now i'm trying to set up a gateway box using ipfw/natd. i have 2 test machines - machine 1 has two nics, one's an integrated intel 1000 pro, the other is an old pci 3com 3c905b. machine 1 has a static ip and hostname. machine 2 is virtually identical except it has only one nic - the intel 1000 pro integrated. machine 2 also has a static ip and hostname. i'd like machine 1 to act as a gateway/packet filtering firewall/natd box. i'd like to hook up machine 2 to the internal network interface card of machine 1 and be able to filter/log/divert packets bound for machine 2 through ipfw/natd on machine 1.
i've been basically following the instructions at http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed host'.

- on machine 1, ifconfig returns

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 129.x.x.35 netmask 0xffffff00 broadcast 129.x.x.255
            inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
            ether 00:10:5a:c6:8b:cb
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 10.20.155.1 netmask 0xffffff00 broadcast 10.20.155.255
            inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
            ether 00:06:5b:80:98:5b
            media: Ethernet autoselect (none)
            status: no carrier

  i'd like xl0 to be my external nic, and xl1 to be my internal nic.

- on machine 1, my /etc/rc.conf reads

    ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
    ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
    gateway_enable="YES"
    #required for ipfw support
    firewall_enable="YES"
    firewall_script="/etc/rc.ipfw"
    firewall_type="open"
    firewall_quiet="NO"     #change to yes once happy with rules
    firewall_logging_enable="YES"
    #extra firewalling options
    log_in_vain="YES"
    tcp_drop_synfin="YES"
    icmp_drop_redirect="YES"
    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

    #to enable ipfirewall with default to deny all packets
    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    #to hide the firewall from traceroute
    options IPSTEALTH
    options IPDIVERT
    #to hide from nmap
    options TCP_DROP_SYNFIN

- machine 1's firewall_script, /etc/rc.ipfw, is taken from the tutorial mostly verbatim; the only part of it i changed was

    # Suck in the configuration variables.
    if [ -r /etc/defaults/rc.conf ]; then
            . /etc/defaults/rc.conf
            source_rc_confs
    elif [ -r /etc/rc.conf ]; then
            . /etc/rc.conf
    fi

    if [ -n "${1}" ]; then
            firewall_type="${1}"
    fi

    # Firewall program
    fwcmd="/sbin/ipfw"

    # Outside interface network and netmask and ip
    oif="xl0"
    onet="129.x.x.1"
    omask="255.255.255.0"
    oip="129.x.x.35"

    # Inside interface network and netmask and ip
    iif="xl1"
    inet="10.20.155.0"
    imask="255.255.255.0"
    iip="10.20.155.1"

    # My ISP's DNS servers
    dns1="129.x.x.1"
    dns2="165.x.x.21"

    # Flush previous rules
    ${fwcmd} -f flush

    # Allow loopbacks, deny imposters
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

    # If you're using 'options BRIDGE', uncomment the following line to pass ARP
    #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation. This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules. If for example one of your internal LAN machines had its IP
    # address set to 192.0.2.1 then an incoming packet for it after being
    # translated by natd(8) would match the `deny' rule above. Similarly
    # an outgoing packet originated from it before being translated would
    # match the `deny' rule below.
    ${fwcmd} add divert natd all from any to any via ${natd_interface}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

    # Allow established connections with minimal overhead
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    ### TCP RULES

    # HTTP - Allow access to our web server
    ${fwcmd} add pass tcp from any to any 80 setup

    # SMTP - Allow access to sendmail for incoming e-mail
    ${fwcmd} add pass tcp from any to any 25 setup

    # FTP - Allow incoming data channel for outgoing connections,
    # reject & log all incoming control connections
    ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
    ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

    # SSH Login - Allow & Log all incoming
    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

    # IDENT - Reset incoming connections
    ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    ### UDP RULES

    # DNS - Allow queries out in the world
    ${fwcmd} add pass udp from any to ${dns1} 53
    ${fwcmd} add pass udp from any to ${dns2} 53
    ${fwcmd} add pass udp from ${dns1} 53 to any
    ${fwcmd} add pass udp from ${dns2} 53 to any

    # SMB - Allow local traffic
    ${fwcmd} add pass udp from any to any 137-139 via ${iif}

    # SYSLOG - Allow machines on inside net to log to us.
    ${fwcmd} add pass log udp from any to any 514 via ${iif}

    # NTP - Allow queries out in the world
    ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
    ${fwcmd} add pass udp from any 123 to any via ${iif}
    ${fwcmd} add pass udp from any to any 123 via ${iif}

    # TRACEROUTE - Allow outgoing
    ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

    ### ICMP RULES

    # ICMP packets
    # Allow all ICMP packets on internal interface
    ${fwcmd} add pass icmp from any to any via ${iif}

    # Allow outgoing pings
    ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

    # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
    ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

    # Deny the rest of them
    ${fwcmd} add deny icmp from any to any

    ### MISCELLANEOUS REJECT RULES

    # Reject broadcasts from outside interface
    ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

    # Reject&Log SMB connections on outside interface
    ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

    # Reject&Log all other connections from outside interface
    ${fwcmd} add 65000 deny log ip from any to any via ${oif}

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.

- i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on machine 1 - to machine 2's nic. i've edited machine 2's /etc/rc.conf so that it points to the internal nic - xl1 on machine 1 - as its default gateway:

    <snip>
    defaultrouter="10.20.155.1"
    hostname="machine2.hostname.com"
    ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"
    <snip>

at the moment, it's not working. on machine 2:

- i can't ping www.freebsd.org - i get 'hostname lookup failure'
- i can't ping xl0 - external nic on machine 1 - ping 129.x.x.35 gives me a 'host is down' message
- machine 2 can ping its own static ip successfully - ping 129.x.x.20 works
- machine 2 can ping its own hostname successfully - ping machine2.hostname.com works

sorry if this is long, i've been messing with this all day and i think i'm doing it right. can you guys tell if i'm missing something obvious? thanks
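A consistency check for the kind of rc.conf mismatch the machine 2 snippet shows: its defaultrouter is 10.20.155.1, but its only interface is addressed on the 129.x.x.0/24 network, so the router is not on any directly attached subnet and the host cannot forward through it. This POSIX sh script is an added example, not code from the original thread or the linked tutorial; the sample rc.conf text is constructed, the masked 129.x.x octets are filled with the placeholder 129.0.0, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: check that an rc.conf's
# defaultrouter lies on the subnet of one of its ifconfig_<if> lines.

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Status 0 when addresses $1 and $2 share a subnet under netmask $3.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# $1 interface address, $2 its netmask, $3 the router to reach.
check_gateway() {
    if same_subnet "$1" "$3" "$2"; then
        echo "ok: router $3 is on the $1/$2 network"
    else
        echo "MISMATCH: router $3 is not directly reachable from $1/$2"
        return 1
    fi
}

# Scan rc.conf text in $1; status 0 if some ifconfig_* line reaches defaultrouter.
rcconf_gateway_ok() {
    gw=$(printf '%s\n' "$1" | sed -n 's/^defaultrouter="\([^"]*\)".*/\1/p')
    [ -n "$gw" ] || { echo "no defaultrouter set"; return 1; }
    found=1
    # Each matching line is reduced to "ADDR,MASK" so the loop can split on spaces.
    for pair in $(printf '%s\n' "$1" |
            sed -n 's/^ifconfig_[a-z0-9]*="inet \([^ ]*\) netmask \([^" ]*\).*/\1,\2/p'); do
        check_gateway "${pair%,*}" "${pair#*,}" "$gw" && found=0
    done
    return $found
}

# Constructed rc.conf fragment modelled on the posted machine 2 config, with
# the masked 129.x.x octets filled in by the placeholder 129.0.0.
SAMPLE_RCCONF='defaultrouter="10.20.155.1"
hostname="machine2.hostname.com"
ifconfig_xl0="inet 129.0.0.20 netmask 255.255.255.0"'

rcconf_gateway_ok "$SAMPLE_RCCONF" || echo "fix defaultrouter or the interface address"
```

Running it against the sample prints the MISMATCH line; giving xl0 an address such as 10.20.155.20/24 on the gateway's internal network makes the check pass.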