Re: ipfw + natd woes
From: Klik (klik@unstable.org)
Date: 07/09/01
- Next message: alya radzik: "help save a little girl"
- Previous message: Matt Dillon: "Re: Fwd: Multiple vendor 'Taylor UUCP' problems."
- In reply to: Klik: "ipfw + natd woes"
From: "Klik" <klik@unstable.org> To: <freebsd-security@freebsd.org> Date: Mon, 9 Jul 2001 01:14:01 -0400
Here is some more info on the setup, sorry about the incomplete post...
extra kernel options:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options DUMMYNET
results of netstat -nr:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0
#!/bin/sh
# firewall ruleset
/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out
I tried all of these without the 'established' and 'setup' - no change
# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0
#nat line
/sbin/ipfw add divert natd all from any to any via rl0
/etc/rc.conf:
network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
natd flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.
----- Original Message -----
From: Klik
To: freebsd-security@freebsd.org
Sent: Sunday, July 08, 2001 10:55 PM
Subject: ipfw + natd woes
Hello,
I'm having trouble setting up my ipfw firewall with a default rule of deny while using natd.. My setup is as follows:
Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB
natd flags: -m -s -n nic1
If I remove the 'allow ip from any to any' rule and add a bunch of permit statements for DNS, HTTP, IRC, etc., the packets will only go to the FreeBSD machine. None of the machines on the local network are able to access the outside world. I've read the past threads about ipfw and natd, the natd and ipfw man pages ...I'm about to pull my hair out
Any help would be greatly appreciated
Greg
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
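The ipfw + natd layout the thread is about, written out as an added example (not the poster's script nor anything from the list): the divert rule is placed ahead of the filtering rules so LAN traffic is translated before it is filtered, and the client rules name the destination port rather than the source port. It assumes rl0 and ed1 from the post; the rule numbers and the port list are my own choices.

```shell
#!/bin/sh
# Added example, not the poster's script: an ipfw ruleset for natd under a
# default-deny policy. Assumes rl0 faces the cable modem and ed1 the LAN, as
# in the post; rule numbers and the port list are my own choices.
EXT=rl0
INT=ed1
IPFW=${IPFW:-/sbin/ipfw}

# Emit the rules in order. The divert rule sits first so that outbound LAN
# packets are translated before they are filtered and inbound replies are
# untranslated before the 'established' rule sees them. Client rules read
# "to any PORT ... setup out": the destination port is the service, not the
# source port as in the post's "from any PORT ... setup out".
gen_rules() {
    echo "add 100 divert natd ip from any to any via $EXT"
    echo "add 200 allow ip from any to any via lo0"
    echo "add 300 allow ip from any to any via $INT"
    # RFC1918 sources must never arrive on the outside interface
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "add 400 deny log ip from $net to any in via $EXT"
    done
    echo "add 500 allow tcp from any to any established"
    for port in 21 22 25 53 80 110 113 143; do
        echo "add 600 allow tcp from any to any $port out via $EXT setup"
    done
    # DNS and NTP are UDP; the post only opened TCP 53 and 123
    for port in 53 123; do
        echo "add 700 allow udp from any to any $port out via $EXT"
        echo "add 701 allow udp from any $port to any in via $EXT"
    done
    echo "add 65000 deny log ip from any to any"
}

# Load the rules into the kernel (flushes the existing set first).
apply_rules() {
    "$IPFW" -f flush
    gen_rules | while read -r rule; do
        # shellcheck disable=SC2086
        "$IPFW" $rule
    done
}

# Rule number of the first generated rule containing a pattern; lets the
# ordering be checked without touching the kernel.
rule_number() {
    gen_rules | grep -- "$1" | head -n 1 | cut -d' ' -f2
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `apply` as the first argument to load the rules; without it the script only defines the functions, so `gen_rules` can be inspected first.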