firewall settings and dhcpd

Christoph P. Kukulies kuku at kukulies.org
Sun Apr 25 23:53:58 PDT 2004


On Sun, Apr 25, 2004 at 12:44:52PM +0100, Lewis Thompson wrote:
> On Sun, Apr 25, 2004 at 01:33:22PM +0200, Christoph Kukulies wrote:
> > I'm getting this in my log/messages:
> > 
> > Apr 25 13:25:42 mybox dhcpd: send_packet: Permission denied
> > 
> > Could it be that a certain firewall setting or something missing
> > would be causing this?
> 
> Possibly.  It might be worth including some details of your current
> firewall settings.

Thanks. Here goes:

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a DNS and NTP server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="tun0"
	onet=" 213.146.112.0"
	omask="255.255.255.0"
	oip=" 213.146.112.180"

	# set these to your inside interface network and netmask and ip
	iif="ed0"
	inet="192.168.0.0"
	imask="255.255.255.0"
	iip="192.168.0.1"

	wiif="wi0"
	winet="192.168.254.0"
	wimask="255.255.255.0"
	wiip="192.168.254.1"
	setup_loopback

	# Stop spoofing
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any
# +++ new!
	${fwcmd} add pass tcp from any to ${iip} 53 setup
	${fwcmd} add pass udp from any to ${iip} 53
	${fwcmd} add pass udp from ${iip} 53 to any
	${fwcmd} add pass tcp from any to ${wiip} 53 setup
	${fwcmd} add pass udp from any to ${wiip} 53
	${fwcmd} add pass udp from ${wiip} 53 to any
# ---

	${fwcmd} add pass tcp from 133.227.4.12 to ${oip} 22
	${fwcmd} add pass tcp from 133.227.7.0/24 to ${oip} 22
	${fwcmd} add pass tcp from 133.227.8.0/24 to ${oip} 22
	${fwcmd} add pass tcp from 61.172.141.65 to ${oip} 22

	${fwcmd} add allow icmp from any to any icmptype 0,3,8,11,12


	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80,443 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${oip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${oip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

--
Chris Christoph P. U. Kukulies kuku_at_kukulies.org
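A way to check the posted ruleset against the DHCP traffic dhcpd has to send, added here as an example and not part of the original thread. It is a deliberately simplified model of ipfw(8) first-match evaluation: only the stateless address, port, direction and interface fields are modelled, the `established`, `setup`, `frag`, `keep-state` and `divert natd` rules of the posted config never match a UDP datagram and are left out, and the default policy is assumed to be deny, as the closing comment in the posted config states. The two DHCP packets and the extra DNS packet are constructed sample input; the candidate `pass udp ... 67,68 via ed0` rule is a suggestion to test, not something from the post. On FreeBSD, a packet that ipfw drops on the output path is returned to the sending socket as EACCES, which is the "Permission denied" that dhcpd logs for send_packet, so walking the rules for the server's DHCPOFFER shows whether the firewall is the cause.

```python
import ipaddress

# Interfaces and addresses as posted (the "simple" rc.firewall variables).
OIF, IIF = "tun0", "ed0"
OIP, IIP = "213.146.112.180", "192.168.0.1"
DEFAULT_POLICY = "deny"   # no IPFIREWALL_DEFAULT_TO_ACCEPT, per the posted comment

RESERVED_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
                 "224.0.0.0/4", "240.0.0.0/4")


def rule(action, proto="all", src="any", sports=None,
         dst="any", dports=None, direction=None, via=None):
    """One ipfw rule; None/'any' means wildcard, ports are sets."""
    return dict(action=action, proto=proto, src=src, sports=sports,
                dst=dst, dports=dports, direction=direction, via=via)


# The posted rules that can match a UDP datagram, in their original order.
POSTED_RULES = [
    # Stop spoofing
    rule("deny", src="192.168.0.0/24", direction="in", via=OIF),
    rule("deny", src="213.146.112.0/24", direction="in", via=IIF),
    # RFC1918 / draft-manning nets on the outside interface, both directions
    *[rule("deny", dst=n, via=OIF) for n in RESERVED_NETS],
    *[rule("deny", src=n, via=OIF) for n in RESERVED_NETS],
    # DNS on the inside address (the "+++ new!" block) and outbound DNS/NTP
    rule("pass", proto="udp", dst=IIP, dports={53}),
    rule("pass", proto="udp", src=IIP, sports={53}),
    rule("pass", proto="udp", src=OIP, dports={53}),
    rule("pass", proto="udp", src=OIP, dports={123}),
]

# Candidate fix to test: let DHCP (UDP 67/68) pass on the inside interface only.
DHCP_RULES = [rule("pass", proto="udp", sports={67, 68}, dports={67, 68}, via=IIF)]


def _addr_match(spec, addr):
    return spec == "any" or (
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))


def _port_match(spec, port):
    return spec is None or port in spec


def matches(r, pkt):
    return (r["proto"] in ("all", pkt["proto"])
            and _addr_match(r["src"], pkt["src"])
            and _port_match(r["sports"], pkt["sport"])
            and _addr_match(r["dst"], pkt["dst"])
            and _port_match(r["dports"], pkt["dport"])
            and (r["direction"] is None or r["direction"] == pkt["direction"])
            and (r["via"] is None or r["via"] == pkt["iface"]))


def decide(rules, pkt, default=DEFAULT_POLICY):
    """First-match evaluation: returns (action, 1-based rule number or None)."""
    for number, r in enumerate(rules, 1):
        if matches(r, pkt):
            return r["action"], number
    return default, None


def packet(proto, src, sport, dst, dport, direction, iface):
    return dict(proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, direction=direction, iface=iface)


# Constructed sample traffic.
DHCP_OFFER = packet("udp", IIP, 67, "255.255.255.255", 68, "out", IIF)       # dhcpd reply
DHCP_DISCOVER = packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "in", IIF)
DNS_OUT = packet("udp", OIP, 5353, "198.51.100.5", 53, "out", OIF)           # should pass
SPOOFED_IN = packet("udp", "192.168.0.5", 5000, OIP, 53, "in", OIF)          # should hit rule 1

if __name__ == "__main__":
    for name, pkt in [("DHCPOFFER", DHCP_OFFER), ("DHCPDISCOVER", DHCP_DISCOVER),
                      ("DNS out", DNS_OUT), ("spoofed in", SPOOFED_IN)]:
        print(f"{name:13s} posted: {decide(POSTED_RULES, pkt)}  "
              f"with DHCP rule: {decide(POSTED_RULES + DHCP_RULES, pkt)}")
```

With the rules as posted, both DHCP packets fall through every rule to the default deny, which is what a send_packet EACCES looks like from dhcpd's side; appending the single UDP 67/68 rule bound to ed0 passes them without touching the anti-spoofing or outside-interface denies. The model does not check rule ordering subtleties of the real ruleset (for instance the `divert natd` rule on tun0), so treat it as a way to read the posted config, not as a substitute for `ipfw show` and the log counters on the box.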
