RE: IPFW acting weird OR invalid ruleset?

2004-07-02 Thread Philip Payne
 
 steve,
  Yes everything else seems to work fine.  There are currently 2 PCs
 with this issue.  1 is XP the other is Win2k.  This ruleset worked
 fine on FreeBSD 5.1, but I reformatted the box, and installed 5.2.1,
 uploaded the rc.firewall.rules and natd.conf files; since the network
 interfaces were the same I didn't really have to change anything.

Ok... so reading the ruleset, this is how the traffic will behave (referring to
your rc.firewall):

Outgoing FTP session is passed first by rule 04109 (with a keep-state) and
then by 61001 (without a keep-state). 

So, will the returning traffic get passed by the check-state on the way back
in?... I'm not sure, possibly. 

Also, funny that it works for 5.1 and not 5.2.1, which implies bugs.

The general consensus from my and Steve's responses is that we don't understand
the ruleset. Using skipto just to divert to natd and pass outgoing traffic does
seem overly complicated and I've not seen anyone else use that approach.
Maybe I am missing some advantage that it gives you.

I figure you have two approaches to solve this:

1) If you want to debug the current ruleset add logging to the deny rules
and check where the traffic is being dropped. If it is the ruleset at fault
then the traffic MUST be being dropped by it on one of the rules.
Remember logging is your friend. 

Or

2) There may be some benefit to re-writing the ruleset in a format you
personally understand rather than using a template.

Your general approach to a firewall ruleset should be:

a) First section contains any anti-spoofing rules and then rules to divert
traffic going via the outside interface to natd and to check-state.
b) Second section to allow/deny traffic directly to the firewall.
c) Then a section to allow the incoming services to your site. You should
then end this section with something like "deny all traffic coming in via my
external interface", as unless you specifically want the traffic you should
drop it.
d) Then a section to permit the required traffic out from your site. You
should end this section with something like "deny log all traffic", as if
you haven't specified it to pass, it shouldn't.

Then you can refine this approach by adding deny rules without logging to
only log what's required and pick up on traffic that you should be passing
but you are not.

I'm afraid it's very difficult to be specific on writing firewall policy as
it will be unique to your needs but I hope that general approach will help.

Tools like /usr/ports/security/fwbuilder (home www.fwbuilder.org) can help
in generating policy but the install features for IPFW are not quite
working. I have posted a script to help with this previously.

Thanks,
Phil.

 I found these rules on this website:
 
 http://www.lugbe.ch/lostfound/contrib/freebsd_router/
 
 here is the sample I used from the website:
 
 # be quiet and flush all rules on start
 -q flush
 
 # allow local traffic, deny RFC 1918 addresses on the outside
 add 00100 allow ip from any to any via lo0
 add 00110 deny ip from any to 127.0.0.0/8
 add 00120 deny ip from any to any not verrevpath in
 add 00301 deny ip from 10.0.0.0/8 to any in via ep0
 add 00302 deny ip from 172.16.0.0/12 to any in via ep0
 add 00303 deny ip from 192.168.0.0/16 to any in via ep0
 
 # check if incoming packets belong to a natted session, allow through if yes
 add 01000 divert natd ip from any to me in via ep0
 add 01001 check-state
 
 # allow some traffic from the local net to the router
 # SSH
 add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
 # ICMP
 add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
 # NTP
 add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
 add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
 # DNS
 add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
 
 # drop everything else
 add 04009 deny ip from 192.168.1.0/24 to me
 
 # pass outgoing packets (to be natted) on to a special NAT rule
 add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state
 
 # allow all outgoing traffic from the router (maybe you should be more restrictive)
 add 05010 allow ip from me to any out keep-state
 
 # drop everything that has come so far. This means it doesn't belong to an
 # established connection, don't log the most noisy scans.
 add 59998 deny icmp from any to me
 add 5 deny ip from any to me dst-port 135,137-139,445,4665
 add 6 deny log tcp from any to any established
 add 6 deny log ip from any to any
 
 # this is the NAT rule. Only outgoing packets from the local net will come here.
 # First, nat them, then pass them on (again, you may choose to be more restrictive)
 add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
 add 61001 allow ip from any to 
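
A quick structural check in the spirit of Phil's and Steve's remarks about rule ordering, added here as an example and not something posted in the thread: the POSIX sh/awk script below reads a rules file in the rc.firewall.rules format used above and reports rules that were wrapped onto two lines, duplicate rule numbers, a rule numbered lower than the one before it (ipfw orders rules by number, so such a rule takes effect somewhere other than where it sits in the file), and skipto targets that are missing or do not point forward. The function names are the example's own, and the sample rules it runs on are constructed to mimic the shape of the thread's ruleset; they are not the poster's file.

```shell
#!/bin/sh
# Added example: lint an ipfw(8) rules file of the kind loaded via
# firewall_type=/etc/fw/rc.firewall.rules. Not part of the thread.
#
# Reports, one line per finding:
#   - a line that is neither a comment, "-q flush" nor an "add" rule
#     (usually a rule a mail client or editor wrapped onto two lines)
#   - a rule numbered lower than the rule before it in the file: ipfw
#     orders rules by number, so it will not sit where the file suggests
#   - a duplicate rule number
#   - a skipto whose target number is not ahead of it or does not exist
# Exit status is 1 when anything was reported, 0 otherwise.
lint_ipfw_rules() {
    awk '
    function report(msg) { problems++; print "line " NR ": " msg }
    BEGIN { last = -1; problems = 0 }
    NF == 0 || $1 ~ /^#/ || $1 == "-q" { next }
    $1 != "add" { report("not a rule (wrapped continuation line?): " $0); next }
    $2 !~ /^[0-9]+$/ { report("rule without a number: " $0); next }
    {
        num = $2 + 0
        if (num < last) report("rule " $2 " is numbered below the preceding rule " last)
        last = num
        if (num in seen) report("duplicate rule number " $2)
        seen[num] = NR
        # Only the plain "add <num> skipto <target> ..." form is checked;
        # rules with a leading set/prob keyword are not handled here.
        if ($3 == "skipto") {
            if ($4 + 0 <= num) report("skipto target " $4 " is not ahead of rule " $2)
            skipto_target[NR] = $4 + 0
        }
    }
    END {
        for (n in skipto_target)
            if (!(skipto_target[n] in seen)) {
                problems++
                print "line " n ": skipto target " skipto_target[n] " does not exist"
            }
        exit (problems > 0)
    }' "$1"
}

# Constructed sample (not the poster's file): a shortened ruleset in the
# same shape as the thread's, with three defects planted in it: the SSH
# rule wrapped onto two lines, the NTP rule number used twice, and a rule
# whose number lost its leading digits (so ipfw sorts it to the top).
write_sample_rules() {
    cat > "$1" <<'EOF'
# be quiet and flush all rules on start
-q flush
add 00100 allow ip from any to any via lo0
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup
keep-state
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04090 deny ip from any to me
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445
add 60001 deny log ip from any to any
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any
EOF
}

# Stand-alone run against the constructed sample; point lint_ipfw_rules at
# /etc/fw/rc.firewall.rules to check a real file.
sample=$(mktemp)
write_sample_rules "$sample"
if lint_ipfw_rules "$sample"; then
    echo "no structural problems found"
else
    echo "ruleset needs attention"
fi
rm -f "$sample"
```

On the constructed sample the script reports line 7 (the stray "keep-state"), line 9 (the second 04020) and line 13 (rule 5 landing below 59998). It deliberately says nothing about what a rule permits; it only catches the cases where the file you are reading is not the ruleset ipfw actually installs, which is the first thing to rule out before adding logging to the deny rules as Phil suggests.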

IPFW acting weird OR invalid ruleset?

2004-06-29 Thread whizkid
Hey everyone.  Below is my natd.conf file and my rc.firewall.rule file. I
cannot figure it out, but if one of my machines that is behind my
Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
to connect.

FreeBSD 5.2.1 machine with 2 nics.

xl0 outside Nic
fxp0 inside Nic

rc.conf:

# enable firewall
firewall_enable=YES
# set path to custom firewall config
firewall_type=/etc/fw/rc.firewall.rules
# be non-verbose? set to YES after testing
firewall_quiet=NO
# enable natd, the NAT daemon
natd_enable=YES
# which is the interface to the internet that we hide behind?
natd_interface=xl0
# flags for natd
natd_flags=-f /etc/fw/natd.conf


natd.conf:

unregistered_only
interface xl0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50


rc.firewall.rules:

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state

# allow some traffic from the local net to the router
#SMTP
add 02000 allow tcp from any to any 25 setup keep-state

# SSH
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

#IMAP-SSL
add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

# NTP
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state

#webmin
add 04030 allow tcp from any to me dst-port 1 in via fxp0 setup keep-state
add 04031 allow tcp from any to me dst-port 1 in via xl0 setup keep-state

#http
add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

# DNS
add 04050 allow udp from any to me dst-port 53 in via fxp0
add 04051 allow udp from any to me dst-port 53 in via xl0
add 04052 allow tcp from any to me dst-port 53 in via fxp0
add 04053 allow tcp from any to me dst-port 53 in via xl0

#POP
add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

#HTTPS
add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

#IMAPS
add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

# drop everything else
add 04090 deny ip from any to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 60001 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW acting weird OR invalid ruleset?

2004-06-29 Thread Remko Lodder
[EMAIL PROTECTED] wrote:
Hey everyone.  Below is my natd.conf file and my rc.firewall.rule file. I
cannot figure it out, but if one of my machines that is behind my
Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
to connect.
Does ipfw offer logging (I don't know ipfw)? Perhaps you can see why
it gets blocked there (ehm, I presume it gets blocked).

But perhaps an ipfw guru should help ;-)
Cheers
FreeBSD 5.2.1 machine with 2 nics.
xl0 outside Nic
fxp0 inside Nic
rc.conf:
# enable firewall
firewall_enable=YES
# set path to custom firewall config
firewall_type=/etc/fw/rc.firewall.rules
# be non-verbose? set to YES after testing
firewall_quiet=NO
# enable natd, the NAT daemon
natd_enable=YES
# which is the interface to the internet that we hide behind?
natd_interface=xl0
# flags for natd
natd_flags=-f /etc/fw/natd.conf
natd.conf:
unregistered_only
interface xl0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50
rc.firewall.rules:
# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state
# allow some traffic from the local net to the router
#SMTP
add 02000 allow tcp from any to any 25 setup keep-state
# SSH
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
#IMAP-SSL
add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
# NTP
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
#webmin
add 04030 allow tcp from any to me dst-port 1 in via fxp0 setup keep-state
add 04031 allow tcp from any to me dst-port 1 in via xl0 setup keep-state
#http
add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
# DNS
add 04050 allow udp from any to me dst-port 53 in via fxp0
add 04051 allow udp from any to me dst-port 53 in via xl0
add 04052 allow tcp from any to me dst-port 53 in via fxp0
add 04053 allow tcp from any to me dst-port 53 in via xl0
#POP
add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
#HTTPS
add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
#IMAPS
add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
# drop everything else
add 04090 deny ip from any to me
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state
# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 60001 deny log ip from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any

--
Kind regards,
Remko Lodder   |[EMAIL PROTECTED]
Reporter DSINet|[EMAIL PROTECTED]
Projectleader Mostly-Harmless  |[EMAIL PROTECTED]


Re: IPFW acting weird OR invalid ruleset?

2004-06-29 Thread Steve Bertrand
 Hey everyone.  Below is my natd.conf file and my rc.firewall.rule file. I
 cannot figure it out, but if one of my machines that is behind my
 Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
 to connect.

Are you using a passive FTP connection?

Steve


 FreeBSD 5.2.1 machine with 2 nics.

 xl0 outside Nic
 fxp0 inside Nic

 rc.conf:

 # enable firewall
 firewall_enable=YES
 # set path to custom firewall config
 firewall_type=/etc/fw/rc.firewall.rules
 # be non-verbose? set to YES after testing
 firewall_quiet=NO
 # enable natd, the NAT daemon
 natd_enable=YES
 # which is the interface to the internet that we hide behind?
 natd_interface=xl0
 # flags for natd
 natd_flags=-f /etc/fw/natd.conf


 natd.conf:

 unregistered_only
 interface xl0
 use_sockets
 dynamic
 # dynamically open fw for ftp, irc
 punch_fw 2000:50


 rc.firewall.rules:

 # be quiet and flush all rules on start
 -q flush

 # allow local traffic, deny RFC 1918 addresses on the outside
 add 00100 allow ip from any to any via lo0
 add 00110 deny ip from any to 127.0.0.0/8
 add 00120 deny ip from any to any not verrevpath in
 add 00301 deny ip from 10.0.0.0/8 to any in via xl0
 add 00302 deny ip from 172.16.0.0/12 to any in via xl0
 add 00303 deny ip from 192.168.0.0/16 to any in via xl0

 # check if incoming packets belong to a natted session, allow through if yes
 add 01000 divert natd ip from any to me in via xl0
 add 01001 check-state

 # allow some traffic from the local net to the router
 #SMTP
 add 02000 allow tcp from any to any 25 setup keep-state

 # SSH
 add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
 add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

 #IMAP-SSL
 add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
 add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

 # NTP
 add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
 add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
 add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
 add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state

 #webmin
 add 04030 allow tcp from any to me dst-port 1 in via fxp0 setup keep-state
 add 04031 allow tcp from any to me dst-port 1 in via xl0 setup keep-state

 #http
 add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
 add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

 # DNS
 add 04050 allow udp from any to me dst-port 53 in via fxp0
 add 04051 allow udp from any to me dst-port 53 in via xl0
 add 04052 allow tcp from any to me dst-port 53 in via fxp0
 add 04053 allow tcp from any to me dst-port 53 in via xl0

 #POP
 add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
 add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

 #HTTPS
 add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
 add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

 #IMAPS
 add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
 add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

 # drop everything else
 add 04090 deny ip from any to me

 # pass outgoing packets (to be natted) on to a special NAT rule
 add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

 # allow all outgoing traffic from the router
 add 05010 allow ip from me to any out keep-state

 # drop everything that has come so far. This means it doesn't belong to an
 # established connection, don't log the most noisy scans.
 add 59998 deny icmp from any to me
 add 5 deny ip from any to me dst-port 135,137-139,445,4665
 add 6 deny log tcp from any to any established
 add 60001 deny log ip from any to any

 # this is the NAT rule. Only outgoing packets from the local net will come here.
 # First, nat them, then pass them on (again, you may choose to be more restrictive)
 add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
 add 61001 allow ip from any to any


Re: IPFW acting weird OR invalid ruleset?

2004-06-29 Thread Steve Bertrand
 Hey everyone.  Below is my natd.conf file and my rc.firewall.rule file. I
 cannot figure it out, but if one of my machines that is behind my
 Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
 to connect.

Ok, I jumped earlier, but actually re-RTF ruleset, I've got a couple
questions:

- Is it only one pc that can't get through?
- Do other services work from behind NAT? (http etc)

It looks like rule 4109 should be BEFORE 4090, as 4090 denies all traffic
and stops, and internal traffic can't go anywhere (or so it appears).

Steve


 FreeBSD 5.2.1 machine with 2 nics.

 xl0 outside Nic
 fxp0 inside Nic

 rc.conf:

 # enable firewall
 firewall_enable=YES
 # set path to custom firewall config
 firewall_type=/etc/fw/rc.firewall.rules
 # be non-verbose? set to YES after testing
 firewall_quiet=NO
 # enable natd, the NAT daemon
 natd_enable=YES
 # which is the interface to the internet that we hide behind?
 natd_interface=xl0
 # flags for natd
 natd_flags=-f /etc/fw/natd.conf


 natd.conf:

 unregistered_only
 interface xl0
 use_sockets
 dynamic
 # dynamically open fw for ftp, irc
 punch_fw 2000:50


 rc.firewall.rules:

 # be quiet and flush all rules on start
 -q flush

 # allow local traffic, deny RFC 1918 addresses on the outside
 add 00100 allow ip from any to any via lo0
 add 00110 deny ip from any to 127.0.0.0/8
 add 00120 deny ip from any to any not verrevpath in
 add 00301 deny ip from 10.0.0.0/8 to any in via xl0
 add 00302 deny ip from 172.16.0.0/12 to any in via xl0
 add 00303 deny ip from 192.168.0.0/16 to any in via xl0

 # check if incoming packets belong to a natted session, allow through if yes
 add 01000 divert natd ip from any to me in via xl0
 add 01001 check-state

 # allow some traffic from the local net to the router
 #SMTP
 add 02000 allow tcp from any to any 25 setup keep-state

 # SSH
 add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
 add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

 #IMAP-SSL
 add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
 add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

 # NTP
 add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
 add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
 add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
 add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state

 #webmin
 add 04030 allow tcp from any to me dst-port 1 in via fxp0 setup keep-state
 add 04031 allow tcp from any to me dst-port 1 in via xl0 setup keep-state

 #http
 add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
 add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

 # DNS
 add 04050 allow udp from any to me dst-port 53 in via fxp0
 add 04051 allow udp from any to me dst-port 53 in via xl0
 add 04052 allow tcp from any to me dst-port 53 in via fxp0
 add 04053 allow tcp from any to me dst-port 53 in via xl0

 #POP
 add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
 add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

 #HTTPS
 add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
 add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

 #IMAPS
 add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
 add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

 # drop everything else
 add 04090 deny ip from any to me

 # pass outgoing packets (to be natted) on to a special NAT rule
 add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

 # allow all outgoing traffic from the router
 add 05010 allow ip from me to any out keep-state

 # drop everything that has come so far. This means it doesn't belong to an
 # established connection, don't log the most noisy scans.
 add 59998 deny icmp from any to me
 add 5 deny ip from any to me dst-port 135,137-139,445,4665
 add 6 deny log tcp from any to any established
 add 60001 deny log ip from any to any

 # this is the NAT rule. Only outgoing packets from the local net will come here.
 # First, nat them, then pass them on (again, you may choose to be more restrictive)
 add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
 add 61001 allow ip from any to any


Re: IPFW acting weird OR invalid ruleset?

2004-06-29 Thread whizkid
[snip]

 Ok, I jumped earlier, but actually re-RTF ruleset, I've got a couple
 questions:

 - Is it only one pc that can't get through?
 - Do other services work from behind NAT? (http etc)

 It looks like rule 4109 should be BEFORE 4090, as 4090 denies all traffic
 and stops, and internal traffic can't go anywhere (or so it appears).

 Steve


[snip]

steve,
 Yes everything else seems to work fine.  There are currently 2 PCs
with this issue.  1 is XP the other is Win2k.  This ruleset worked
fine on FreeBSD 5.1, but I reformatted the box, and installed 5.2.1,
uploaded the rc.firewall.rules and natd.conf files; since the network
interfaces were the same I didn't really have to change anything.

I found these rules on this website:

http://www.lugbe.ch/lostfound/contrib/freebsd_router/

here is the sample I used from the website:

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ep0
add 00303 deny ip from 192.168.0.0/16 to any in via ep0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ep0
add 01001 check-state

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1

# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state

# allow all outgoing traffic from the router (maybe you should be more restrictive)
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 6 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
add 61001 allow ip from any to any