Login or Register to Ask a Question and Join Our Community


UNIX for Dummies Questions & Answers

fBSD nat ipfw

 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers fBSD nat ipfw
# 1  
Old 06-04-2002
Question fBSD nat ipfw
i am running nat on my freeBSD and web/ftp server.
The rule allow ip from any to any must always be? or how? if i accept all packets to go on my ep0 which diverts all to my intranet it doesnt help, must the rule allow ip from any to any always be ?
even if many rules are between divert rule and allow from any to any rule, system still be able easy hacked :)
p.s. sorry for my lang. :)
# 2  
Old 06-07-2002
FreeBSD firewall has a default rule numbered 65535, which is "allow all from any to any" or "deny all from any to any" depending on a kernel option [IPFIREWALL_DEFAULT_TO_ACCEPT], when this option is set you will have an open system. You can enable nat and firewall too, and define different rules for each interface, your web server should not be affected. Try these lines for your server:
Code:
ipfw add pass tcp from any to any established
ipfw add pass tcp from any to me 80 via {$ext_if} keep-state

For detailed information see ipfw man page and natd man page
# 3  
Old 06-07-2002
sorry i haven't said what i need properly. Now i try to.
i have the set of rules :

00050 divert 8668 ip from any to any via ed0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from 192.168.0.0/24 to any
00400 allow ip from any to 192.168.0.0/24
00900 allow ip from any to any
65535 deny ip from any to any

and even if i add these ones
00500 allow ip from x.x.x.x to 192.168.0.0/24
00550 allow ip from x.x.x.x to any via ep0
00600 allow ip from any to x.x.x.x via ep0
00800 allow ip from any to x.x.x.x
and then remove 900 rule , ipfw doesnt allow to work nat properly.
x.x.x.x - internet addres

ep0 - internal adapter
ed0 - external
# 4  
Old 06-07-2002
look at this example, i can asure you it's working, is a modification made to the default /etc/rc.firewall :
Code:
[Ss][Ii][Mm][Pp][Ll][Ee])
        ############
        # This is a prototype setup for a simple firewall.  Configure this
        # machine as a named server and ntp server, and point all the machines
        # on the inside at this machine for those services.
        ############

        dont_deny="my_very_best_friend"

        # set these to your outside interface network and netmask and ip
        oif="rl1"
        onet="outside_net_address"
        omask="255.255.255.240"
        oip="outside_ip_addr"

        # set these to your inside interface network and netmask and ip
        iif="rl0"
        inet="internal_net_address"
        imask="255.255.255.0"
        iip="internal_ip"

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}


        #########       RULES BEFORE NAT      ######################

        # Allow access for iserver
        #${fwcmd} add pass tcp from 192.168.10.10 to any out setup
        # Allow access for SIMM-3
        #${fwcmd} add pass tcp from 192.168.10.20 to any out setup
        # Deny everything else
        #${fwcmd} add deny all from 192.168.0.0/24 to any setup
        #

        #######################################################################

        # Network Address Translation.  This rule is placed here deliberately
        # so that it does not interfere with the surrounding address-checking
        # rules.  If for example one of your internal LAN machines had its IP
        # address set to 192.0.2.1 then an incoming packet for it after being
        # translated by natd(8) would match the `deny' rule above.  Similarly
        # an outgoing packet originated from it before being translated would
        # match the `deny' rule below.
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        ####    RULES AFTER NAT       ##########################

        ${fwcmd} add pass tcp from any to me 113
        ${fwcmd} add pass tcp from me 113 to any

        # ${fwcmd} add pass tcp from me to any via ${iif} keep-state

        ##################################################################

        # Don't deny address[es]
        ${fwcmd} add pass all from ${dont_deny} to any
        ${fwcmd} add pass all from any to ${dont_deny}

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any

        # Allow access to our WWW
        ${fwcmd} add pass tcp from any to ${oip} 80 setup

        # Allow access to Webmin
        ${fwcmd} add pass tcp from any to ${oip} 3129 setup

        # SSH
        ${fwcmd} add pass tcp from any to ${oip} 22 setup

        # FTP
        ${fwcmd} add pass tcp from any to ${oip} 21 setup

        # FTP-data
        ${fwcmd} add pass tcp from any to ${oip} 20 setup

        # SMTP
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        # POP3
        ${fwcmd} add pass tcp from any to ${oip} 110 setup

        # Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 53 keep-state

        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

added code tags for readability --oombera
Last edited by oombera; 02-18-2004 at 12:57 PM..
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. OS X (Apple)

How to enable ipfw.log?

Under Mountain Lion, I want logs from ipfw sent to ipfw.log instead of dumped in system.log I've tried to figure out how OSX handles logs, but... after going back and forth between a syslog.conf which does little if anything, a newsyslog.conf that seems to only handle rotation, an asl.conf that... (3 Replies)
Discussion started by: jnojr
3 Replies

2. UNIX for Advanced & Expert Users

ipfw and dhcp

Hello, I have a little problem with my server configuration. So: I have two PC's with DHCP enable and both of them have two NIC's. PC1 - le0 ADSL PC1 - le1 192.168.10.1 PC2 - le0 192.168.10.10 PC2 - le1 192.168.20.1 One NIC on PC1 is connected to ADSL, another one have IP address... (3 Replies)
Discussion started by: mrowcp
3 Replies

3. BSD

Using several pipes in ipfw (dummynet)

Hi! I've already posted this on the freebsd-questions mailing list, but I thought I could try it here too. I'm using FreeBSD 7.0 with IPFW DUMMYNET enabled. I've got a problem with creating a ruleset, which allows me to limit the overall bandwidth of a link and afterwards pass the packets... (0 Replies)
Discussion started by: xenator
0 Replies

4. UNIX for Advanced & Expert Users

FBSD jail question

I'm trying to establish a jail on a FBSD 6.1 system and have a couple of questions on bringing up the daemon. Under the jail man page there are two user flags that I am unclear on, -u username The user name from host environment as whom the command should run. -U... (1 Reply)
Discussion started by: thumper
1 Replies

5. UNIX for Dummies Questions & Answers

Need help with IPFW.. Please...

Hi folks, I am a Mac User, and have little knowledge on IPFW. I have a set up at home where my computer (with 2 ethernet cards and static IP adresses) serves Internet to my family's computers. I have already a script that will run automatically at login and called from Cron at certain... (2 Replies)
Discussion started by: fundidor
2 Replies

6. BSD

Casio CASSIOPEA BE-300 & fBSD

I just don't know how do I have to connect them... Connecting via USB, if some body knows, please post here... Thankue... (0 Replies)
Discussion started by: PomaH 6yxDAK
0 Replies

7. Cybersecurity

ipfw directives and order of precidence...

Is there a general rule I can apply when examining/editing ipfw entries? Also, does each new entry have to have a unique rule number? And, I think I can write a script to block code red infected machines (though I'm not sure it would do more than slim down my web server error message log),... (0 Replies)
Discussion started by: [MA]Flying_Meat
0 Replies

8. UNIX for Dummies Questions & Answers

Color konsole in FBSD 4.6

FBSD 4.6 How do I colorize my konsole to see directories etc. Am able to get color in the shell with ls -GF in my .bashrc. But color does not show in KDE3 Konsole (Xwindows) for some reason.FBSD 4.6 (1 Reply)
Discussion started by: lancest
1 Replies

9. UNIX for Dummies Questions & Answers

C-Media 8738 chipset for FBSD 4.4

HI i'm compiling my kernel with the support of this chipset. In FreeBSD 4.2 and 4.3 I got no problem with the kernel, but with 4.4 I just can't get the kernel compiled with the soundcard support. i added this to my kernel device pcm device snd something wrong... (2 Replies)
Discussion started by: Stormpie
2 Replies

10. UNIX for Dummies Questions & Answers

my fbsd gateway

hi i got a problem. I use a fbsd box to share my (DSL)internet connection. I got 2 networkcards in my fbsd box, but my networkcard 1 (to my modem) always go out. the led don't burn anymore and I lose my connection to the internet :( but my networkcard2 (to my local network) doesn't go out,... (2 Replies)
Discussion started by: Stormpie
2 Replies
Login or Register to Ask a Question