PPP Firewall - can't telnet/ftp from intranet

2002-07-18 Thread David Merriman

Following the instructions at
http://www.freebsd.com.pl/tutorial_en/dialup-firewall/article.html, I've
got firewalling set up on a ppp connection.

The problem is that now I can't telnet or ftp into the BSD box from my
intranet (on dc0). Any ideas on what I did wrong or didn't do?

Also, for some reason I don't understand, I've got two tun connections
displayed in ifconfig: tun0 and tun1.

I'm using an internal ip range 192.168.x.x for dc0.

David Merriman



To eliminate the risk of malicious scripts
or code, *all* HTML email is automatically
_deleted_ UNREAD on receipt.




To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



ppp Firewall - can't telnet/ftp from intranet

2002-07-18 Thread David Merriman

/etc/host.conf: 
hosts
bind


/etc/hosts: 
127.0.0.1   localhost.home   localhost
192.168.144.254   mydomain   daemon


/etc/resolv.conf: 
domain  home
nameserver  206.104.144.4
nameserver  206.104.144.3


Edit /etc/ppp/ppp.conf: 
# PPP Configuration

default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\ AT
  OK-AT-OK ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT (All one line)
 set redial 3 10
 disable pred1
 deny pred1
 disable lqr
 deny lqr
 set authname 
 set authkey 
 set phone xxx-
 set timeout 600

# OneSource
 set openmode active
 accept chap
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.0.0.0 0.0.0.0
 add default HISADDR 

/etc/ppp/ppp.linkup: 
# Dial-on-demand:
demand:
 delete ALL
 add 0 0 HISADDR

# All other configurations use this:
OneSource:
 add 0 0 HISADDR

Edit /etc/ppp/ppp.linkdown: 
# Dial-on-demand:
OneSource:
 iface clear

appropriate part of /etc/rc.conf: 
### Basic network options: ###
firewall_enable=YES
firewall_script=/etc/firewall/fwrules
natd_enable=YES
natd_interface=tun0
natd_flags=-dynamic
ppp_enable=YES
ppp_mode=auto
ppp_nat=YES
ppp_profile=fwrules

fwrules:
# Firewall rules
# Written by Marc Silver ([EMAIL PROTECTED])
# http://draenor.org/ipfw
# Freely distributable


# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd=/sbin/ipfw

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot.  :)
$fwcmd add allow ip from any to any via tun0
$fwcmd add allow ip from any to any via dc0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example specifically allows connections
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
$fwcmd add allow udp from any to 206.104.144.3 53 out xmit tun0

# Allow them back in with the answers...  :)
$fwcmd add allow udp from 206.104.144.4 53 to any in recv tun0
$fwcmd add allow udp from 206.104.144.3 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any

# Deny all the rest.
$fwcmd add deny log ip from any to any

I've also compiled the following into the kernel
options IPFIREWALL 
options IPFIREWALL_VERBOSE 
options IPFIREWALL_VERBOSE_LIMIT=100 

My system is dialing out on demand, I can FTP and all that from my BSD
box (daemon). Since getting ppp working with the above, I've lost the
ability to telnet or ftp into the BSD box from my intranet.

Dave Merriman






RE: ppp Firewall - can't telnet/ftp from intranet

2002-07-18 Thread David Merriman

 -Original Message-
 From: Joe  Fhe Barbish [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, July 18, 2002 8:00 PM
 To: David Merriman
 Subject: RE: ppp Firewall - can't telnet/ftp from intranet
 
 
 Your rc.conf shows you are using both natd and ppp nat. You
 can only use one of those to do the nat function. You do not have
 ipfw natd enabled in your kernel, so make the following changes.
 
 Remove these statements from ipfw rule set.
 $fwcmd add divert natd all from any to any via tun0
 $fwcmd add allow ip from any to any via tun0

Did this.

 
 change
 $fwcmd add allow tcp from any to any 80 setup
 $fwcmd add allow tcp from any to any 22 setup
 to
 $fwcmd add allow tcp from any to any 80 in via tun0 setup
 $fwcmd add allow tcp from any to any 22 in via tun0 setup

and this.

 
 In the following rule dc0 must be your NIC card to your LAN.
 If not, change it to the correct NIC device name.
 $fwcmd add allow ip from any to any via dc0

It was already there :-)

 
 
 Remove all rc.conf natd options:
 natd_enable=YES
 natd_interface=tun0
 natd_flags=-dynamic

Did this, too.

Looking at dmesg.today, I'm seeing the notation:

Firewall rules loaded, starting divert daemons: natd

FWIW, I have gateway_enabled=ON, as well as inetd_enabled=ON.

 
 Change ppp_profile=fwrules  to  ppp_profile=

Tried this, as well.

 fwrules:
 # Firewall rules
 # Written by Marc Silver ([EMAIL PROTECTED])
 # http://draenor.org/ipfw
 # Freely distributable
 
 
 # Define the firewall command (as in /etc/rc.firewall) for easy
 # reference.  Helps to make it easier to read.
 fwcmd=/sbin/ipfw
 
 # Force a flushing of the current rules before we reload.
 $fwcmd -f flush
 
 # Divert all packets through the tunnel interface.
 $fwcmd add divert natd all from any to any via tun0
 
 # Allow all data from my network card and localhost.  Make sure you
 # change your network card (mine was fxp0) before you reboot.  :)
 $fwcmd add allow ip from any to any via tun0
 $fwcmd add allow ip from any to any via dc0
 
 # Allow all connections that I initiate.
 $fwcmd add allow tcp from any to any out xmit tun0 setup
 
 # Once connections are made, allow them to stay open.
 $fwcmd add allow tcp from any to any via tun0 established
 
 # Everyone on the internet is allowed to connect to the following
 # services on the machine.  This example specifically allows connections
 # to ssh and apache.
 $fwcmd add allow tcp from any to any 80 setup
 $fwcmd add allow tcp from any to any 22 setup
 
 # This sends a RESET to all ident packets.
 $fwcmd add reset log tcp from any to any 113 in recv tun0
 
 # Allow outgoing DNS queries ONLY to the specified servers.
 $fwcmd add allow udp from any to 206.104.144.4 53 out xmit tun0
 $fwcmd add allow udp from any to 206.104.144.3 53 out xmit tun0
 
 # Allow them back in with the answers...  :)
 $fwcmd add allow udp from 206.104.144.4 53 to any in recv tun0
 $fwcmd add allow udp from 206.104.144.3 53 to any in recv tun0
 
 # Allow ICMP (for ping and traceroute to work).  You may wish to
 # disallow this, but I feel it suits my needs to keep them in.
 $fwcmd add allow icmp from any to any
 
 # Deny all the rest.
 $fwcmd add deny log ip from any to any
 
 I've also compiled the following into the kernel
 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPFIREWALL_VERBOSE_LIMIT=100

I've taken out the IPFIREWALL stuff from the kernel while trying to
troubleshoot the problem.

 
 My system is dialing out on demand, I can FTP and all that from my BSD
 box (daemon). Since getting ppp working with the above, I've lost the
 ability to telnet or ftp into the BSD box from my intranet.



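As an added example (not part of the thread, and not Marc Silver's or Joe Barbish's script): the rule set below is Dave's fwrules with the changes Joe suggests applied, for a box where ppp itself does the NAT (ppp_nat=YES), so there is no natd and no divert rule. It assumes, as in the thread, that tun0 is the PPP link and dc0 the LAN NIC, and it keeps the two resolver addresses from Dave's resolv.conf. The lo0 rule, the FWCMD/EXT_IF/LAN_IF/DNS_SERVERS variables and the render_rules and has_divert_rule helpers are this example's own additions. The service rules for 22 and 80 are bound to "in via tun0" so they can only match new connections arriving on the PPP link, and the LAN interface is trusted outright, which is what lets telnet and ftp from the intranet reach the box instead of falling through to the final deny.

```shell
#!/bin/sh
# Added example, not from the thread: Dave's fwrules rebuilt with the changes
# Joe Barbish suggests, for a box where ppp itself does the NAT (ppp_nat=YES),
# so there is no natd and no 'divert natd' rule.  Interface names follow the
# thread: tun0 is the PPP link, dc0 the LAN NIC.  The lo0 rule, the variables
# and the helper functions are additions for this example.

FWCMD="${FWCMD:-/sbin/ipfw}"     # set FWCMD=echo to print rules instead of loading them
EXT_IF="${EXT_IF:-tun0}"
LAN_IF="${LAN_IF:-dc0}"
DNS_SERVERS="${DNS_SERVERS:-206.104.144.4 206.104.144.3}"   # from Dave's resolv.conf

load_rules() {
    "$FWCMD" -f flush

    # Everything on the LAN side and on loopback is trusted, so telnet/ftp
    # from the intranet to the box never reaches the final deny rule.
    "$FWCMD" add allow ip from any to any via lo0
    "$FWCMD" add allow ip from any to any via "$LAN_IF"

    # Connections the box (or, through ppp -nat, a LAN host) opens outward,
    # and the return traffic for them.
    "$FWCMD" add allow tcp from any to any out xmit "$EXT_IF" setup
    "$FWCMD" add allow tcp from any to any via "$EXT_IF" established

    # Services offered to the Internet.  Bound to 'in via tun0' as Joe
    # suggests, so these rules only match new connections on the PPP link.
    "$FWCMD" add allow tcp from any to any 22 in via "$EXT_IF" setup
    "$FWCMD" add allow tcp from any to any 80 in via "$EXT_IF" setup

    # Answer ident probes with a RESET rather than letting them time out.
    "$FWCMD" add reset log tcp from any to any 113 in recv "$EXT_IF"

    # DNS only to and from the configured resolvers.
    for ns in $DNS_SERVERS; do
        "$FWCMD" add allow udp from any to "$ns" 53 out xmit "$EXT_IF"
        "$FWCMD" add allow udp from "$ns" 53 to any in recv "$EXT_IF"
    done

    "$FWCMD" add allow icmp from any to any

    # Default deny, logged (needs IPFIREWALL_VERBOSE in the kernel).
    "$FWCMD" add deny log ip from any to any
}

# Dry run: print the rules load_rules would hand to ipfw, one per line.
render_rules() {
    ( FWCMD=echo; load_rules )
}

# Sanity check before a reboot: succeeds (exit 0) if any divert rule is left.
# With natd no longer started, such a rule drops every packet it matches.
has_divert_rule() {
    render_rules | grep -q ' divert '
}

case "${1:-}" in
    load) load_rules ;;
    show) render_rules ;;
esac
```

Run it as "sh fwrules show" to see the rule text without touching the live firewall, and "sh fwrules load" (or point firewall_script at it) to load. Because rc.conf and ppp.conf are edited separately, the dry run plus has_divert_rule is a cheap way to confirm that removing the natd lines and the divert rule were done together.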