Port Forwarding

Rishi Chopra rchopra at cal.berkeley.edu
Mon Jan 19 12:59:39 PST 2004


What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
(2) Forward ports 412 and 5800 to my Win2k box.

What I have:  The setup is pictured below. 
IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
my kernel config file.  Rule-of-thumb advice about 
"how best to secure a network" is not necessary in this case (the Win2k 
box has its own firewall installed (ZoneAlarm) and I already know too 
much about security).

ISP          FreeBSD Gateway        Win2k Box

>----------rl0--------------rl1-------------------<
ALL        DHCP     192.168.0.1     192.168.0.2

The problem:  When I change the firewall type to SIMPLE from OPEN, the 
Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
do not work.  With the firewall type set to OPEN, there are no problems 
whatsoever.  I am also new to the IPFW syntax.

What I would like to know is: (1) the syntax for forwarding incoming 
connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
whether the syntax for allowing connections to the outside network (such 
as DNS) is correct and if some other problem is preventing the Win2k box 
from querying DNS when SIMPLE is enabled.

Here's the rc.conf file:

gateway_enable="YES"
hostname="usha.dyndns.org"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
# firewall_type="SIMPLE"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"

Here's the rc.firewall file, with comments trimmed for formatting:

[Ss][Ii][Mm][Pp][Ll][Ee])
         ############

         # set these to your outside interface network and netmask and ip
         oif="rl0"
         omask="255.255.255.0"
         oip="me"

         # set these to your inside interface network and netmask and ip
         iif="rl1"
         inet="192.168.0.1"
         imask="255.255.255.0"
         iip="192.168.0.1"

         setup_loopback

         # Stop spoofing
         ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
         ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

         # Stop RFC1918 nets on the outside interface
         ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
         ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
         ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

         # Stop draft-manning-dsua-03.txt (1 May 2000) nets
         ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
         ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
         ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
         ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
         ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

         # Network Address Translation.
         # match the `deny' rule below.
         case ${natd_enable} in
         [Yy][Ee][Ss])
                 if [ -n "${natd_interface}" ]; then
                         ${fwcmd} add divert natd all from any to any via ${natd_interface}
                 fi
                 ;;
         esac

         # Stop RFC1918 nets on the outside interface
         ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
         ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
         ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

         # Stop draft-manning-dsua-03.txt (1 May 2000) nets
         ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
         ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
         ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
         ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
         ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

         # Allow TCP through if setup succeeded
         ${fwcmd} add pass tcp from any to any established

         # Allow IP fragments to pass through
         ${fwcmd} add pass all from any to any frag

         # Allow setup of incoming email
         ${fwcmd} add pass tcp from any to ${oip} 25 setup

         # Allow access to our DNS
         ${fwcmd} add pass tcp from any to ${oip} 53 setup
         ${fwcmd} add pass udp from any to ${oip} 53
         ${fwcmd} add pass udp from ${oip} 53 to any

         # Allow access to our WWW
         ${fwcmd} add pass tcp from any to ${oip} 80 setup

         # Reject&Log all setup of incoming connections from the outside
         ${fwcmd} add deny log tcp from any to any in via ${oif} setup

         # Allow setup of any other TCP connection
         ${fwcmd} add pass tcp from any to any setup

         # Allow DNS queries out in the world
         ${fwcmd} add pass udp from ${oip} to any 53 keep-state

         # Allow NTP queries out in the world
         ${fwcmd} add pass udp from ${oip} to any 123 keep-state

         # Pass VNC and DC++ connections to 192.168.0.2
         # ${fwcmd} add pass tcp from $oip to 192.168.0.2 412 setup
         # ${fwcmd} add pass tcp from $oip to 192.168.0.2 1412 setup
         # ${fwcmd} add pass tcp from $oip to 192.168.0.2 5800 setup

         # Everything else is denied by default, unless the
         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
         # config file.
         ;;

-- 
Rishi Chopra
http://www.ocf.berkeley.edu/~rchopra
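Added example from the editor, not part of the original post or of FreeBSD's own rc.firewall: the rules a SIMPLE ruleset with natd needs for the LAN behind rl1 to reach the gateway and external DNS, and the natd.conf redirects that send TCP 412 and 5800 to 192.168.0.2. It assumes inet is the LAN network address 192.168.0.0 (the post uses the gateway IP), that the rules are inserted right after the divert rule, and a dry-run fwcmd of echo; the function names are the editor's.

```shell
#!/bin/sh
# Added example, not from the original post or FreeBSD's rc.firewall:
# rules to insert in the SIMPLE section right after its "divert natd"
# rule, plus the natd.conf lines that forward TCP 412 and 5800 to the
# Win2k box. fwcmd defaults to echo so the rules can be reviewed on any
# host; set fwcmd=/sbin/ipfw on the gateway to load them.
fwcmd="${fwcmd:-echo}"
oif="rl0"; iif="rl1"
inet="192.168.0.0"; imask="255.255.255.0"   # LAN network, not gateway IP
lanhost="192.168.0.2"                        # Win2k box from the post
fwd_ports="412 5800"                         # DC++ and VNC from the post

lan_rules() {
    # LAN packets arrive on rl1 with their private source address (natd
    # only rewrites them as they leave rl0), but the SIMPLE set passes
    # outbound DNS/NTP only when the source is "me". Pass LAN traffic in.
    ${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
    # Anything headed for the LAN may leave rl1; what is allowed to reach
    # the LAN at all is decided by the rl0 rules below.
    ${fwcmd} add pass all from any to ${inet}:${imask} out via ${iif}
    # ICMP echo/reply, unreachable and time-exceeded, so ping to the
    # gateway and path-MTU discovery keep working.
    ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11
    # Replies on rl0 to the LAN's DNS and NTP queries: natd has already
    # rewritten the destination back to the LAN host, so the keep-state
    # rule keyed on "me" no longer matches them. TCP replies are covered
    # by the existing "pass tcp from any to any established" rule.
    ${fwcmd} add pass udp from any 53 to ${inet}:${imask} in via ${oif}
    ${fwcmd} add pass udp from any 123 to ${inet}:${imask} in via ${oif}
    # Forwarded ports: natd rewrites the destination to 192.168.0.2 and
    # ipfw resumes after the divert rule, so the SYN is matched on the LAN
    # address. These must precede "deny log tcp ... in via rl0 setup".
    for p in ${fwd_ports}; do
        ${fwcmd} add pass tcp from any to ${lanhost} ${p} in via ${oif} setup
    done
}

# /etc/natd.conf lines (rc.conf already passes -f /etc/natd.conf):
# redirect_port proto targetIP:targetPORT aliasPORT
natd_redirects() {
    for p in ${fwd_ports}; do
        printf 'redirect_port tcp %s:%s %s\n' "${lanhost}" "${p}" "${p}"
    done
}

lan_rules
natd_redirects
```

Raw packets arriving on rl0 with a 192.168.0.0/16 destination are still dropped by the anti-spoofing rule ahead of the divert rule; only packets natd has translated carry a LAN address when they reach these rules.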
