RE: Firewall Rule Set not allowing access to DNS servers?
I changed the DNS rules as you suggested, and the firewall works perfectly - thanks very much. This has been a great learning experience for me - thanks to all who responded.

Jim C

-----Original Message-----
From: JJB [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 31, 2004 1:08 PM
To: James A. Coulter; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
RE: Firewall Rule Set not allowing access to DNS servers?
Thanks for the response . . .

I changed rule 5 from xl0 to dc0 - thanks.

Not sure why I would want my inside nic requesting DHCP service from my ISP. It has been working fine in the configuration I have it, so I've left it the way it is.

I checked the security log, and found this:

Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

These are the three name servers specified in the rule set. I checked the rule set and found this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

Because security said the firewall was denying UDP packets, I changed the rules to this:

$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

But that hasn't helped. I'm still getting:

Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

FWIW, these rules are skipping to:

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

I apologize for being such a bother and I do appreciate any help or suggestions.

TIA
Jim C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of JJB
Sent: Friday, July 30, 2004 1:20 PM
To: James A. Coulter; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

Change this ipfw rule from

5 allow ip from any to any via xl0

to

5 allow ip from any to any via dc0

because dc0 is the LAN interface name and not xl0.

Change these statements in rc.conf because you have the interface names backwards. dc1 is the NIC connected to your cable modem and you want to get DHCP info from your ISP. dc0 is the NIC connected to your LAN. From

ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

to

ifconfig_dc0="DHCP"
ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"

You do not say how your LAN PCs get their IP addresses. You can hard code them on each LAN PC or you have to run isc-dhcp-server on your gateway box to auto assign IP addresses to LAN PCs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James A. Coulter
Sent: Friday, July 30, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: Firewall Rule Set not allowing access to DNS servers?

I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options, and with a rule set allowing any to any I have no problems. I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful + NATD Rule Set modified for my outside interface, domain name servers, and DHCP server. I can ping IP addresses and pass SMTP mail back and forth from the gateway/router and all machines on the LAN, but I cannot ping URLs - I am getting "ping: cannot resolve www.freebsd.org: Host name lookup failure" errors.

This is what ipfw -a list looks like:

sara# ipfw -a list
5 0 0 allow ip from any to any via xl0
00010 52 3640 allow ip from any to any via lo0
00014 0 0 divert 8668 ip from any to any in recv dc1
00015 0 0 check-state
00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
00061 0 0 skipto 800 tcp from any to any 110
RE: Firewall Rule Set not allowing access to DNS servers?
You had better re-read what you posted in your earlier post. You posted that dc1 is your outside NIC, which is connected to your cable modem, which is connected to your ISP. Your outside NIC needs DHCP to get IP and DNS info from your ISP. NOW YOU SAY dc1 IS THE INSIDE INTERFACE NAME. Make up your mind which is correct.

Verify you have the correct interface name coded in the ipfw rules for the NIC connected to the cable modem and that the same NIC interface name is the one in rc.conf with the DHCP option. When DHCP gets DNS info from the ISP, /etc/resolv.conf will be auto updated with the correct info.

Read the comments in the sample firewall source and follow what the comments say. You are making this harder than it really is.

Also there is no setup option on UDP packets, just keep-state.

Post the full contents of your current dmesg.boot, rc.conf, ipfw rule set, and ipfw log files so people can see just what you have configured. And answer the question of how you are assigning IP addresses to LAN PCs? Also post the output of the ifconfig -a command after boot completes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 9:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
RE: Firewall Rule Set not allowing access to DNS servers?
Thanks,
Jim C.

-----Original Message-----
From: JJB [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 31, 2004 10:28 AM
To: James A. Coulter; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote:
> My LAN is configured with static IP addresses, 192.168.1.x. I have no
> problems communicating within the LAN. I have full connectivity with the
> internet from every machine on my LAN when the firewall is open. When I
> use the rule set in question, I can ping and send mail but I cannot
> access the DNS servers listed in resolv.conf.

There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are:

a) Why do you use static rule numbers? You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-)

b) Why do you use so many rules that 'filter' outgoing traffic? I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all, and even then IPFW is most of the time not the right way to do it.

I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules" in my rc.conf file:

# First clean up all the rules of ipfw.
flush

# Inbound packets on the external interface that are already addressed
# to the private LAN range are spoofed. They must be rejected *before*
# natd runs, because after the divert below every legitimate inbound
# reply also carries a 192.168.x.x destination.
add deny ip from any to 192.168.0.0/16 in recv dc1

# Packets should be passed to natd *before* any other rule as
# mentioned in the natd(8) manpage, unlike your current script.
add divert natd all from any to any via dc1

# Allow only lo0 interface to use the 127.0.0.1 address.
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1

# Allow only the dc0 interface to receive or send packets in the
# 192.168.0.0/16 address range. The LAN's own outbound traffic arrives
# on dc0 with a 192.168.x.x source, so the spoofing check is limited to
# dc1; an unqualified deny here would cut the LAN off from the internet.
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
add deny ip from 192.168.0.0/16 to any via dc1

# Block packets with addresses that are used in private networks
# and should not appear in any of our interfaces below this point.
add deny ip from 10.0.0.0/8 to any
add deny ip from any to 10.0.0.0/8
add deny ip from 172.16.0.0/12 to any
add deny ip from any to 172.16.0.0/12

# Allow DNS and NTP through. A forwarded packet passes the firewall
# twice, inbound on dc0 and outbound on dc1, so both passes need a rule.
add allow udp from any to any 53,123 keep-state in recv dc0
add allow udp from any to any 53,123 keep-state out xmit dc1

# Pass all ICMP messages through. They're rate limited by the
# kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
# not very unsafe to do.
add allow icmp from any to any

#
# Stateful tcp filtering.
#
add check-state
add deny tcp from any to any established

# All outgoing and incoming connections are allowed in dc0 (private iface).
# Only outgoing connections are allowed on dc1 (external iface).
add allow tcp from any to any keep-state out xmit dc0 setup
add allow tcp from any to any keep-state in recv dc0 setup
add allow tcp from any to any keep-state out xmit dc1 setup

# Only selected services are allowed to pass through external iface.
add allow tcp from any to any 22 keep-state in recv dc1 setup
add allow tcp from any to any 113 keep-state in recv dc1 setup

# The default firewall policy.
add deny log logamount 0 ip from any to any

No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules).

Note that I haven't tested this, so it might contain syntax errors because it's based on the ruleset I'm using at home but it also includes some modifications. Instead of untangling the ruleset you're now trying to use, which seemed unnecessarily complex to me, I'm posting this just in case it's useful, but it's up to you to bring it to shape for your setup if it doesn't Just Work(TM) when you load it.
- Giorgos

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: Firewall Rule Set not allowing access to DNS servers?
Look back at the ipfw sample rule set and you will see that there is both udp and tcp protocol access to DNS. Also note that udp does not use the setup keyword.

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

Your DNS rules are

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

As you can see you have no tcp protocol statements. Your udp rules use the setup keyword, which is only for tcp rules, so your udp packets never match this rule and default to getting blocked, which is why you get log error messages and you can not access the public internet.

Also, if you look closely at the first 4 ipfw log messages you will see the first message is about IP address 193.0.14.129, which is the primary DNS server pointed to by the URL "search pn.at.cox.net" in /etc/resolv.conf.

Change your DNS rules to look like this

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this. The files you requested follow.

Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use. I did follow the comments. Please note the variable pif is set to dc1, my outside nic.

### Start of IPFW rules file ###
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet
#
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#
$cmd 005 allow all from any to any via dc0
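The failure JJB describes above (a udp rule carrying setup can never match, so the query falls through to the catch-all deny) can be reproduced with a small first-match model of ipfw. This is an added illustration written for this page, not ipfw code and not from the thread; it expands $skip to "skipto 800" and $pif to dc1 as the poster's script does, and the rules numbered 550 and 800 are constructed stand-ins (the real 800 is a natd divert, which is not modelled, and keep-state/check-state dynamic rules are not modelled either).

```python
"""Toy first-match evaluator for the handful of ipfw keywords used in the
rules above. It is an illustration for this thread, not ipfw code: 'setup',
'skipto', direction and interface are modelled; natd diversion and
keep-state/check-state dynamic rules are not."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str
    syn_only: bool = False   # TCP SYN without ACK: the only thing 'setup' matches


RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|skipto\s+\d+)\s+(?P<proto>\w+)\s+"
    r"from\s+any\s+to\s+(?P<dst>\S+)(?:\s+(?P<port>\d+))?(?P<opts>.*)$")


def parse_rules(text):
    """Parse 'NNN action proto from any to DST [PORT] options...' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        opts = m.group("opts").split()
        rules.append({
            "num": int(m.group("num")),
            "action": m.group("action"),
            "proto": m.group("proto").lower(),
            "dst": m.group("dst"),
            "port": int(m.group("port")) if m.group("port") else None,
            "direction": "out" if "out" in opts else ("in" if "in" in opts else None),
            "via": opts[opts.index("via") + 1] if "via" in opts else None,
            "setup": "setup" in opts,
        })
    return sorted(rules, key=lambda r: r["num"])


def matches(rule, pkt):
    if rule["proto"] not in ("ip", "all", pkt.proto):
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    if rule["port"] is not None and rule["port"] != pkt.dport:
        return False
    if rule["direction"] and rule["direction"] != pkt.direction:
        return False
    if rule["via"] and rule["via"] != pkt.iface:
        return False
    # 'setup' only matches a TCP segment with SYN set and ACK clear, so a
    # udp rule carrying 'setup' can never match anything at all.
    if rule["setup"] and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True


def evaluate(rules, pkt):
    """Walk the sorted rules first-match style; return (rule number, action)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"].startswith("skipto"):
            target = int(r["action"].split()[1])
            i = next((j for j, x in enumerate(rules) if x["num"] >= target), len(rules))
            continue
        return r["num"], r["action"]
    return 65535, "deny"   # kernel default policy when nothing matches


# Constructed stand-ins for the poster's catch-all deny (550) and the
# skipto target (800); the real 800 is a natd divert.
TAIL = """
550 deny ip from any to any out via dc1
800 allow ip from any to any out via dc1
"""
# The poster's udp rules with 'setup', $skip and $pif expanded.
BROKEN = parse_rules("""
020 skipto 800 udp from any to 68.105.161.20 53 out via dc1 setup keep-state
021 skipto 800 udp from any to 68.1.18.25 53 out via dc1 setup keep-state
""" + TAIL)
# JJB's correction: udp without 'setup', plus a tcp rule with it.
FIXED = parse_rules("""
020 skipto 800 udp from any to 68.105.161.20 53 out via dc1 keep-state
024 skipto 800 tcp from any to 68.105.161.20 53 out via dc1 setup keep-state
""" + TAIL)

# The datagram behind "ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1".
UDP_QUERY = Packet("udp", "68.105.161.20", 53, "out", "dc1")
TCP_SYN = Packet("tcp", "68.105.161.20", 53, "out", "dc1", syn_only=True)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "udp:", evaluate(rules, UDP_QUERY), "tcp syn:", evaluate(rules, TCP_SYN))
```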
RE: Firewall Rule Set not allowing access to DNS servers?
Rule numbers have to be hard coded in this ipfw rule set because of the skipto rule. How else can you identify the skipto target rule if you allow ipfw to auto assign rule numbers?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steve Bertrand
Sent: Saturday, July 31, 2004 2:03 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

My LAN is configured with static IP addresses, 192.168.1.x. I have no problems communicating within the LAN. I have full connectivity with the internet from every machine on my LAN when the firewall is open. When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf. These are the same DNS servers placed in resolv.conf when the firewall is open. I'm sorry, but I never said dc1 was my inside nic. Again, I appreciate any help with this. The files you requested follow.

Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?:

...allow udp from any to any 53 keep-state
...allow udp from any 53 to any keep-state
...allow tcp from any to any 53 keep-state

Steve

Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use. I did follow the comments. Please note the variable pif is set to dc1, my outside nic.

### Start of IPFW rules file ###
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet

#
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#
$cmd 005 allow all from any to any via dc0

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state

# Allow out non-secure standard www function
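The DNS lines in the rule set quoted above are the actual fault in this thread: `setup` is a TCP-only option, so a udp rule carrying it can never match, and the queries fall through to the deny rules even though the rules load without complaint. The following script is an added example, not code from any post in this thread or from the handbook rule set it is based on. It lints an ipfw rules script written in the quoted `$cmd NNN ...` style for exactly that mistake, on any non-TCP protocol rather than only udp, and then checks that every nameserver in a resolv.conf has a usable udp and tcp port-53 rule. Both rule sets and the resolv.conf text are constructed inline to mirror the quoted configuration; the function names are mine, and the check is a token-level heuristic, not an ipfw parser.

```shell
#!/bin/sh
# Added example, not code from the thread: lint the DNS pass rules of an
# ipfw(8) rules script of the form "$cmd NNN $skip proto from ... to ...".
# Flags rules that combine the TCP-only "setup" option with another
# protocol (they can never match) and reports, per nameserver, whether a
# udp and a tcp rule to port 53 exist. Heuristic token matching only.

# Constructed sample: the DNS section of the rule set quoted above.
BROKEN_RULES='cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state'

# Constructed sample: the same section with "setup" removed from the udp
# rules and a tcp rule added per nameserver (the shape of the fix).
FIXED_RULES='cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"
$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 024 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state'

# Constructed sample: the resolv.conf quoted above.
SAMPLE_RESOLV='search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30'

# Read a rules script on stdin; print the rule number of every "$cmd"
# line that carries "setup" together with a protocol other than tcp.
dead_setup_rules() {
    awk '
    $1 == "$cmd" {
        proto = ""; setup = 0
        for (i = 3; i <= NF; i++) {
            t = tolower($i)
            if (t ~ /^(tcp|udp|icmp|ip|all)$/) proto = t
            if (t == "setup") setup = 1
        }
        if (setup && proto != "" && proto != "tcp") print $2
    }'
}

# Print "ok" if the rules in $1 contain a rule for protocol $2 (tcp|udp)
# to nameserver $3 port 53 that can actually match; print nothing otherwise.
has_dns_rule() {
    printf '%s\n' "$1" | awk -v proto="$2" -v ns="$3" '
    $1 == "$cmd" {
        p = 0; setup = 0; dst = 0
        for (i = 3; i <= NF; i++) {
            t = tolower($i)
            if (t == proto) p = 1
            if (t == "setup") setup = 1
            if (t == "to" && $(i + 1) == ns && $(i + 2) == "53") dst = 1
        }
        if (p && dst && !(setup && proto != "tcp")) { print "ok"; exit }
    }'
}

# One line per nameserver in $1 (resolv.conf text) giving its udp and tcp
# coverage by the rules in $2.
dns_coverage() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' |
    while read -r ns; do
        u=$(has_dns_rule "$2" udp "$ns")
        t=$(has_dns_rule "$2" tcp "$ns")
        printf '%s udp=%s tcp=%s\n' "$ns" "${u:-MISSING}" "${t:-MISSING}"
    done
}

main() {
    echo "== broken rule set: rules that can never match =="
    printf '%s\n' "$BROKEN_RULES" | dead_setup_rules
    dns_coverage "$SAMPLE_RESOLV" "$BROKEN_RULES"
    echo "== fixed rule set =="
    printf '%s\n' "$FIXED_RULES" | dead_setup_rules
    dns_coverage "$SAMPLE_RESOLV" "$FIXED_RULES"
}
main
```

Run against a real rules file with `dead_setup_rules < /etc/ipfw.rules`; a rule listed there is loaded but dead, and is worth reading alongside the `ipfw -a list` counters, which show zero matches for it. Note that the coverage check only accepts a literal nameserver address after `to`, so a rule written with `any` as destination (as suggested elsewhere in this thread) is not counted; that is deliberate, since the point of the quoted rule set is to pass traffic only to the listed servers.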
RE: Firewall Rule Set not allowing access to DNS servers?
If you had read the start of the thread you would have read the new handbook firewall section rewrite, which explains in detail why there are rules to control access to the public internet from LAN users.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 1:36 PM
To: James A. Coulter
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote:
> My LAN is configured with static IP addresses, 192.168.1.x. I have no
> problems communicating within the LAN. I have full connectivity with
> the internet from every machine on my LAN when the firewall is open.
> When I use the rule set in question, I can ping and send mail but I
> cannot access the DNS servers listed in resolv.conf.

There are many ways in which your ruleset might break. Two of the most important comments I wanted to make when I first saw the posts of this thread are:

a) Why do you use static rule numbers? You'd only have to use static rule numbers if your ruleset had more than 65536/100 = 655 rules. This limit is relatively hard to hit in a SOHO installation (Small Office, Home Office). If you do reach such limits, there's definitely something weird going on with the way your ruleset is written ;-)

b) Why do you use so many rules that 'filter' outgoing traffic? I saw smtp, pop3, time, http, https and many others. You don't need to explicitly allow outgoing connections unless the users in the internal LAN are not to be trusted at all, and even then IPFW is most of the time not the right way to do it.

I'd probably just use something of this form in the /etc/ipfw.rules file and let rc.firewall find it by setting firewall_type="/etc/ipfw.rules" in my rc.conf file:

# First clean up all the rules of ipfw.
flush

# Packets should be passed to natd *before* any other rule as
# mentioned in the natd(8) manpage, unlike your current script.
add divert natd all from any to any via dc1

# Allow only lo0 interface to use the 127.0.0.1 address.
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1

# Add only the dc0 interface to receive or send packets in the
# 192.168.0.0/16 address range.
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via dc0
add deny ip from 192.168.0.0/16 to any
add deny ip from any to 192.168.0.0/16

# Block packets with addresses that are used in private networks
# and should not appear in any of our interfaces below this point.
add deny ip from 10.0.0.0/8 to any
add deny ip from any to 10.0.0.0/8
add deny ip from 172.16.0.0/12 to any
add deny ip from any to 172.16.0.0/12

# Allow DNS and NTP through.
add allow udp from any to any 53,123 keep-state out

# Pass all ICMP messages through. They're rate limited by the
# kernel if sysctl net.inet.icmp.icmplim is enabled, so this is
# not very unsafe to do.
add allow icmp from any to any

#
# Stateful tcp filtering.
#
add check-state
add deny tcp from any to any established

# All outgoing and incoming connections are allowed in dc0 (private iface).
# Only outgoing connections are allowed on dc1 (external iface).
add allow tcp from any to any keep-state out xmit dc0 setup
add allow tcp from any to any keep-state in recv dc0 setup
add allow tcp from any to any keep-state out xmit dc1 setup

# Only selected services are allowed to pass through external iface.
add allow tcp from any to any 22 keep-state in recv dc1 setup
add allow tcp from any to any 113 keep-state in recv dc1 setup

# The default firewall policy.
add deny log logamount 0 ip from any to any

No inline numbers, a simpler layout and a logic that you can hopefully extend at the second from last paragraph to allow more services through your external interface (the `in recv dc1 setup' rules).

Note that I haven't tested this, so it might contain syntax errors because it's based on the ruleset I'm using at home but it also includes some modifications. Instead of untangling the ruleset you're now trying to use, which seemed unnecessarily complex to me, I'm posting this just in case it's useful, but it's up to you to bring it to shape for your setup if it doesn't Just Work(TM) when you load it.

- Giorgos

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Firewall Rule Set not allowing access to DNS servers?
[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB [EMAIL PROTECTED] wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
> > On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote:
> > > My LAN is configured with static IP addresses, 192.168.1.x. I have
> > > no problems communicating within the LAN. I have full connectivity
> > > with the internet from every machine on my LAN when the firewall is
> > > open. When I use the rule set in question, I can ping and send mail
> > > but I cannot access the DNS servers listed in resolv.conf.
> >
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are:
> > [...]
> > b) Why do you use so many rules that 'filter' outgoing traffic? I
> > saw smtp, pop3, time, http, https and many others. You don't need
> > to explicitly allow outgoing connections unless the users in the
> > internal LAN are not to be trusted at all, and even then IPFW is
> > most of the time not the right way to do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite, which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your posts and available online at:

http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be cool if it was somehow incorporated into the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole.

If by "... which explains in detail why ..." you refer to this particular quote from that document, I'm not sure that it is always a good idea, but that's my own opinion:

    The Outbound section in the following rule set only contains `pass'
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access.

In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
Giorgos,

Thank you for your opinion about my rewrite of the handbook firewall section. It has been turned over to the FreeBSD doc group and they are sanitizing the English and getting it prepared for update to the handbook.

Your opinion that the rule set may be too limiting for a home user is addressed by the following section from the document.

* Firewall Rule Set Types

Constructing a software application firewall rule set may seem to be trivial, but most people get it wrong. The most common mistake is to create an exclusive firewall rather than an inclusive firewall. An exclusive firewall allows all services through except for those matching a set of rules that block certain services. An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. This way you can control what services can originate behind the firewall destined for the public internet and also control which services originating from the public internet may access your network. Inclusive firewalls are far more secure than exclusive firewalls. *

Now many home LAN environments have ms/windows boxes, and that system is the target of all the adware and spyware programs. These unauthorized programs almost always use non-standard ports to phone home and report on your activity. The only way to defend against the 'report home action' is to block all outbound ports except for those explicitly allowed by firewall rules.

Sure, the ipfw firewall rule set you posted will work, but it's so much less secure than the ones contained in the document I wrote. Why have a poorly defined firewall rule set that leaves a wide open doorway to the public internet when just a few more rules will result in the maximum protection possible? My document is written to give the reader the maximum protection possible by just using the included samples. This removes the trial and error testing the user has to go through now using the current handbook as a guide.
New subject. I see from your post what looks like an automated way to reformat MS/outlook top posts to Unix bottom post format. I sure would like to know how you are doing this. I have been on this list for 4 years and I have never seen this before. Would you please share with me and the other readers how you do this?

Thanks
Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Giorgos Keramidas
Sent: Saturday, July 31, 2004 6:43 PM
To: JJB
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB [EMAIL PROTECTED] wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
> > On 2004-07-31 12:08, James A. Coulter [EMAIL PROTECTED] wrote:
> > > My LAN is configured with static IP addresses, 192.168.1.x. I have
> > > no problems communicating within the LAN. I have full connectivity
> > > with the internet from every machine on my LAN when the firewall is
> > > open. When I use the rule set in question, I can ping and send mail
> > > but I cannot access the DNS servers listed in resolv.conf.
> >
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are:
> > [...]
> > b) Why do you use so many rules that 'filter' outgoing traffic? I
> > saw smtp, pop3, time, http, https and many others. You don't need
> > to explicitly allow outgoing connections unless the users in the
> > internal LAN are not to be trusted at all, and even then IPFW is
> > most of the time not the right way to do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite, which explains in detail why there
> are rules to control access to the public internet from LAN users.
Re: Firewall Rule Set not allowing access to DNS servers?
On 2004-07-31 20:07, JJB [EMAIL PROTECTED] wrote:
> Now many home LAN environments have ms/windows boxes, and that system
> is the target of all the adware and spyware programs. These
> unauthorized programs almost always use non-standard ports to phone
> home and report on your activity. The only way to defend against the
> 'report home action' is to block all outbound ports except for those
> explicitly allowed by firewall rules.

Ah, yes. This makes much more sense. I never thought of this because the computers I have at home run only UNIX variants now. In such cases, you're right that outbound traffic needs to be controlled in some way.

> New subject. I see from your post what looks like an automated way to
> reformat MS/outlook top posts to Unix bottom post format. I sure would
> like to know how you are doing this. I have been on this list for 4
> years and I have never seen this before. Would you please share with
> me and the other readers how you do this?

`Manually' is the short answer. I don't usually spend the time to hit the right keys in Emacs to reformat the message. Your message is one of the few exceptions, because I really wanted to reply. Most of the time, when I see text that Outlook has converted magically to garbage I hit DEL.

The tricks I use in Emacs are simple -- not really automated stuff. `C-x .' sets the fill-prefix and a few RET lines will quickly separate the message in sections like these:

> When I use the rule set in question, I can ping and send mail but I
> cannot access the DNS servers listed in resolv.conf.
>
> There are many ways in which your ruleset might break. Two of the most
> important comments I wanted to make when I first saw the posts of this
> thread are:
> [...]
>
> I've read a very detailed guide that you wrote, linked by one of your
> posts and available online at:
>
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/
>
> This guide contains a great deal of useful information and it would be
> cool if it was somehow incorporated into the Handbook. It's not yet,
> but I like most of the text so I hope it gets converted to SGML and
> added to the Handbook either in parts or as a whole.

Moving the pointer just past the `> ' or text that I want to use as the quotation mark and hitting `C-x .' sets the fill-prefix, and then `M-q' (or ESC-q) refills the paragraph. Some lines, like the ones that Outlook has wrapped in weird ways, i.e. like this:

> When I use the rule set in question, I can ping and send mail but

might need a bit of editing before M-q filling works correctly, but these are usually very few after I've trimmed the text.

- Giorgos
RE: Firewall Rule Set not allowing access to DNS servers?
Change this ipfw rule from

5 allow ip from any to any via xl0

to

5 allow ip from any to any via dc0

because dc0 is the LAN interface name and not xl0.

Change these statements in rc.conf because you have the interface names backwards. dc1 is the NIC connected to your cable modem and you want to get DHCP info from your ISP. dc0 is the NIC connected to your LAN. From

ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

to

ifconfig_dc0="DHCP"
ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"

You do not say how your LAN PCs get their IP address. You can hard code them on each LAN PC or you have to run isc-dhcp-server on your gateway box to auto assign IP addresses to LAN PCs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James A. Coulter
Sent: Friday, July 30, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: Firewall Rule Set not allowing access to DNS servers?

I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My outside interface (dc1) is connected to a cable modem and is configured for DHCP. I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT options and, with a rule set allowing any to any, have no problems. I am in the process of adding a proper rule set to provide security. I was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed the Stateful + NATD Rule Set modified for my outside interface, domain name servers, and DHCP server. I can ping IP addresses and pass SMTP mail back and forth from the gateway/router and all machines on the LAN, but I cannot ping URLs - I am getting "ping: cannot resolve www.freebsd.org: Host name lookup failure" errors.

This is what ipfw -a list looks like:

sara# ipfw -a list
00005 0 0 allow ip from any to any via xl0
00010 52 3640 allow ip from any to any via lo0
00014 0 0 divert 8668 ip from any to any in recv dc1
00015 0 0 check-state
00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
00315 0 0 deny tcp from any to any 113 in recv dc1
00320 0 0 deny tcp from any to any 137 in recv dc1
00321 0 0 deny tcp from any to any 138 in recv dc1
00322 0 0 deny tcp from any to any 139 in recv dc1
00323 0 0 deny tcp from any to any 81 in recv dc1
00330 0 0 deny ip from any to any in recv dc1 frag
00332 0 0 deny tcp from any to any in recv dc1 established
00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
00370 0 0 allow tcp from any to me limit src-addr 2 in recv dc1 setup
00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
00400 0 0 deny log logamount 10 ip from any to any in recv dc1
00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
00800 0 0 divert 8668 ip from any to any out xmit dc1
00801 645 59255 allow ip from any to any
00999 0 0 deny log logamount 10 ip from any to any
65535 1 347 deny ip from any to any

This is what my /etc/rc.conf looks like:

hostname="sara.mshome.net"
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"