Question for ipf setting on single NIC box

Michael Lee(HINET) kuniaki.lee at msa.hinet.net
Wed Sep 24 02:04:32 PDT 2003


Hi Tom,

Thanks for your reply.
My connection for the single NIC FreeBSD Box (which previously worked fine),
the ethernet switch, the DSL Modem and the internal network is as follows:
(I am sorry that I cannot draw it well.)

                      ---------------
                      | FreeBSD Box |
                      | ipf, ipnat  |
                      | runs here   |
                      ---------------
  de0_alias0 = 192.168.1.0/24 (int.)  |  de0 = aaa.bbb.ccc.ddd/24 (ext.)
  (* de0 = 12.168.1.0/24)             |  (* tun0 = dynamically assigned)
                             |
                      ---------------          ---------------
                      |   Switch    |----------| DSL Modem   |--------- Telephone Line
                      ---------------          ---------------
                         |       |
                         |       |-------------------
                         |                          |
                      ---------------          ---------------
                      | Windows 2000|          | other PC    |
                      ---------------          ---------------
                    IP = 192.168.1.10         IP = 192.168.1.11
                   (assigned by DHCPD)       (assigned by DHCPD)

* Previously, I used ppp, ipnat and ipf for the dialup link to the ISP.
  It was OK to set filtering rules for tun0 in ipf.rules;
  ipf ran perfectly and filtered the unwanted packets then.

My previous ipf.rules

block in on tun0 all
block in quick on tun0 from 0.0.0.0/7 to any
block in quick on tun0 from 2.0.0.0/8 to any
block in quick on tun0 from 5.0.0.0/8 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 23.0.0.0/8 to any
block in quick on tun0 from 27.0.0.0/8 to any
block in quick on tun0 from 31.0.0.0/8 to any
block in quick on tun0 from 70.0.0.0/7 to any
block in quick on tun0 from 72.0.0.0/5 to any
block in quick on tun0 from 83.0.0.0/8 to any
block in quick on tun0 from 84.0.0.0/6 to any
block in quick on tun0 from 88.0.0.0/5 to any
block in quick on tun0 from 96.0.0.0/3 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 128.0.0.0/16 to any
block in quick on tun0 from 128.66.0.0/16 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 191.255.0.0/16 to any
block in quick on tun0 from 192.0.0.0/19 to any
block in quick on tun0 from 192.0.48.0/20 to any
block in quick on tun0 from 192.0.64.0/18 to any
block in quick on tun0 from 192.0.128.0/17 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 197.0.0.0/8 to any
block in quick on tun0 from 201.0.0.0/8 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 219.0.0.0/8 to any
block in quick on tun0 from 220.0.0.0/6 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in quick on tun0 from 192.168.1.0/24 to any
# Your pass rules come here...
pass in quick all

block out on tun0 all
block out quick on tun0 from !192.168.1.0/24 to any
block out quick on tun0 from 192.168.1.0/24 to 0.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 2.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 5.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 10.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 23.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 27.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 31.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 70.0.0.0/7
block out quick on tun0 from 192.168.1.0/24 to 72.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 83.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 84.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 88.0.0.0/5
block out quick on tun0 from 192.168.1.0/24 to 96.0.0.0/3
block out quick on tun0 from 192.168.1.0/24 to 127.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 128.0.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 128.66.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 169.254.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 172.16.0.0/12
block out quick on tun0 from 192.168.1.0/24 to 191.255.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 192.0.0.0/19
block out quick on tun0 from 192.168.1.0/24 to 192.0.48.0/20
block out quick on tun0 from 192.168.1.0/24 to 192.0.64.0/18
block out quick on tun0 from 192.168.1.0/24 to 192.0.128.0/17
block out quick on tun0 from 192.168.1.0/24 to 192.168.0.0/16
block out quick on tun0 from 192.168.1.0/24 to 197.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 201.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 204.152.64.0/23
block out quick on tun0 from 192.168.1.0/24 to 219.0.0.0/8
block out quick on tun0 from 192.168.1.0/24 to 220.0.0.0/6
block out quick on tun0 from 192.168.1.0/24 to 224.0.0.0/3
# Your pass rules come here...
pass out quick all

Of course, I replaced tun0 with de0 (my new outside interface),
but ipf seems to block every packet, no matter whether it is destined
for de0_alias0 (my internal interface) or for the ext. interface (de0).

Thank you again!

Michael


----- Original Message ----- 
From: "Thomas Spreng" <spreng at socket.ch>
To: <freebsd-questions at freebsd.org>
Sent: Wednesday, September 24, 2003 4:03 PM
Subject: Re: Question for ipf setting on single NIC box


> Hello,
>
> On Wed, Sep 24, 2003 at 03:38:11PM +0800, Michael Lee(HINET) wrote:
> > Hi all,
> >
> > I only have a NIC on my FreeBSD Box.
> >
> > Here is my configuration:
> > ifconfig de0 aaa.bbb.ccc.ddd netmask 255.255.255.0 ( My External Interface )
> > ifconfig de0_alias0 192.168.1.254 netmask 255.255.255.0 ( My Virtual Internal Interface )
>
> beware...de0_alias0 is not a network interface, it's just an alias.
>
> > and this is the result shown for ifconfig -L
> >
> > de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet aaa.bbb.ccc.ddd netmask 0xffffff00 broadcast aaa.bbb.ccc.255
> >         inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:80:c8:f6:7b:c7
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > ( aaa.bbb.ccc.ddd is the static IP I got from the ISP )
> >
> > Everything seems OK to me that the NIC binds the virtual IP.
> >
> > The question is that while configuring ipf.rules and ipnat.rules
> > ( Originally, I use tun0 as the external interface for ppp dialup.
> > It is OK to set the ipf rules to block the incoming and outgoing packet
> > through tun0. )
> > But now I switched to static IP DSL and I failed to configure the de0 ( ext. if )
> > while applying the following rules:
> >
> > block in quick on de0 from 192.168.0.0/16 to any
> > block out quick on de0 from 192.168.0.0/16 to any
>
> this will block all traffic from your de0 alias ip to anywhere else and all
> traffic from 192.168.0.0/16 to either your real inet address or to your
> alias.
>
> > After applying the above rules, ipf seems to block the packets on de0_alias0.
> > DHCPD cannot even send out packets to the local subnet ( 192.168.1.0/24 )
> > ( ipf blocks all traffic that should be blocked on the outside interface )
>
> ipf is supposed to block that because you blocked all traffic from
> 192.168.0.0/16 which includes 192.168.1.0/24. The alias and the real
> inet have the same interface name, that is 'de0'.
> But can you tell me where that local subnet is attached if you only have
> one nic in your box?
>
> > I can only add pass in quick all and pass out quick all now or the traffic
> > will be completely blocked.
> > However, adding only pass in quick all and pass out quick all seems not a
> > good idea for the firewall.
> >
> > Is there anyway to solve the problem ? Or if I wrongly configure ipf ?
>
> if you need more help, please tell exactly what and where you want to
> block/allow the traffic and what your network layout looks like.
>
> cheers,
> tom
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
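The point Tom makes above (the external address and the 192.168.1.254 alias share the interface name de0, so any rule written "on de0" hits both) is what breaks the old tun0 list when it is copied over. The following ipf.rules is an added example, not code from either message: it keeps the thread's bogon list but keys the LAN exceptions on addresses and puts them before the bogon blocks. aaa.bbb.ccc.ddd is the same placeholder the thread uses for the ISP address; the DHCP port rules and the narrowing by destination are my assumptions about what the LAN needs, and the bogon list is abbreviated to a few representative lines, with the rest of the thread's list to be inserted where indicated.

```ipf
# Added example, not from the thread. ipf.rules for a box whose single NIC
# (de0) carries both the external address aaa.bbb.ccc.ddd (placeholder, as in
# the thread) and the internal alias 192.168.1.254. Both addresses share the
# interface name de0, so "on de0" cannot separate LAN traffic from Internet
# traffic; the source/destination address is the only discriminator, and the
# LAN exceptions therefore have to come before the bogon list. Rules are kept
# stateless like the thread's own, because a forwarded packet crosses de0
# twice (in from the sender, out to the receiver).

# ---- inbound on de0 (default deny, quick rules decide) --------------------
block in on de0 all
# DHCP from not-yet-configured clients: src 0.0.0.0 to the limited broadcast.
# The thread's "block in quick ... from 0.0.0.0/7" would otherwise drop it.
pass in quick on de0 proto udp from 0.0.0.0 port = 68 to 255.255.255.255 port = 67
# DHCP renewals from configured clients, unicast to the dhcpd alias.
pass in quick on de0 proto udp from 192.168.1.0/24 port = 68 to 192.168.1.254 port = 67
# LAN hosts talking to the gateway itself, or out through ipnat. Private
# destinations are still dropped on the way out by the outbound list below.
pass in quick on de0 from 192.168.1.0/24 to 192.168.1.254
pass in quick on de0 from 192.168.1.0/24 to any
# Source-address sanity for everything else, i.e. traffic arriving for the
# external address. Same lines as the thread's tun0 list with de0 substituted;
# only a few are repeated here, insert the remaining ones at this point.
block in quick on de0 from 0.0.0.0/7 to any
block in quick on de0 from 10.0.0.0/8 to any
block in quick on de0 from 127.0.0.0/8 to any
block in quick on de0 from 169.254.0.0/16 to any
block in quick on de0 from 172.16.0.0/12 to any
block in quick on de0 from 192.168.0.0/16 to any
block in quick on de0 from 224.0.0.0/3 to any
# Traffic for the box itself, and NAT replies: on input ipnat has already
# rewritten the destination back to the LAN address when ipf sees the packet.
pass in quick on de0 from any to aaa.bbb.ccc.ddd
pass in quick on de0 from any to 192.168.1.0/24

# ---- outbound on de0 ------------------------------------------------------
block out on de0 all
# DHCP offers/acks from dhcpd on the alias, unicast or limited broadcast; the
# broadcast reply is what the thread's "to 224.0.0.0/3" rule was dropping.
pass out quick on de0 proto udp from 192.168.1.254 port = 67 to any port = 68
# Anything for a LAN host: gateway replies and packets forwarded from the
# Internet (destination already un-translated by ipnat).
pass out quick on de0 from any to 192.168.1.0/24
# Destination sanity for LAN-sourced traffic leaving for the Internet. ipf
# filters before ipnat translates on output, so the source is still the LAN
# address here, exactly as in the thread's tun0 rules (list abbreviated again).
block out quick on de0 from 192.168.1.0/24 to 0.0.0.0/7
block out quick on de0 from 192.168.1.0/24 to 10.0.0.0/8
block out quick on de0 from 192.168.1.0/24 to 127.0.0.0/8
block out quick on de0 from 192.168.1.0/24 to 169.254.0.0/16
block out quick on de0 from 192.168.1.0/24 to 172.16.0.0/12
block out quick on de0 from 192.168.1.0/24 to 192.168.0.0/16
block out quick on de0 from 192.168.1.0/24 to 224.0.0.0/3
pass out quick on de0 from 192.168.1.0/24 to any
# The box's own traffic from the external address.
pass out quick on de0 from aaa.bbb.ccc.ddd to any
```

Load it with `ipf -Fa -f /etc/ipf.rules` and check the result with `ipfstat -io`. The ordering matters because every rule here is `quick`: the DHCP and LAN passes must sit above the `0.0.0.0/7`, `192.168.0.0/16` and `224.0.0.0/3` blocks or the symptom from the thread (dhcpd unable to answer, LAN clients unable to reach the alias) comes straight back. The residual risk is the one Tom's question about where the local subnet is attached points at: with the modem, the switch and the box on one segment, a packet arriving from the DSL side with a 192.168.1.x source is indistinguishable from a LAN host and is accepted by the address-keyed passes; only a second NIC (or a VLAN) lets ipf tell the two sides apart by interface.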


