Issues with configuring IPFW for NAT setup

Garrett Cooper youshi10 at u.washington.edu
Fri Sep 29 01:28:43 PDT 2006


    I'm trying to configure a lightweight router/gateway just to block 
bad SMTP requests; many virii/spyware apps on Windoze boxes on my 
network have forced our ISP to almost shut us down more than once now 
because people don't know how to manage their machines =\.
    The problem with my config is that all that's going through the NAT 
machine are ICMP packets (?!). Weird..
    Anyhow, here's the ipfw configuration so far:

#!/bin/sh

# comment the line below and uncomment the line following that if you just want to test the rule output
cmd_flags="-f"
#cmd_flags="-n"
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"
ks="keep-state"

# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"

prif="fxp0"
puif="xl0"

# trusted subnet
tsu="192.168.1.0/24"
# untrusted subnet
usu="192.168.0.0/24"

bad_ports="81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080"     # IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
virus_ports="1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898"                         # See /root/ports.html for a short list with explanations

$cmd -f flush

$cmd_a 001 $aafat any via lo*

$cmd_a 050 divert natd ip from any to me in via $puif # Properly direct all incoming NAT redirects

$cmd_a 081 $daf 172.16.0.0/12 to any # reserved IPs
$cmd_a 082 $daf 10.0.0.0/8 to any # reserved IPs
$cmd_a 083 $daf 127.0.0.0/8 to any # loopback
$cmd_a 084 $daf 0.0.0.0/8 to any # broadcast
$cmd_a 085 $daf 169.254.0.0/16 to any # auto-DHCP
$cmd_a 086 deny tcp from 224.0.0.0/3 to any # deny multicast TCP support

# private subnet firewall rules -- allow incoming SSH, HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22, 68-69, 80, 443 via $prif

# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22, 68-69, 80, 443 via $puif

# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast, and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat smtp.washington.edu 25 out via $puif
$cmd_a 201 $aafat smtp.comcast.net 25 out via $puif
$cmd_a 202 $aafat smtp.earthlink.net 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif

$cmd_a 400 $dafat any $bad_ports, $virus_ports via $puif
# deny any TCP traffic trying to be forwarded on ports 10000-65535. Don't block UDP since MSN and other services like to randomly allocate ports in this range for UDP use.
$cmd_a 401 deny tcp $fata 10000-65535

$cmd_a 600 divert natd all from $tsu to any out via $puif # For outbound NAT translation

$cmd_a 605 deny all from $usu to not me via $prif

$cmd_a 611 allow all $fata

Some additional helpful information:

FreeBSD router:
su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: Wed Sep 27 00:17:54 PDT 2006     root at hummer.localdomain:/usr/obj/usr/src/sys/HUMMER  i386
su-2.05b# sysctl -n net.inet.ip.forwarding
1

    Another interesting thing is that it appears that I've totally 
screwed up my TCP configuration or something (or firewalled a bunch of 
ports), so my machine cannot access the outside world (even from 
localhost). The only thing that appears to be working is DNS resolving.. =\.

My routing tables:

su-2.05b# netstat -r -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
192.168.0.1        00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
192.168.1.224      00:11:24:2f:15:bc  UHLW        1       51   fxp0    306

    My static routes in /etc/rc.conf:

#..snip..

#Route defs
static_routes="router tsu usu"
#static_routes="usu"
route_router="-net 0.0.0.0 192.168.0.1"
route_usu="-net 192.168.0.0/24 192.168.0.1"
route_tsu="-net 192.168.1.0/24 192.168.1.1"

#..end snip..

    Ping example of DNS resolving working:

su-2.05b# ping -c 3 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=246 time=84.443 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms
su-2.05b#

    IPFIREWALL sections of kernel config:

su-2.05b# grep IPFIREWALL /root/HUMMER
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_DEFAULT_TO_ACCEPT

    Anyone have an idea of what I'm doing wrong in this case?
    Thanks!
-Garrett
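The rule set in the post, traced offline as an added example (this is not Garrett's script and not part of the original message): a small first-match simulator that walks the rules in the order given above and reports which rule each constructed packet stops at. It takes the interface names, subnets, port lists and the 192.168.1.224 LAN host from the post, and assumes a router public address of 192.168.0.2 and a client ephemeral port of 49152 (neither is in the post). The divert rules are modelled as a pass-through, since natd's address rewriting does not change which of the later rules matches, and the three hostname-based SMTP allow rules (200-202) are omitted because nothing is resolved here. Running it shows the same asymmetry the post describes: ICMP and UDP replies reach rule 611, while a TCP reply to the client's ephemeral port stops at rule 401.

```python
"""First-match simulator for the ipfw rule set in the post (added example)."""
import ipaddress

# Constructed: the router's own addresses ("me").  fxp0 is 192.168.1.1 in the
# post's routing table; the xl0 address is an assumption.
ME = {"192.168.1.1", "192.168.0.2"}


def ports(spec):
    """Expand a list in the post's style ("81, 113, 137-139") into a set of ints."""
    out = set()
    for tok in spec.replace(" ", "").split(","):
        if tok:
            lo, _, hi = tok.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out


BAD_PORTS = ports("81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080")
VIRUS_PORTS = ports("1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898")


def addr_in(addr, spec):
    """Match an address against 'any', 'me', 'not me' or a CIDR prefix."""
    if spec.startswith("not "):
        return not addr_in(addr, spec[4:])
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def match(pkt, proto="ip", src="any", dst="any", dport=None, direction=None, via=None):
    """One ipfw-style rule body; a dport clause never matches a packet without ports."""
    if proto != "ip" and pkt["proto"] != proto:
        return False
    if not addr_in(pkt["src"], src) or not addr_in(pkt["dst"], dst):
        return False
    if dport is not None and pkt.get("dport") not in dport:
        return False
    if direction is not None and pkt["dir"] != direction:
        return False
    if via is not None and pkt["iface"] != via:
        return False
    return True


# The post's rules, in order.  Hostname rules 200-202 are left out (no DNS here).
RULES = [
    (1,   "allow",  dict(via="lo0")),
    (50,  "divert", dict(dst="me", direction="in", via="xl0")),
    (81,  "deny",   dict(src="172.16.0.0/12")),
    (82,  "deny",   dict(src="10.0.0.0/8")),
    (83,  "deny",   dict(src="127.0.0.0/8")),
    (84,  "deny",   dict(src="0.0.0.0/8")),
    (85,  "deny",   dict(src="169.254.0.0/16")),
    (86,  "deny",   dict(proto="tcp", src="224.0.0.0/3")),
    (160, "allow",  dict(dst="me", dport={22, 68, 69, 80, 443}, via="fxp0")),
    (170, "allow",  dict(dst="me", dport={22}, via="xl0")),
    (171, "deny",   dict(dst="me", dport={22, 68, 69, 80, 443}, via="xl0")),
    (203, "deny",   dict(dport={25}, direction="out", via="xl0")),
    (400, "deny",   dict(dport=BAD_PORTS | VIRUS_PORTS, via="xl0")),
    (401, "deny",   dict(proto="tcp", dport=set(range(10000, 65536)))),
    (600, "divert", dict(src="192.168.1.0/24", direction="out", via="xl0")),
    (605, "deny",   dict(src="192.168.0.0/24", dst="not me", via="fxp0")),
    (611, "allow",  dict()),
]


def evaluate(pkt):
    """Return (rule number, action, diverting rules) for the first allow/deny hit.
    As in ipfw, a diverted packet continues at the rule after the divert; natd's
    rewrite is modelled as a pass-through because it changes no verdict here."""
    diverted = []
    for num, action, kw in RULES:
        if match(pkt, **kw):
            if action == "divert":
                diverted.append(num)
                continue
            return num, action, diverted
    return 65535, "allow", diverted  # IPFIREWALL_DEFAULT_TO_ACCEPT, as in the post's kernel


def packet(proto, src, dst, direction, iface, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dir": direction, "iface": iface, "dport": dport}


# Constructed sample traffic: a LAN host browsing out, and the replies coming back.
ROUTER_PUBLIC = "192.168.0.2"   # assumption
LAN_HOST = "192.168.1.224"      # from the post's routing table
WEB = "64.233.187.99"           # from the post's ping output
SAMPLES = {
    "lan web SYN, in via fxp0": packet("tcp", LAN_HOST, WEB, "in", "fxp0", dport=80),
    "lan web SYN, out via xl0": packet("tcp", LAN_HOST, WEB, "out", "xl0", dport=80),
    "web reply to ephemeral port": packet("tcp", WEB, ROUTER_PUBLIC, "in", "xl0", dport=49152),
    "icmp echo reply": packet("icmp", WEB, ROUTER_PUBLIC, "in", "xl0"),
    "udp dns reply": packet("udp", "192.168.0.1", ROUTER_PUBLIC, "in", "xl0", dport=50123),
}


def verdicts():
    """Map each sample to the (rule number, action) it stops at."""
    return {name: evaluate(p)[:2] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        num, action, div = evaluate(p)
        print(f"{name:30s} -> rule {num:5d} {action:6s} (diverted by {div or 'none'})")
```

The simulator only models the clauses the post's rules actually use (protocol, source/destination, destination ports, in/out, via), so it is a reasoning aid for this rule set rather than a general ipfw parser; the useful habit it demonstrates is tracing the return half of every flow, not just the outbound packet, before loading a rule set with `-f`.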
