 Still having IPFW trouble
Hey all,
    First I would like to thank the last people for helping me with a
similar problem.

    I am setting up a gateway/firewall to an internal win2k machine and the
thing will not behave. Running FreeBSD 4.3 STABLE. What I am trying to do is
basically to use all common programs on the win2k machine while using the
FreeBSD box as a gateway/firewall. I got it working at one time, but it only
allowed me to browse on port 80; I need to be able to use mail and https as
well, plus ping and trace, from both machines. I have been to
http://www.**-**.com/
this below. I have also read man pages for natd and I am so new that it is
way over my head. Where am I going wrong? Any pointers would help
tremendously!

Here is the setup so far:

vx0 is my NIC that connects to my DHCP vDSL (I have no modem, it is directly
from wall to NIC)
xl0 is the other NIC in the FreeBSD machine that connects to the win2k
machine.
I have a cross over cable connecting the FreeBSD box to the win2k (I have no
hub, don't want one)

I am using 172.16.0.x as the internal network addresses
Current ISP config is:
IP 130.13.133.193
Gateway 130.13.133.1
subnet 255.255.255.0
dns1 192.168.3.1
dns2 206.80.192.1

Here is my rc.conf file:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.ipfw"
firewall_type="open"
firewall_quiet="NO"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="vx0"
natd_flags="-f /etc/natd.conf"
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
hostname="mike.st4tus.org"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
saver="fire"
sendmail_enable="YES"
sshd_enable="YES"

My rc.ipfw file:

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="vx0"
onet="130.13.133.0"
omask="255.255.255.0"
oip="130.13.133.193"

# Inside interface network and netmask and ip
iif="xl0"
inet="172.16.0.0"
imask="255.255.255.0"
iip="172.16.0.1"

# My ISP's DNS servers
dns1="123.45.67.8"
dns2="98.76.54.123"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP RULES

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

My /etc/natd file:

port 8668
alias_address 130.13.133.193

My /etc/natd.conf file:

dynamic yes
use_sockets yes
same_ports yes

Added these lines to a GENERIC kernel and compiled:

options     IPFIREWALL_VERBOSE   #print information about
                                 # dropped packets
options     "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
options     TCP_DROP_SYNFIN      #drop TCP packets with SYN+FIN
options     TCP_RESTRICT_RST     #restrict emission of TCP RST
options     "ICMP_BANDLIM"
options     IPFIREWALL           #firewall
options     IPDIVERT             #divert sockets

Thanks

Mike Margolies



 Mon, 22 Dec 2003 13:09:38 GMT   
 Still having IPFW trouble
Instead of routing web, ssl and passive ftp it would be easier to
set up an Apache or Squid proxy server. That way you have the benefit
of the cache and are not routing so much. Any traffic you are routing
is a huge hole. Route only what you absolutely have to.

http://www.apache.org
http://www.squid-cache.org

Nonetheless

1024:65535 -> 443 tcp SSL (keep-state)
1024:65535 -> 1024:65535 Passive tcp FTP (keep-state)
1024:65535 -> 20,21 tcp FTP (keep-state)

I don't allow traceroutes, so I don't remember
it off the top of my head

http://ichigou.hypermart.net/tech/firewall/fw_rcfirewall.html
(here is an example, I did not thoroughly check it
so your mileage may vary).

I don't recommend allowing a lot of ICMP, but that is
your call.

Good references are

Linux Firewalls, by Robert Ziegler
Building Internet Firewalls (2nd Edition), by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, Deborah Russell
Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley Professional Computing Series), by William R. Cheswick, Steven M. Bellovin (Contributor)

I also noticed that you could benefit from using the keep-state
option in several places. I recommend this for any connection
in which you are acting as a client, tcp or udp, on your external
interface. A lot of rules have "from any to any <port>"; you probably
don't want to be so loose.

Suppose you want to route to an external ssl server, for example:

${fwcmd} add divert natd all from any to any via ${oif}
...
${fwcmd} add pass tcp from ${inet} 1024-65535 to any 443
${fwcmd} add pass tcp from any 443 to ${inet} 1024-65535
...
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 443 via ${oif} keep-state
...




 Tue, 23 Dec 2003 18:07:15 GMT   
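As an added example (not from either poster), here is a small POSIX sh lint that flags the two patterns the reply criticises in the rc.ipfw above: pass rules of the form "from any to any <port>", and pass rules bound to the outside interface that lack keep-state. The rule lines it checks are constructed copies in the same `${fwcmd} add ...` shape as the posted script; the function names are my own.

```shell
#!/bin/sh
# Added example (not from either poster): lint an ipfw(8) rule script in the
# rc.ipfw style above for the two patterns the reply criticises:
#   1. pass rules with "from any to any <port>" (no source restriction)
#   2. pass rules on the outside interface (via ${oif}) without keep-state
# The rules below are constructed in the same shape as the posted script;
# feed audit_rules the contents of a real file to check it instead.

SAMPLE_RULES='${fwcmd} add pass tcp from any to any 80 setup
${fwcmd} add pass tcp from any to any 25 setup
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass tcp from ${oip} 1024-65535 to any 443 via ${oif} keep-state
${fwcmd} add deny log tcp from any to any in via ${oif} setup'

# Count lines on stdin (wc -l pads its output on some systems).
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Pass rules whose source and destination are both "any" (an optional source
# port is allowed) followed by a destination port: open to the whole Internet.
loose_rules() {
    printf '%s\n' "$1" | grep -E 'add( [0-9]+)? pass .* from any( [0-9-]+)? to any [0-9]'
}

# Pass rules bound to the outside interface that do not keep state, so the
# reverse direction has to be opened by a separate, stateless rule.
stateless_external() {
    printf '%s\n' "$1" | grep -E 'add( [0-9]+)? pass ' | grep -F 'via ${oif}' | grep -v 'keep-state'
}

count_loose()     { loose_rules "$1" | count_lines; }
count_stateless() { stateless_external "$1" | count_lines; }

# Human-readable report for a rule set passed as one string.
audit_rules() {
    echo "Loose 'from any to any <port>' pass rules:"
    loose_rules "$1" | sed 's/^/  /'
    echo "Stateless pass rules on the outside interface:"
    stateless_external "$1" | sed 's/^/  /'
}

audit_rules "$SAMPLE_RULES"
```

Run against the constructed sample it reports the three "from any to any" rules (80, 25 and the NTP rule) and the one stateless outside-interface rule (NTP), while the keep-state https rule passes both checks.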
 