Issues with configuring IPFW for NAT setup
Garrett Cooper
youshi10 at u.washington.edu
Fri Sep 29 01:28:43 PDT 2006
I'm trying to configure a lightweight router/gateway just to block
bad SMTP requests; many virii/spyware apps on Windoze boxes on my
network have forced our ISP to almost shut us down more than once now
because people don't know how to manage their machines =\.
The problem with my config is that all that's going through the NAT
machine are ICMP packets (?!). Weird..
Anyhow, here's the ipfw configuration so far:
#!/bin/sh
# comment the line below and uncomment the line following that if you
# just want to test the rule output
cmd_flags="-f"
#cmd_flags="-n"
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"
ks="keep-state"
# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"
prif="fxp0"   # private (inside) interface
puif="xl0"    # public (outside) interface
# trusted subnet
tsu="192.168.1.0/24"
# untrusted subnet
usu="192.168.0.0/24"
# IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
bad_ports="81, 113, 137-139, 445, 901, 1026, 1433-1434, 1900, 2283, 2869, 3389, 5000, 8080"
# See /root/ports.html for a short list with explanations
virus_ports="1080, 2283, 2535, 2745, 3127-3198, 3410, 5554, 8866, 9898"

$cmd -f flush
# loopback traffic is always allowed (pattern quoted so the shell does not glob it)
$cmd_a 001 $aafat any via 'lo*'
# Properly direct all incoming NAT redirects
$cmd_a 050 divert natd ip from any to me in via $puif
$cmd_a 081 $daf 172.16.0.0/12 to any # reserved IPs
$cmd_a 082 $daf 10.0.0.0/8 to any # reserved IPs
$cmd_a 083 $daf 127.0.0.0/8 to any # loopback
$cmd_a 084 $daf 0.0.0.0/8 to any # "this" network (0.0.0.0/8)
$cmd_a 085 $daf 169.254.0.0/16 to any # link-local (APIPA/auto-DHCP)
$cmd_a 086 deny tcp from 224.0.0.0/3 to any # deny multicast TCP support
# private subnet firewall rules -- allow incoming SSH, DHCP/TFTP (68-69), HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22, 68-69, 80, 443 via $prif
# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22, 68-69, 80, 443 via $puif
# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast,
# and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat smtp.washington.edu 25 out via $puif
$cmd_a 201 $aafat smtp.comcast.net 25 out via $puif
$cmd_a 202 $aafat smtp.earthlink.net 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif
# drop anything to the "bad" and virus ports on the public interface, either direction
$cmd_a 400 $dafat any $bad_ports, $virus_ports via $puif
# deny any TCP traffic trying to be forwarded on ports 10000-65535.
# Don't block UDP since MSN and other services like to randomly allocate
# ports in this range for UDP use.
# (no direction, interface or "setup" qualifier: this matches every TCP
# packet whose destination port is in 10000-65535, whichever way it is going)
$cmd_a 401 deny tcp $fata 10000-65535
# For outbound NAT translation
$cmd_a 600 divert natd all from $tsu to any out via $puif
# untrusted-subnet sources seen on the private interface may only reach this host
$cmd_a 605 deny all from $usu to not me via $prif
# everything else
$cmd_a 611 allow all $fata
Some additional helpful information:
FreeBSD router:
su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: Wed Sep 27 00:17:54 PDT 2006     root at hummer.localdomain:/usr/obj/usr/src/sys/HUMMER i386
su-2.05b# sysctl -n net.inet.ip.forwarding
1
Another interesting thing is that it appears that I've totally
screwed up my TCP configuration or something (or firewalled a bunch of
ports), so my machine cannot access the outside world (even from
localhost). The only thing that appears to be working is DNS resolving.. =\.
My routing tables:
su-2.05b# netstat -r -f inet
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
192.168.0.1        00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
192.168.1.224      00:11:24:2f:15:bc  UHLW        1       51   fxp0    306
My static routes in /etc/rc.conf:
#..snip..
#Route defs
static_routes="router tsu usu"
#static_routes="usu"
route_router="-net 0.0.0.0 192.168.0.1"
route_usu="-net 192.168.0.0/24 192.168.0.1"
route_tsu="-net 192.168.1.0/24 192.168.1.1"
#..end snip..
Ping example of DNS resolving working:
su-2.05b# ping -c 3 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=246 time=84.443 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms
su-2.05b#
IPFIREWALL sections of kernel config:
su-2.05b# grep IPFIREWALL /root/HUMMER
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
Anyone have an idea of what I'm doing wrong in this case?
Thanks!
-Garrett
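Added illustration, not part of Garrett's post and not FreeBSD's own code: a small Python model of ipfw's first-match evaluation over the posted rules 401 and 611, tracing an outbound TCP request from a constructed ephemeral port, the TCP reply to that port, and a UDP DNS reply. The "setup" variant of rule 401 is an assumed alternative for comparison, not something the post proposes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: int              # destination port (0 for icmp)
    syn_only: bool = False  # TCP SYN set, ACK clear: a new connection attempt

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                         # "allow" or "deny"
    proto: str = "all"                  # "all" or a protocol name
    dports: Optional[frozenset] = None  # destination ports, None = any port
    setup: bool = False                 # ipfw "setup": match TCP SYN-without-ACK only

def ports(spec):
    """Expand an ipfw-style port list such as '81, 137-139' into a set."""
    out = set()
    for item in spec.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(out)

def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (not rule.setup or (pkt.proto == "tcp" and pkt.syn_only)))

def first_match(rules, pkt):
    """(rule number, action) of the first matching rule, as ipfw evaluates."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, pkt):
            return r.num, r.action
    return None, "allow"  # kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT

# Rules 401 and 611 as posted: deny tcp from any to any 10000-65535, then allow all.
POSTED = [Rule(401, "deny", "tcp", ports("10000-65535")), Rule(611, "allow")]
# Assumed alternative (not from the post): the same rule 401 with ipfw's "setup"
# keyword, so it matches new connection attempts only, not replies.
SETUP_VARIANT = [Rule(401, "deny", "tcp", ports("10000-65535"), setup=True),
                 Rule(611, "allow")]
# Constructed traffic: an outbound web request from ephemeral port 51234,
# the TCP reply coming back to that port, and a UDP DNS reply to the same port.
SYN = Packet("tcp", 80, syn_only=True)
REPLY = Packet("tcp", 51234)
DNS_REPLY = Packet("udp", 51234)

def trace(rules):
    """Which rule each constructed packet hits under the given rule set."""
    return {n: first_match(rules, p)
            for n, p in (("syn", SYN), ("reply", REPLY), ("dns", DNS_REPLY))}
```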