ipfw + ppp config problem
Michael Lopez
bsdfreakish at yahoo.com
Sun Nov 30 02:02:48 PST 2003
Hi guys, I need help setting up my ipfw. At the moment I've got 2 computers, one running FreeBSD 4.9 stable and the other one Windows XP, connecting to the internet using dial-up (which is ppp) with a static IP. I've already compiled the kernel to enable the firewall, as well as set up rc.conf and the firewall rules (firewall_rules) as described below:
rc.conf
....
gateway_enable="YES"
inetd_enable="YES"
#################################################
# Firewall Configuration
#
firewall_enable=YES
firewall_quiet=YES
firewall_type=/usr/local/etc/firewall_rules
firewall_flags="-p cpp \
-D INT_IF=rl0 \
-D INT_ADDR=192.168.0.1 \
-D INT_NET=192.168.0.0/16 \
-D EXT_IF=tun0 \
-D EXT_ADDR=202.24.54.145 \
-D EXT_NET=202.24.54.145/27 \
-D LOG_DROPPED_PACKETS \
-D ALLOW_ALL_ICMP \
-D ALLOW_ACTIVE_FTP \
-D ALLOW_TRACEROUTE \
-D LOCAL_NAME_SERVER \
-D LOCAL_TIME_SERVER \
-D LOCAL_VPN_SERVER \
-D ROUTE_INTERNAL_NET "
# Enable firewall debugging with
# sysctl -w net.inet.ip.fw.verbose=1
# and look at /var/log/security
#################################################
# NAT Configuration
#
# run NAT on the public interface
#natd_enable=YES
#natd_interface=tun0
#natd_flags="-log_denied -use_sockets"
# for testing NAT
#natd_flags="$natd_flags -verbose"
firewall_rules
#ifdef DROP_SILENT
# ifdef LOG_DROPPED_PACKETS
# define BLOCK_TCP deny log
# define BLOCK_UDP deny log
# define BLOCK_ICMP deny log
# else
# define BLOCK_TCP deny
# define BLOCK_UDP deny
# define BLOCK_ICMP deny
# endif
#else
# ifdef LOG_DROPPED_PACKETS
# define BLOCK_TCP reset log
# define BLOCK_UDP unreach port log
# define BLOCK_ICMP unreach filter-prohib log
# else
# define BLOCK_TCP reset
# define BLOCK_UDP unreach port
# define BLOCK_ICMP unreach filter-prohib
# endif
#endif
/*** IP ******************************************************/
// filter out all bogus packets at the external interface
add 00990 skipto 2100 ip from any to EXT_ADDR in recv EXT_IF
add 00999 deny all from any to any in recv EXT_IF
// hand off packets to natd; they will be reinjected, with the address
// translated, into the next rule
#ifdef DIVERT_TO_NATD
#add 01000 divert natd ip from any to any via EXT_IF
#endif
// prevent spoofing
add 02100 deny all from INT_NET to any in via EXT_IF
add 02110 deny all from EXT_NET to any in via INT_IF
#ifdef ROUTE_INTERNAL_NET
// allow all packets from the internal network, on any interface
add 02300 allow all from INT_NET to any
#else
add 02300 allow all from INT_ADDR to INT_NET via INT_IF
#endif
#ifdef LOCAL_VPN_SERVER
add 02400 allow gre from any to any via EXT_IF
#endif
/*** TCP ****************************************************/
// allow all established connections
add 03000 allow tcp from any to any established
// allow outgoing TCP setups from the local host, and from the internal
// network
add 03100 allow tcp from EXT_ADDR to any out via EXT_IF
//add 03110 allow tcp from INT_NET to any in recv INT_IF setup
// allow the return TCP connection for FTP data session
#ifdef ALLOW_ACTIVE_FTP
add 03200 allow tcp from any 20 to EXT_ADDR in recv EXT_IF setup
add 03210 allow tcp from any 20 to INT_NET // out xmit INT_IF setup
#endif
// allow SMTP to the local host
add 03300 allow tcp from any to EXT_ADDR smtp in recv EXT_IF setup
// allow SSH to the local host
add 03400 allow tcp from any to EXT_ADDR ssh in recv EXT_IF setup
#ifdef LOCAL_NAME_SERVER
// allow zone transfers to the outside world
add 03500 allow tcp from any to EXT_ADDR domain in recv EXT_IF setup
#endif
#ifdef LOCAL_VPN_SERVER
// allow traffic to PPTP daemon
add 03600 allow tcp from any to EXT_ADDR pptp in recv EXT_IF setup
#endif
// all other TCP connections are blocked
add 03900 BLOCK_TCP tcp from any to any in via EXT_IF
/*** UDP ****************************************************/
// allow client DNS queries to the outside from this machine
// (domain = DNS port number)
add 04000 allow udp from any domain to EXT_ADDR
add 04010 allow udp from EXT_ADDR to any domain
#ifdef LOCAL_NAME_SERVER
// allow client DNS queries from the internal net to this name server
add 04020 allow udp from INT_NET to INT_ADDR domain
add 04030 allow udp from INT_ADDR domain to INT_NET
// allow server DNS queries to this nameserver from the Internet
add 04040 allow udp from any to EXT_ADDR domain
add 04050 allow udp from EXT_ADDR domain to any
#endif
#ifdef LOCAL_TIME_SERVER
// allow NTP to/from the local host and out to the local network
add 04100 allow udp from any ntp to EXT_ADDR ntp
add 04110 allow udp from EXT_ADDR ntp to any ntp
add 04120 allow udp from INT_ADDR ntp to INT_NET ntp
#endif
#ifdef ALLOW_TRACEROUTE
// allow traceroutes
add 04300 allow udp from EXT_ADDR to any 33434-33534
add 04310 allow udp from INT_NET to any 33434-33534
#endif
// block everything else
add 04900 BLOCK_UDP udp from any to any in via EXT_IF
/*** ICMP **************************************************/
#ifdef ALLOW_ALL_ICMP
// allow all ICMP packets to and from anywhere
add 05000 allow icmp from any to any
#else
// allow only essential ICMP packets to and from the local host
add 05000 allow icmp from EXT_ADDR to any icmptype 3,4,11,12
add 05010 allow icmp from any to EXT_ADDR icmptype 3,4,11,12
// as well as to/from the internal network
add 05100 allow icmp from INT_NET to any icmptype 3,4,11,12
add 05110 allow icmp from any to INT_NET icmptype 3,4,11,12
#endif
/*** EVERYTHING ELSE IS DENIED *********/
#ifdef LOG_DROPPED_PACKETS
add 65000 deny log all from any to any
#else
add 65000 deny all from any to any
#endif
using the reference from http://renaud.waldura.com/doc/freebsd/firewall/
but I'd slightly modified the NAT and the rules; as you can see I commented out the NAT configuration, and at rule 990 I set it to skip to rule 2100 instead of rule 1000, since NAT didn't work well with ppp (it can't recognize the tun0 device at startup, and when I tried to add it manually after connecting using ppp, FreeBSD couldn't connect to the net either).
As a result, using this firewall my FreeBSD box is the only one that connects to the net (but both boxes are able to communicate well on the LAN: ping, sshd, ftp, etc.). My questions are:
1.) Does anybody (who's an expert with ipfw) know what's wrong with my configuration?
2.) Is there any possibility of using NAT (not user ppp NAT) with ipfw + ppp?
References and URLs are welcome. (By the way, I've browsed most sites on google.com/bsd regarding ipfw + ppp + nat, but then again only the reference I used above works pretty close to what I need... I think.)
Thank you once again,
Regards,
Mike
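As an added example (not from the post or the referenced page), a small Python lint that expands the #ifdef/#define conditionals the way cpp -D does and reports whether a packet that takes the skipto at rule 990 still reaches the natd divert rule: with skipto 2100 the divert at 1000 is jumped over, so re-enabling natd alone would leave inbound traffic to the public address untranslated. SAMPLE_RULES is a constructed abbreviation of the posted file, and the macro names are the ones from firewall_flags.

```python
import re

SAMPLE_RULES = """\
// constructed, abbreviated copy of the posted firewall_rules (sample input, not the full file)
#ifdef LOG_DROPPED_PACKETS
# define BLOCK_TCP deny log
#endif
add 00990 skipto 2100 ip from any to EXT_ADDR in recv EXT_IF
add 00999 deny all from any to any in recv EXT_IF
#ifdef DIVERT_TO_NATD
add 01000 divert natd ip from any to any via EXT_IF
#endif
add 02100 deny all from INT_NET to any in via EXT_IF
add 03900 BLOCK_TCP tcp from any to any in via EXT_IF
add 65000 deny all from any to any
"""

def preprocess(text, defines):
    """Expand #ifdef/#else/#endif and '# define' like cpp -D; return active (num, action, rest) rules."""
    macros, stack, rules = dict(defines), [], []
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"#\s*(ifdef|else|endif|define)\s*(.*)", s)
        if m:
            kw, arg = m.groups()
            if kw == "ifdef":
                stack.append(arg.strip() in macros)
            elif kw == "else":
                stack[-1] = not stack[-1]
            elif kw == "endif":
                stack.pop()
            elif all(stack):  # a define only takes effect in an active region
                name, _, value = arg.partition(" ")
                macros[name] = value.strip()
        elif all(stack) and s.startswith("add "):  # skip inactive regions, // comments, blanks
            for name, value in macros.items():  # substitute EXT_IF, BLOCK_TCP, ...
                s = re.sub(r"\b%s\b" % re.escape(name), value, s)
            parts = s.split(None, 3)
            rules.append((int(parts[1]), parts[2], parts[3] if len(parts) > 3 else ""))
    if stack:
        raise ValueError("unterminated #ifdef: every #ifdef needs a matching #endif")
    return rules

def check_nat_path(rules):
    """Return (divert_present, bypassed): a skipto at n targeting t jumps over a divert at d if n < d < t."""
    diverts = [n for n, action, _ in rules if action == "divert"]
    if not diverts:
        return (False, False)
    skips = [(n, int(rest.split()[0])) for n, action, rest in rules if action == "skipto"]
    return (True, any(n < diverts[0] < t for n, t in skips))
```

Running it on the full posted file with the -D macros from firewall_flags also catches the #ifdef LOCAL_VPN_SERVER block that is never closed.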