Re: NATD Firewall Rules Setup

2003-08-24 Thread chael
I suggest you complete your ipfw rules based on the "simple" ruleset within
/etc/rc.firewall. Substitute the variables, assuming you have natd_enable=YES and
firewall_enable=YES in rc.conf.

chael

- Original Message -
From: Thomas Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 2:40 AM
Subject: NATD Firewall Rules Setup


 I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
 locked down as I need it to be but am having issues getting NAT working.
 The firewall config file is included below.

 Note that if I add the allow all rule to the end of the file NAT works
 fine. I'm certain it's an IPFW issue but haven't been able to figure it
 out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
 (preferably with examples of usage) would be very helpful. I haven't
 been able to find a lot of info outside of the Handbook and what I do
 find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
 all traffic.

 # Internal network variables
 iif=rl1
 inet=192.168.20.0
 iip=192.168.20.2
 imask=255.255.255.0

 # External network variables
 oif=rl0
 onet=216.161.174.0
 oip=216.161.174.7
 omask=255.255.255.0

 # Clear current rules
 /sbin/ipfw -f flush

 # Allow TCP in, if setup succeeded
 /sbin/ipfw add pass tcp from any to any established

 # Allow all local traffic
 /sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

 # Stop spoofing
 /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
 /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

 # Stop RFC1918 nets on the external interface
 /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
 /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
 /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

 # Allow internal network traffic
 /sbin/ipfw add pass all from ${iip} to any
 /sbin/ipfw add pass all from ${inet}:${imask} to ${iip}

 # Allow NAT traffic out.
 /sbin/ipfw add divert natd all from any to any via ${oif}

 # Allow setup of SSH connections
 /sbin/ipfw add pass tcp from any to ${oip} 22 setup



 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]





Re: NATD Firewall Rules Setup

2003-08-24 Thread Micheal Patterson

- Original Message - 
From: Thomas Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 1:40 PM
Subject: NATD Firewall Rules Setup


 I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
 locked down as I need it to be but am having issues getting NAT working.
 The firewall config file is included below.

 Note that if I add the allow all rule to the end of the file NAT works
 fine. I'm certain it's an IPFW issue but haven't been able to figure it
 out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
 (preferably with examples of usage) would be very helpful. I haven't
 been able to find a lot of info outside of the Handbook and what I do
 find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
 all traffic.


snip

 # Allow NAT traffic out.
 /sbin/ipfw add divert natd all from any to any via ${oif}

Unless things have changed since I started using NAT years ago with 2.7,
your rule to divert to NAT needs to be the very first rule of your firewall.
Any rules after will still be processed as normal since NAT reinjects the
packet back into the firewall at the next rule number for any additional
processing.


--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230
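
To see why the position of the divert line matters, here is an added example (my own Python, not code from this thread and not FreeBSD's ipfw or natd): a toy model of ipfw first-match evaluation with a divert rule, run over the posted ruleset and over the same rules with the divert moved to the top. The model assumes a default-deny last rule, keeps only the posted rules that decide the outcome, and adds two pass rules of its own (LAN traffic in on rl1, translated traffic out on rl0); those two rules, the inside host 192.168.20.5 and the remote 198.51.100.10 are all assumptions. With the posted order the inbound reply matches rule 1 ("established") before it ever reaches the divert, so it is passed untranslated with the firewall's own address as destination; with the divert first it is rewritten to the inside host before any pass rule sees it.

```python
"""Toy model of ipfw first-match evaluation with a 'divert natd' rule.

Added example for this thread, not FreeBSD code. Rules are tried in order;
'in'/'out'/'via' test the interface a packet is crossing; 'established' and
'setup' test TCP flag bits; a divert match hands the packet to a tiny natd that
translates it and re-injects it at the next rule. Default rule assumed: deny.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

OIF, IIF, OIP = "rl0", "rl1", "216.161.174.7"   # interfaces and address from the thread
INET = "192.168.20.0/24"

@dataclass
class Packet:                    # every packet in this model is TCP
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]        # TCP flag names, e.g. {"syn"} or {"syn", "ack"}
    iface: str = ""
    direction: str = "in"        # "in" or "out" on iface

@dataclass
class Rule:
    action: str                      # pass | deny | divert
    src: str = "any"                 # "any" or CIDR
    dst: str = "any"
    dport: Optional[int] = None
    tcp: Optional[str] = None        # established | setup
    direction: Optional[str] = None  # in | out | None matches either
    via: Optional[str] = None

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(rule, pkt):
    ok = (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
          and rule.dport in (None, pkt.dport) and rule.direction in (None, pkt.direction)
          and rule.via in (None, pkt.iface))
    if rule.tcp == "established":                  # ACK or RST set
        ok = ok and bool(pkt.flags & {"ack", "rst"})
    elif rule.tcp == "setup":                      # SYN set, ACK clear
        ok = ok and "syn" in pkt.flags and "ack" not in pkt.flags
    return ok

def natd(pkt, table):
    """Minimal natd: translate traffic crossing OIF; mappings keyed on source port."""
    if pkt.iface == OIF and pkt.direction == "out" and _in(pkt.src, INET):
        table[pkt.sport] = pkt.src                 # remember who owns this port
        return replace(pkt, src=OIP)
    if pkt.iface == OIF and pkt.direction == "in" and pkt.dst == OIP and pkt.dport in table:
        return replace(pkt, dst=table[pkt.dport])
    return pkt

def evaluate(rules, pkt, table):
    """First-match evaluation; returns (verdict, rule number, packet as it leaves)."""
    for number, rule in enumerate(rules, start=1):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, table)                 # natd re-injects at the next rule
            continue
        return rule.action, number, pkt
    return "deny", 65535, pkt                      # default rule: deny (assumed)

# Posted order, abridged to the rules that decide the outcome.
POSTED = [
    Rule("pass", tcp="established"),                        # 1
    Rule("deny", src=INET, direction="in", via=OIF),        # 2 anti-spoof
    Rule("deny", src="192.168.0.0/16", via=OIF),            # 3 RFC1918 on rl0
    Rule("divert", via=OIF),                                # 4
    Rule("pass", dst=OIP + "/32", dport=22, tcp="setup"),   # 5
]
# Divert moved first, plus two pass rules (my additions, not from the thread)
# so LAN traffic may enter on rl1 and, once translated, leave on rl0.
FIXED = [POSTED[3]] + POSTED[:3] + [
    Rule("pass", src=INET, direction="in", via=IIF),
    Rule("pass", src=OIP + "/32", direction="out", via=OIF, tcp="setup"),
    POSTED[4],
]

def trace(rules):
    """One LAN-originated TCP connection through all four firewall passes (SYN in on
    rl1, out on rl0; SYN+ACK in on rl0, out on rl1). Stops at the first deny."""
    table, hops = {}, []
    pkt = Packet("192.168.20.5", "198.51.100.10", 40000, 80, frozenset({"syn"}))  # made-up hosts
    for hop, iface, direction in (("syn in", IIF, "in"), ("syn out", OIF, "out"),
                                  ("reply in", OIF, "in"), ("reply out", IIF, "out")):
        if hop == "reply in":                      # the remote answers the address it saw
            pkt = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, frozenset({"syn", "ack"}))
        verdict, number, pkt = evaluate(rules, replace(pkt, iface=iface, direction=direction), table)
        hops.append((hop, verdict, number, pkt.src, pkt.dst))
        if verdict != "pass":
            break
    return hops

def reply_only(rules):
    """Only the inbound SYN+ACK, NAT mapping already present: isolates the effect of order."""
    reply = Packet("198.51.100.10", OIP, 80, 40000, frozenset({"syn", "ack"}), OIF, "in")
    return evaluate(rules, reply, {40000: "192.168.20.5"})

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("divert first", FIXED)):
        print(name, trace(rules), reply_only(rules)[:2])
```

Real ipfw matches far more keywords and natd(8) keeps per-connection state, so this is not a substitute for the man pages; the point that survives is the one made above: whichever rule passes a packet before the divert line also decides where the packet goes, so on a NAT box the divert has to run before the rules that pass traffic.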



NATD Firewall Rules Setup

2003-08-22 Thread Thomas Smith
I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall 
locked down as I need it to be but am having issues getting NAT working. 
The firewall config file is included below.

Note that if I add the allow all rule to the end of the file NAT works 
fine. I'm certain it's an IPFW issue but haven't been able to figure it
out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation 
(preferably with examples of usage) would be very helpful. I haven't 
been able to find a lot of info outside of the Handbook and what I do 
find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow 
all traffic.

# Internal network variables
iif=rl1
inet=192.168.20.0
iip=192.168.20.2
imask=255.255.255.0

# External network variables
oif=rl0
onet=216.161.174.0
oip=216.161.174.7
omask=255.255.255.0

# Clear current rules
/sbin/ipfw -f flush

# Allow TCP in, if setup succeeded
/sbin/ipfw add pass tcp from any to any established

# Allow all local traffic
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the external interface
/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

# Allow internal network traffic
/sbin/ipfw add pass all from ${iip} to any
/sbin/ipfw add pass all from ${inet}:${imask} to ${iip}

# Allow NAT traffic out.
/sbin/ipfw add divert natd all from any to any via ${oif}

# Allow setup of SSH connections
/sbin/ipfw add pass tcp from any to ${oip} 22 setup




Re: NATD Firewall Rules Setup

2003-08-22 Thread Bob Hall
On Fri, Aug 22, 2003 at 11:40:50AM -0700, Thomas Smith wrote:
 I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall 
 locked down as I need it to be but am having issues getting NAT working. 
 The firewall config file is included below.
 
 Note that if I add the allow all rule to the end of the file NAT works 
 fine. I'm certain it's an IPFW issue but haven't been able to figure it
 out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation 
 (preferably with examples of usage) would be very helpful. I haven't 
 been able to find a lot of info outside of the Handbook and what I do 
 find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow 
 all traffic.

All NAT does is translate your IP addresses. If it works with the allow 
all rule, then it works. It's the firewall, not NAT, that you need to 
adjust.

When I set up my current firewall, I ran tcpdump for about a week, 
saving the output to a (huge) file. Then I analyzed it with nstreams 
to get an idea of what the traffic was like and what rules were needed. 
I still needed to do some tweaking; e.g. Windows vs. FBSD traceroute, 
but nstreams got me 90% of the way there.

Bob Hall
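
The capture-then-summarise approach Bob describes, as an added example (my own Python, not Bob's setup and not nstreams, which it stands in for): it parses a constructed capture in the line format `tcpdump -n` prints, counts only the packets that start a flow (TCP SYNs, UDP requests from inside, ICMP echo requests), and drafts candidate ipfw pass rules for outbound traffic while listing inbound starts for review rather than opening them. The capture lines, the hosts 198.51.100.x and 203.0.113.5, and the simple protocol detection are all assumptions.

```python
"""Summarise connection starts in tcpdump output into draft ipfw rules.

Added example for this thread, not Bob's tooling: a small stand-in for the
nstreams step. The capture below is constructed, in the line format that
`tcpdump -n` prints; it is not a real trace. Protocol detection is deliberately
simple (TCP lines carry 'Flags [', ICMP lines say 'ICMP', everything else is
treated as UDP), which is enough for this sample.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

INET = ip_network("192.168.20.0/24")          # inside network from the thread

# Constructed sample of `tcpdump -n -i rl1` output (not a real capture).
SAMPLE = """\
12:00:01.000001 IP 192.168.20.5.40000 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.020000 IP 198.51.100.10.80 > 192.168.20.5.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.030000 IP 192.168.20.5.40000 > 198.51.100.10.80: Flags [.], ack 1, win 65535, length 0
12:00:02.000000 IP 192.168.20.7.53001 > 198.51.100.53.53: 12345+ A? example.com. (29)
12:00:02.010000 IP 198.51.100.53.53 > 192.168.20.7.53001: 12345 1/0/0 A 203.0.113.5 (45)
12:00:03.000000 IP 192.168.20.5.40001 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
12:00:03.500000 IP 192.168.20.9.40002 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
12:00:04.000000 IP 198.51.100.77 > 192.168.20.5: ICMP echo request, id 1, seq 1, length 64
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?"    # dotted quad with an optional trailing port
LINE = re.compile(rf"^\S+ IP {ADDR} > {ADDR}: (.*)$")

def proto_of(rest):
    if rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("ICMP"):
        return "icmp"
    return "udp"

def flow_starts(capture, inside=INET):
    """Count packets that start a flow, keyed by (proto, direction, dport).

    Only TCP SYNs (not SYN+ACK), UDP packets sent from inside, and ICMP echo
    requests count; replies and mid-stream packets would be covered by an
    'established'-style rule and would otherwise double-count every flow.
    """
    starts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, _sport, dst, dport, rest = m.groups()
        proto = proto_of(rest)
        outbound = ip_address(src) in inside
        if proto == "tcp" and not rest.startswith("Flags [S],"):
            continue
        if proto == "udp" and not outbound:
            continue
        if proto == "icmp" and "echo request" not in rest:
            continue
        starts[(proto, "out" if outbound else "in", int(dport) if dport else None)] += 1
    return starts

def draft_rules(starts, inet="192.168.20.0/24"):
    """Turn outbound flow starts into candidate ipfw lines for a human to review.
    Inbound starts are listed for review, never turned into pass rules automatically."""
    rules = []
    for (proto, direction, dport), n in sorted(starts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if direction == "out" and proto == "tcp":
            rules.append(f"add pass tcp from {inet} to any {dport} setup  # {n} SYN(s) seen")
        elif direction == "out" and proto == "udp":
            rules.append(f"add pass udp from {inet} to any {dport}  # {n} request(s) seen")
        else:
            where = f" to port {dport}" if dport else ""
            rules.append(f"# REVIEW: {n} {direction}bound {proto}{where}; no rule drafted")
    return rules

if __name__ == "__main__":
    print("\n".join(draft_rules(flow_starts(SAMPLE))))
```

Run it against a week of real `tcpdump -n` output the way Bob did and the draft list is only a starting point: the counts tell you which rules carry real traffic, and anything it flags for review (inbound starts, odd ports) is exactly the part that deserves a human decision rather than a generated pass rule.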