Problem with firewall

Jayton Garnett jay at codegurus.org
Sat Oct 22 17:18:05 PDT 2005


Andy Rozman (Aleksander) wrote:

>Hi !
>
>I am sorry to post this message here, but I think that there are a lot of
>gurus here, who could help me without a problem.
>
>Till now I was running ipfw with a rule that allows all packets (from kernel)
>to pass through. In the last few weeks I started having problems, since I got
>quite a lot of packets that the server accepted by default.
>
>So I removed this kernel directive, but now I have a problem, that I don't
>know how to set the rules. I have on my FreeBSD box two NICs, one for the outside
>internet, and one for the internal network, so I am using this machine as a router,
>and as a web server,...
>
>Problem is that I don't know how to set the rules so that ipfw will allow all
>directives from the inside network to go out, and receive replies. Please send me a
>working config. I tried several configs I found on the net, but none of them seem
>to work... It would probably also be nice to put one working natd + ipfw
>configuration somewhere in the handbook.
>
>Please help.
>Andy
>
>P.S: I applied for membership to the list, but I don't know how fast this will be
>processed, so please cc to my email.
>
Hello Andy,

Last night I faced a similar problem since ndiscvt on fbsd 5.4 64bit would
not produce the required ndis_driver_data.h file for my wifi card; ndiscvt
produced it on fbsd 5.4 x86, so a friend helped me out and I kind of
understand what you need.
I didn't get mine working because I'm too impatient and my internet
connection went down for a few minutes; in that time I dug out my hub/cat5
patch cables and ran them to my router instead of going something like this:

Main PC --> Gateway --> Router --> Internet

It now goes like this (and so does the rest of the network):

Main PC --> Router --> Internet

This presumes you are using a cable modem with no router in between it and
your server/router.
Hope it works for you!

Cheers,
Jayton


In your /etc/rc.conf you should have something like this:

gateway_enable="YES"
hostname="yourdomain.com"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
# The default route comes from the DHCP lease on rl0; do not point it at
# this box's own inside address (192.168.0.1), or nothing leaves the box.
defaultrouter="NO"

# firewall stuff
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO"
firewall_flags=""

# natd stuff
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"


In your /etc/natd.conf:

interface rl0
# Forward these ports from the outside address to the inside host
# 192.168.0.3. natd(8) accepts port ranges in redirect_port
# (targetIP:lowport-highport lowport-highport), so each range is one line.
redirect_port tcp 192.168.0.3:2090-2095 2090-2095
redirect_port udp 192.168.0.3:2090-2095 2090-2095
redirect_port tcp 192.168.0.3:2000-2004 2000-2004
redirect_port udp 192.168.0.3:2000-2004 2000-2004

Create /etc/rc.firewall if it does not exist, add this in, and see what
happens:

#!/bin/sh

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
fwcmd="/sbin/ipfw"

# oif is the outside (internet) interface, iif the inside one.
# inet/imask is the inside network and iip this box's inside address;
# they must match ifconfig_rl1 in /etc/rc.conf.
oif="rl0"
iif="rl1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# mandatory
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing: nothing arriving on the outside interface may carry an
# inside source address.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}

# Hand every packet crossing the outside interface to natd. A custom
# firewall_script replaces the stock rc.firewall, so this divert rule
# has to be here or natd never sees a packet and nothing is translated.
${fwcmd} add divert natd all from any to any via ${oif}

# exempt everything behind the firewall from this rule set
${fwcmd} add pass ip from any to any via ${iif}  # allow all internal traffic

# turn on stateful firewall
${fwcmd} add check-state

# Allow the packet through if it belongs to an established TCP
# connection. NAT-translated replies do not match the dynamic rules
# created by keep-state below, so this is what lets them back in.
${fwcmd} add allow tcp from any to any established

# Deny IP fragments to pass through
#${fwcmd} add deny all from any to any frag

################################################################################
# allow outgoing connections to specified TCP ports                            #
################################################################################
# allow everything. These two rules match all outbound TCP and UDP, so the
# per-port outbound rules that follow are never reached and only document
# intent. "setup" is a TCP-flags match and never matches UDP, so the UDP
# rule omits it.
${fwcmd} add pass tcp from any to any 1-65535 out via ${oif} setup keep-state
${fwcmd} add pass udp from any to any 1-65535 out via ${oif} keep-state

# Allow setup of http to the outside
${fwcmd} add pass tcp from any to any 80 out via ${oif} setup keep-state

# Allow setup of ssh to the outside
${fwcmd} add pass tcp from any to any 22 out via ${oif} setup keep-state

# Allow setup of CVSUP to the outside
${fwcmd} add allow tcp from any to any 5999 out via ${oif} setup keep-state

# Allow GRE (IP protocol 47, used by PPTP tunnels)
${fwcmd} add pass gre from any to any keep-state

# Allow setup of https to the outside
#${fwcmd} add pass tcp from any to any 443 out via ${oif} setup keep-state

# Allow setup of ftp to the outside
${fwcmd} add pass tcp from any to any 21 out via ${oif} setup keep-state
#${fwcmd} add pass tcp from any to any 49152-65535 out via ${oif} setup keep-state

# Allow setup of pop to the outside (my isp 1)
${fwcmd} add pass tcp from any to any 110 out via ${oif} setup keep-state

# Allow setup of smtp to the outside (isp 1)
${fwcmd} add pass tcp from any to any 25 out via ${oif} setup keep-state

# Allow setup of news to the outside
${fwcmd} add pass tcp from any to any 119 out via ${oif} setup keep-state

# Allow setup of time to the outside
${fwcmd} add pass tcp from any to any 37 out via ${oif} setup keep-state

# Allow DNS queries out to my ISP's DNSs
${fwcmd} add pass udp from any to any 53 out via ${oif} keep-state
# Allow answers to DNS queries from my ISP
${fwcmd} add pass udp from any 53 to any in via ${oif} keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif} keep-state
# Allow answers to NTP queries from my NTP server
${fwcmd} add pass udp from any 123 to any 123 in via ${oif} keep-state

################################################################################
# allow incoming connections from the internet to those specified ports        #
################################################################################
# Allow access to our SSH (22) and news (119) servers
${fwcmd} add pass log tcp from any to me 22 in via ${oif} setup keep-state
${fwcmd} add pass log tcp from any to me 119 in via ${oif} setup keep-state

# Allow access to ftp server (passive mode) from the internet
${fwcmd} add allow tcp from any to me 21 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 20 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 49152-65535 in via ${oif} keep-state

# Allow access to our httpd
${fwcmd} add allow tcp from any to me 80 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 8080 in via ${oif} keep-state

# Allow access to pop and sendmail
${fwcmd} add allow tcp from any to me 25 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 110 in via ${oif} keep-state

# allow ident requests
${fwcmd} add allow tcp from any to me 113 in via ${oif} keep-state

# The ports that natd.conf redirects to 192.168.0.3 arrive here already
# translated to that inside address, so they need their own pass rules.
${fwcmd} add pass tcp from any to 192.168.0.3 2000-2004,2090-2095 in via ${oif} setup keep-state
${fwcmd} add pass udp from any to 192.168.0.3 2000-2004,2090-2095 in via ${oif} keep-state

################################################################################
# default to catch all the rest                                                #
################################################################################
# Stop & log spoofing attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
${fwcmd} add deny log ip from me to me in via ${oif}

# Reject incoming NetBIOS (137-139), MySQL (3306) and X11 (6000)
# connections without logging
${fwcmd} add deny tcp from any to any 137-139 in via ${oif}
${fwcmd} add deny tcp from any to any 3306 in via ${oif}
${fwcmd} add deny tcp from any to any 6000 in via ${oif}

# Reject & log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Reject & log all remaining incoming UDP datagrams from the outside
${fwcmd} add deny log udp from any to any in via ${oif}

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
# Note this also drops ICMP type 3 (unreachable, incl. "fragmentation
# needed"), so path MTU discovery towards this box will not work.
${fwcmd} add deny log icmp from any to me in via ${oif}
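As an added check (example code of my own, not from the original mail and not part of FreeBSD), the following Python script lints an rc.firewall-style ipfw script for the mistakes that are easy to make in a ruleset like the one above: `setup` on a non-TCP rule (a TCP-flags match that never fires on UDP), an interface name after `via` that is not one of the script's own oif/iif variables (the sis1 versus rl1 slip), and natd in use without a `divert natd` rule. The embedded sample script is constructed for the demonstration, and the `natd_enabled` argument stands in for natd_enable in rc.conf.

```python
"""Static checks for an rc.firewall-style ipfw script.

Added example, not code from the original mail or from FreeBSD. The script
is parsed textually: shell variables such as ${fwcmd} and ${oif} are
expanded from the assignments in the script itself.
"""
import re

# Constructed sample in the style of the rc.firewall above, carrying the
# three mistakes the checks look for.
SAMPLE = """#!/bin/sh
fwcmd="/sbin/ipfw"
oif="rl0"
iif="rl1"
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
$fwcmd add pass ip from any to any via sis1  # typo: should be ${iif}
${fwcmd} add check-state
${fwcmd} add pass udp from any to any 1-65535 out via ${oif} setup keep-state
${fwcmd} add deny log tcp from any to any in via ${oif}
"""

# The same sample with the mistakes corrected and a divert rule added.
FIXED = (SAMPLE.replace("via sis1", "via ${iif}")
               .replace("setup keep-state", "keep-state")
         + "${fwcmd} add divert natd all from any to any via ${oif}\n")

ASSIGN = re.compile(r'^(\w+)="?([^"#]*?)"?\s*$')
VAR = re.compile(r"\$\{?(\w+)\}?")


def expand(line, env):
    """Substitute $var and ${var} using the script's own assignments."""
    return VAR.sub(lambda m: env.get(m.group(1), m.group(0)), line)


def parse_rules(script):
    """Return (env, rules): the variable table and each 'ipfw add' rule as tokens."""
    env, rules = {}, []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        tokens = expand(line, env).split()
        if len(tokens) > 2 and tokens[0].endswith("ipfw") and tokens[1] == "add":
            body = tokens[2:]
            if body[0].isdigit():                # optional explicit rule number
                body = body[1:]
            rules.append(body)
    return env, rules


def lint(script, natd_enabled=False):
    """Return a list of findings; an empty list means the checks all passed."""
    env, rules = parse_rules(script)
    known_ifaces = {env.get("oif"), env.get("iif"), "lo0"} - {None}
    findings, seen_divert = [], False
    for n, body in enumerate(rules, 1):
        rest = body[1:]
        if body[0] == "divert":
            seen_divert = True
            rest = rest[1:]                      # skip the divert port name
        if rest and rest[0] == "log":
            rest = rest[1:]
        proto = rest[0] if rest else None
        # 'setup' is a TCP-flags match: on any other protocol it never matches,
        # so the rule silently passes or denies nothing.
        if "setup" in body and proto != "tcp":
            findings.append(f"rule {n}: 'setup' on a {proto} rule never matches")
        # Interface names must be ones the script declares (catches sis1 vs rl1).
        for i, tok in enumerate(body[:-1]):
            if tok in ("via", "recv", "xmit") and body[i + 1] not in known_ifaces:
                findings.append(f"rule {n}: interface {body[i + 1]!r} is not oif/iif/lo0")
    # natd only ever sees packets that a divert rule hands to it.
    if natd_enabled and not seen_divert:
        findings.append("natd enabled but no 'divert natd' rule: nothing is translated")
    return findings


if __name__ == "__main__":
    for name, script in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(f"{name}: {lint(script, natd_enabled=True) or 'no findings'}")
```

Run it against a real script with `lint(open("/etc/rc.firewall").read(), natd_enabled=True)` before loading the rules; it reads only the text, so it is safe to run on a box whose firewall is currently broken. The parser deliberately understands just the `name="value"` and `${fwcmd} add ...` shapes used above, which is enough for scripts of this style without pulling in a shell interpreter.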