:   natd & keep-state
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEBMCHAA.barbish@a1poweruser.com>

IPFW list members

Advanced Stateful extensions were introduced in FBSD 4.0. When they
first came out I changed my ipfw rules from stateless and simple
stateful to using only Advanced Stateful rules for my user
ppp -nat ISP connection. The ipfw rule set that works with user
ppp -nat is posted below. I have tried to get this same rules file to
function exchanging user ppp -nat for ipfw natd. There were always
problems with the natd IP address and the dynamic rules table getting
mismatches, so I went back to user ppp -nat. Every new version of FBSD
I would try again to use natd, hoping there may have been some fixes
to natd, but no such luck. Each new version still failed. Each time I
would post questions to the FBSD questions list, but most of the
replies were from people who were having the same problems with natd
and keep-state rules that I was. Well, now I am forced to address the
problem again because I now have cable access to the internet and I
can no longer use the -nat function of user ppp. So this time I joined
this ipfw list hoping my post will be read by a larger group of people
who have a very technical understanding of IPFW/NATD and the Advanced
Stateful extensions check-state / keep-state, who will be able to
provide a solution or come to the realization that there is a bug
that needs fixing.

The following posted rules are the rules file that works just fine
using user ppp -nat. As you can see it is very basic but demonstrates
the logic flow of only allowing selected functions to be started for
access to the public internet and selected functions originating from
the public internet to be started for access to the local network.

To use these rules for NATD I change xif="tun0" to xif="rl0", which is
the NIC card cabled to the cable modem, and odns1 & odns2 to the IP
addresses of the cable provider's DNS servers.

And add the   $cmd 200 divert natd all from any to any via $xif
as rule number 200 so it gets positioned before the check-state
statement. The positioning of the divert statement is patterned after
the /etc/rc.firewall sample.

Be assured that the rc.conf and kernel options are in place to activate
NATD. I am now using FBSD version 4.6.

I have read and reread the ipfw man pages until I am blue in the face.
I am not a newbie to FBSD or IPFW and post this in hopes of achieving a
real solution in the way of a working ipfw/natd rules file based on
my rules file below. I have chosen functions which should be easy for
you to test on your own systems.

Thanks for your help in this matter

Joe
# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
#cmd="/sbin/ipfw -q add"
cmd="/sbin/ipfw add"

# Set defaults
# set these to your external interface network

xif="tun0"
odns1="218.216.115.111"      # ISP's dns server 1 IP address
odns2="218.216.115.112"      # ISP's dns server 2 IP address

# Set these to your inside interface network
iif="xl0"                  # Nic card

# Internal gateway housekeeping
$cmd 100 allow all from any to any via lo0  # allow all localhost
$cmd 150 deny  all from any to 127.0.0.0/8  # deny use of localhost IP
$cmd 160 deny  all from 127.0.0.0/8 to any  # deny use of localhost IP

$cmd 180 allow all from any to any via $iif   # allow all local LAN
########  control section  ############################################

$cmd 500 check-state

# Deny & log all fragments as bogus packets
$cmd 502 deny log all from any to any frag via $xif

# Deny & log ACK packets that did not match the dynamic rule table
$cmd 501 deny log tcp from any to any established via $xif


########  outbound section  ###########################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out www function
$cmd 600 allow tcp  from any to any 80  out via $xif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 610 allow tcp  from any to $odns1 53 out via $xif setup keep-state
$cmd 611 allow udp  from any to $odns1 53 out via $xif keep-state
$cmd 615 allow tcp  from any to $odns2 53 out via $xif setup keep-state
$cmd 616 allow udp  from any to $odns2 53 out via $xif keep-state

# Allow out send & get email function
$cmd 630 allow tcp from any to any 25,110 out via $xif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$cmd 640 allow tcp from me to any out via $xif setup keep-state uid root

# Allow out ping
$cmd 650 allow icmp from any to any   out via $xif keep-state

# Allow out TELNET
$cmd 660 allow tcp  from any to any 23    out via $xif setup keep-state

############ passive FTP rules for LAN PC FTP to public Internet ######
# Allow passive FTP control channel 21 & data high ports
$cmd 700 allow tcp from any to any 21  out via $xif setup keep-state
$cmd 710 allow tcp from any to any 10000-65000 out via $xif setup keep-state
##### End of passive FTP rules for LAN PC FTP to public Internet ######


########  inbound section  ############################################

# Allow in www
$cmd 800 allow tcp from any to any 80 in via $xif setup limit src-addr 4

# Allow in ssh function
$cmd 820 allow log tcp from any to me 22 in via $xif setup limit src-addr 4

# Allow in Telnet
$cmd 830 allow tcp from any to any 23 in via $xif setup limit src-addr 4
#$cmd 830 allow tcp from any to any 23 in via $xif setup keep-state

########  catch all section  ############################################

# Stop & log external redirect requests.
$cmd 845 deny log icmp from any to any icmptype 5  in via $xif

# Stop & log spoofing Attack attempts.
$cmd 850 deny log ip from me to me  in via $xif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$cmd 860 deny log icmp from any to me icmptype 0,8  in via $xif

# Reject & Log all setup of incoming connections from the outside
$cmd 900 deny log tcp from any to any setup in via $xif

# Everything else is denied by default
# deny and log all packets that fall through to see what they are
$cmd 910 deny log logamount 500 all from any to any
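The mismatch the post describes can be reproduced in a small model of ipfw rule traversal. The code below is an added example, not code from the post or from FreeBSD: it models only the external interface, treats `divert` as a minimal natd (rewrite the source address on the way out, reverse the mapping on the way in, no port remapping) that reinjects the packet at the rule after the divert, and, as ipfw(8) describes, runs the parent rule's action when check-state finds a dynamic match. Addresses, ports and rule numbers other than those in the post are constructed. With the posted ordering (divert at 200 ahead of check-state at 500) the outbound SYN is translated before keep-state fires, so the dynamic entry is keyed on the public address, while the returning SYN-ACK is translated back to the private address before check-state sees it and never matches. The second rule list shows the ordering later used in the FreeBSD Handbook's stateful natd example: inbound divert before check-state, and outbound keep-state on the untranslated packet followed by a skipto to the divert.

```python
"""Toy model of ipfw traversal with natd, keep-state and check-state (constructed example)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.5"   # constructed: address natd puts on the outside interface
LAN_HOST = "192.168.1.10"   # constructed: PC behind the firewall
SERVER = "198.51.100.7"     # constructed: web server on the public Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out" relative to the external interface
    setup: bool = False     # True for a bare SYN (ipfw's 'setup')


class Natd:
    """Minimal natd: rewrite the source going out, reverse it coming in (ports kept)."""
    def __init__(self):
        self.table = {}     # (public addr, port) -> (private addr, port)

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out":
            self.table[(PUBLIC_IP, p.sport)] = (p.src, p.sport)
            return Packet(PUBLIC_IP, p.sport, p.dst, p.dport, "out", p.setup)
        priv = self.table.get((p.dst, p.dport))
        if priv is None:
            return p        # no mapping known: passed through untranslated
        return Packet(p.src, p.sport, priv[0], priv[1], "in", p.setup)


@dataclass
class Rule:
    num: int
    action: str                      # allow | deny | divert | check-state | skipto
    direction: Optional[str] = None  # None matches both directions ('via')
    dport: Optional[int] = None
    setup: bool = False
    keep_state: bool = False
    target: int = 0                  # skipto destination

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.dport is None or self.dport == p.dport)
                and (not self.setup or p.setup))


class Firewall:
    def __init__(self, rules, natd: Natd):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd = natd
        self.dynamic = {}   # flow key -> parent Rule, created by keep-state

    @staticmethod
    def flow_key(p: Packet):
        # A dynamic rule matches both directions of the same endpoint pair.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _index_of(self, num: int) -> int:
        return next(i for i, r in enumerate(self.rules) if r.num >= num)

    def process(self, p: Packet):
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                parent = self.dynamic.get(self.flow_key(p))
                if parent is None:
                    i += 1
                    continue
                r = parent                       # run the action of the creating rule
            elif r.matches(p):
                if r.action == "divert":
                    p = self.natd.translate(p)   # natd reinjects after the divert rule
                    i += 1
                    continue
                if r.keep_state:
                    self.dynamic[self.flow_key(p)] = r
            else:
                i += 1
                continue
            if r.action == "skipto":
                i = self._index_of(r.target)
                continue
            return r.action, p
        return "deny", p    # ipfw's default deny when nothing matches


def posted_ordering():
    """The post's layout: divert at 200, ahead of check-state at 500, then keep-state."""
    return [Rule(200, "divert"), Rule(500, "check-state"),
            Rule(600, "allow", direction="out", dport=80, setup=True, keep_state=True),
            Rule(910, "deny")]


def inbound_first_ordering():
    """Inbound translated before check-state; outbound keep-state, then skipto the divert."""
    return [Rule(14, "divert", direction="in"), Rule(15, "check-state"),
            Rule(20, "skipto", direction="out", dport=80, setup=True, keep_state=True, target=500),
            Rule(450, "deny"), Rule(500, "divert", direction="out"), Rule(510, "allow")]


def web_session(rules):
    """LAN PC opens TCP/80 to SERVER; returns (verdict on SYN, verdict on SYN-ACK)."""
    fw = Firewall(rules, Natd())
    v_out, _ = fw.process(Packet(LAN_HOST, 40000, SERVER, 80, "out", setup=True))
    v_in, _ = fw.process(Packet(SERVER, 80, PUBLIC_IP, 40000, "in"))
    return v_out, v_in


if __name__ == "__main__":
    print("posted ordering:      ", web_session(posted_ordering()))   # ('allow', 'deny')
    print("inbound-first ordering:", web_session(inbound_first_ordering()))  # ('allow', 'allow')
```

The model deliberately leaves out the LAN-side rules, port remapping by natd and the `established`/`frag` checks, since none of them change which address the dynamic entry is keyed on; that key is the whole point of the ordering.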