Re: ipfw with four interfaces

2003-10-19 Thread Micheal Patterson


- Original Message - 
From: Arvinn Lokkebakken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 7:24 AM
Subject: Re: ipfw with four interfaces


snip

 Haven't been able to try them out yet, but I don't feel allowing The
 first 300 rule will probably help me having the firewall allowing
 traffic for me, but I wasn't really planning to allow everything in. And
 will deny rules have effect when the traffic already is allowed?

 Arvinn


Disregard my firewall ruleset for the time being. Do you have this system
configured to be a gateway unit? If not, no traffic will pass interface
boundaries. If your interface setup is this:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet w.x.y.81 netmask 0xfff0 broadcast w.x.y.95
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.0.1 netmask 0xff00 broadcast 172.16.0.255
xl2 is the interface that is connected back-to-back with the router.

Also, from the info above, xl2 connects to the router via a crossover cable.
If so, does it pull an IP?  If so, it needs to be something other than the
w.x.y.81, 192.168.0.1 or 172.16.0.1 network.

--

Micheal Patterson
TSG Network Administration
405-917-0600


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw with four interfaces

2003-09-03 Thread Arvinn Lokkebakken

Try having the very first rule divert ip from any to any to natd. Then, you
can configure NATD to only affect RFC1918 packets by adding a -u to the
command line. NAT will take the packet, process it if it's an RFC 1918
address, if not, allow it to pass and then reinject it into the firewall at
rule 2 (or next available rule) and continue processing the ruleset.

Like I described I already use this flag. The problem with having
divert at the top is that I get thrown off my ssh connection every time
when I try to reload natd or ipfw. Does it matter if I allow ssh from my
network before I divert packets to natd?

I've not been awake for long and have had little to no Mt Dew yet so don't
hold this against me. Without going over this for awhile, which I recommend
when doing a firewall, this may be something in the neighborhood that you're
looking for.

In your /usr/local/etc/natd.sh

#!/bin/sh
natd -interface xl2  -s -m -u
Or if you start it from rc.conf:

natd_flags="-s -m -u"
 

I use a natd config file with all these flags so that is taken care of.

The -s tells it to use sockets so that FTP doesn't get broken. You may not
need this.
The -m tells natd to attempt to use the same socket as the originating host.
The -u tells natd to only translate RFC 1918 packets.

In your firewall rules file:

###
# more fwrules
fwcmd=/sbin/ipfw
extif=xl2
dmzif=fxp0
lanif=xl0
motorif=xl1
#
#
$fwcmd -f flush
#
#
#NATD Divert
$fwcmd add 1 divert natd all from any to any via xl2
#
#You want blocked outbound ports to match early on in the firewall.
#
# Blocking ports out to Internet that I don't like:
$fwcmd add 100 deny tcp from any to any 135-139 out via $extif
$fwcmd add 100 deny tcp from any to any 445 out via $extif
#
#Then your allows:
#
#Network Allows
$fwcmd add 300 allow ip from any to any via $extif
$fwcmd add 300 allow ip from any to any via $dmzif
$fwcmd add 300 allow ip from any to any via $lanif
$fwcmd add 300 allow ip from any to any via $motorif
 

Hm.. You really mean I should add that first allow line there? These four
rules together are basically the same as ipfw add allow ip from any to
any, aren't they?

# Allow http to the whole dmz from Internet:
$fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
#
# Allow smtp and pop3 to the mailserver from Internet:
$fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif
 

Aren't these two rules overlapping the first 300 rule?

#Lastly, your denies
#
#Network Denies
#
# Default Block
$fwcmd add 65000 deny ip from any to any

Hope this helps you out.

 

Haven't been able to try them out yet, but I don't feel allowing The
first 300 rule will probably help me having the firewall allowing
traffic for me, but I wasn't really planning to allow everything in. And
will deny rules have effect when the traffic already is allowed?

Arvinn

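The first-match behaviour both replies above rely on, as an added example that is not part of the thread: a small Python simulator of ipfw rule evaluation run over Micheal's suggested rules, with $extif=xl2 and $dmzif=fxp0 substituted and the constructed block 203.0.113.80/28 standing in for w.x.y.80/28. It shows that the blanket `allow ip from any to any via $extif` at 300 is what decides inbound http and smtp (rules 400 and 500 never match), and that a deny numbered after an allow that already matched has no effect.

```python
# Added example, not the thread's code: first-match simulator for the ipfw syntax above.
# Assumed ipfw semantics: rules run in number order, first match decides, divert reinjects.
import ipaddress
PORT_NAMES = {"http": "80", "smtp": "25", "pop3": "110", "ssh": "22"}

# Micheal's suggested rules ($extif=xl2, $dmzif=fxp0); 203.0.113.x is a constructed DMZ block.
SUGGESTED = """
add 1 divert natd all from any to any via xl2
add 100 deny tcp from any to any 135-139 out via xl2
add 300 allow ip from any to any via xl2
add 300 allow ip from any to any via fxp0
add 400 allow tcp from any to 203.0.113.80/28 http via xl2
add 500 allow tcp from any to 203.0.113.84 smtp,pop3 via xl2
add 65000 deny ip from any to any
"""

def parse_rule(line):
    """'add N action proto from SRC to DST [ports] [in|out] [via IF]' -> dict."""
    t = line.split()
    if t[2] == "divert":                      # drop the 'natd' divert-port token
        del t[3]
    r = {"num": int(t[1]), "action": t[2], "proto": t[3], "src": t[5], "dst": t[7]}
    rest = t[8:]
    r["ports"] = rest.pop(0) if rest and rest[0] not in ("in", "out", "via") else None
    r["dir"] = rest.pop(0) if rest and rest[0] in ("in", "out") else None
    r["via"] = rest[1] if rest[:1] == ["via"] else None
    return r

def port_ok(spec, dport):
    """Match 'http', 'smtp,pop3' or '135-139' against a destination port."""
    if spec is None:
        return True
    for part in spec.split(",") if dport is not None else []:
        lo, _, hi = PORT_NAMES.get(part, part).partition("-")
        if int(lo) <= dport <= int(hi or lo):
            return True
    return False

in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("ip", "all", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and port_ok(r["ports"], p.get("dport"))
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"]))

def first_match(ruleset, pkt):
    """(rule number, action) of the rule that decides pkt, as ipfw would pick it."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
    for r in sorted(rules, key=lambda r: r["num"]):    # stable sort keeps add order
        if r["action"] != "divert" and matches(r, pkt):  # natd hands the packet back
            return r["num"], r["action"]
    return None
```

Swap a different ruleset string into first_match to check another ordering before loading it on the box.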


Re: ipfw with four interfaces

2003-09-01 Thread Micheal Patterson


- Original Message - 
From: Arvinn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2003 6:24 AM
Subject: ipfw with four interfaces


 This FreeBSD 4.x with ipfw1 have four interfaces:

 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet w.x.y.81 netmask 0xfff0 broadcast w.x.y.95
 xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
 xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 172.16.0.1 netmask 0xff00 broadcast 172.16.0.255
 xl2 is the interface that is connected back-to-back with the router.

 As you can see, hosts on xl0 and xl1 need to get translated in order to
 get on the Internet. The dmz is for a few web-servers, a mailserver and a
 vpn-gateway I will be setting up later. I have a hard time getting this
 design to actually work with deny ip from any to any in the bottom of the
 ruleset.

 I thought my tcp/ip skills were proper but after I started dealing with
 this I feel like a complete noob.

 Here are the rules I have written so far:

 # more fwrules
 fwcmd=/sbin/ipfw
 extif=xl2
 dmzif=fxp0
 lanif=xl0
 motorif=xl1

 $fwcmd -f flush
 ###
 $fwcmd add 100 allow all from any to any via lo0
 $fwcmd add 200 deny all from any to 127.0.0.0/8
 $fwcmd add 300 deny ip from 127.0.0.0/8 to any
 $fwcmd add 500 deny tcp from any to any in via any tcpflags syn,fin
 $fwcmd add 600 deny ip from any to any in via any frag
 ###
 $fwcmd add 900 allow tcp from an.outside.net.work to me ssh in via $extif
 # This one passes packets to natd. If I knew how to divert only rfc1918
 # addresses to natd I would do that.
 # In the meantime I have configured natd with the unregistered-flag.
 $fwcmd add 950 divert natd all from any to any via $extif
 # Allow http to the whole dmz from Internet:
 $fwcmd add 1000 allow tcp from any to w.x.y.80/28 http via $extif
 # Allow smtp and pop3 to the mailserver from Internet:
 $fwcmd add 1050 allow tcp from any to w.x.y.84 smtp,pop3 via $extif
 #
 # With the following rules I want to allow all traffic between my own
 segments:
 $fwcmd add 1200 allow ip from any to any via $dmzif
 $fwcmd add 1250 allow ip from any to any via $lanif
 $fwcmd add 1300 allow ip from any to any via $motorif
 # Allow all traffic out to Internet:
 $fwcmd add 2000 allow ip from any to any out via $extif
 # Allow all icmp for testing purposes until I get the firewall rules working:
 $fwcmd add 3000 allow icmp from any to any via any

 # Blocking ports out to Internet that I don't like:
 $fwcmd add 1300 deny tcp from any to any 135-139 out via $extif
 $fwcmd add 1350 deny tcp from any to any 445 out via $extif
 ###
 # Blocking everything else:
 $fwcmd add 65000 deny ip from any to any
 #

 When I load these rules it looks like nothing but icmp works. The
 computers on the rfc1918 addresses can't speak tcp (and probably udp
 as well) and the computers on the dmz can't either. I feel I don't
 understand this properly. There must be some basic errors with my ruleset.
 Will it help me to put in this at the top?:

  $fwcmd add 50 check-state

 ..and then use keep-state on all my allow rules?

 Can someone please:

 I would be grateful for all kind of answers.

 Arvinn


Try having the very first rule divert ip from any to any to natd. Then, you
can configure NATD to only affect RFC1918 packets by adding a -u to the
command line. NAT will take the packet, process it if it's an RFC 1918
address, if not, allow it to pass and then reinject it into the firewall at
rule 2 (or next available rule) and continue processing the ruleset.

I've not been awake for long and have had little to no Mt Dew yet so don't
hold this against me. Without going over this for awhile, which I recommend
when doing a firewall, this may be something in the neighborhood that you're
looking for.

In your /usr/local/etc/natd.sh

#!/bin/sh
natd -interface xl2  -s -m -u

Or if you start it from rc.conf:

natd_flags="-s -m -u"

The -s tells it to use sockets so that FTP doesn't get broken. You may not
need this.
The -m tells natd to attempt to use the same socket as the originating host.
The -u tells natd to only translate RFC 1918 packets.

In your firewall rules file:

###
# more fwrules
fwcmd=/sbin/ipfw
extif=xl2
dmzif=fxp0
lanif=xl0
motorif=xl1
#
#
$fwcmd -f flush
#
#
#NATD Divert
$fwcmd add 1 divert natd all from any to any via xl2
#
#You want blocked outbound ports to match early on in the firewall.
#
# Blocking ports out to Internet that I don't like:
$fwcmd add 100 deny tcp from any to any 135-139 out via $extif
$fwcmd add 100 deny tcp from any to any 445 out via $extif
#
#Then your allows:
#
#Network Allows
$fwcmd add 300 allow ip from any to any via $extif