firewall settings and dhcpd
Christoph P. Kukulies
kuku at kukulies.org
Sun Apr 25 23:53:58 PDT 2004
On Sun, Apr 25, 2004 at 12:44:52PM +0100, Lewis Thompson wrote:
> On Sun, Apr 25, 2004 at 01:33:22PM +0200, Christoph Kukulies wrote:
> > I'm getting this in my log/messages:
> >
> > Apr 25 13:25:42 mybox dhcpd: send_packet: Permission denied
> >
> > Could it be that a certain firewall setting or something missing
> > would be causing this?
>
> Possibly. It might be worth including some details of your current
> firewall settings.
Thanks. Here goes:
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="tun0"
onet=" 213.146.112.0"
omask="255.255.255.0"
oip=" 213.146.112.180"
# set these to your inside interface network and netmask and ip
iif="ed0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"
wiif="wi0"
winet="192.168.254.0"
wimask="255.255.255.0"
wiip="192.168.254.1"
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# +++ neu!
${fwcmd} add pass tcp from any to ${iip} 53 setup
${fwcmd} add pass udp from any to ${iip} 53
${fwcmd} add pass udp from ${iip} 53 to any
${fwcmd} add pass tcp from any to ${wiip} 53 setup
${fwcmd} add pass udp from any to ${wiip} 53
${fwcmd} add pass udp from ${wiip} 53 to any
# ---
${fwcmd} add pass tcp from 133.227.4.12 to ${oip} 22
${fwcmd} add pass tcp from 133.227.7.0/24 to ${oip} 22
${fwcmd} add pass tcp from 133.227.8.0/24 to ${oip} 22
${fwcmd} add pass tcp from 61.172.141.65 to ${oip} 22
${fwcmd} add allow icmp from any to any icmptype 0,3,8,11,12
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80,443 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
--
Chris Christoph P. U. Kukulies kuku_at_kukulies.org
More information about the freebsd-questions
mailing list