ipfw + natd problem

Post by Adam Rette » Tue, 04 Feb 2003 07:57:57



Hi Guys,

I'm finding it very hard to get my head around ipfw and natd.

I am trying to set up a FreeBSD 4.7 box to replace Smoothwall / IPCop (both
of which I have found to be inflexible). I've experience of FreeBSD servers,
but this is my first foray into firewalling with FreeBSD.

INTERNET <===> ( lnc0 DHCP ) FreeBSD-FW ( lnc1 192.168.0.254 ) <===>
Private-LAN ( 192.168.0.240/28 )

Firstly I want to achieve SmoothWall/IPCop firewall functionality and then
later use dummynet to add bandwidth management capabilities.
I.e. I want to allow all outgoing TCP and UDP connections from the Private
LAN to the Internet and to allow responses back for those connections.
I want to allow ICMP from the Private LAN out to the Internet but NOT vice
versa.
I want to deny all access to the Private LAN and the FreeBSD firewall itself
from the Internet.
I also need to understand how to add port forwarding from the Internet NIC
to the Private LAN.
Once this is all working I'll be happy :-) and worry about bandwidth with
dummynet later as a separate thing.

So far, with the help of various web pages, newsgroup articles and the
FreeBSD handbook, I have managed to recompile the kernel and get it installed
with support for the firewall options.
I have also enabled ipfw, natd and dnsmasq; dnsmasq is working fine. I think
my problem is the ipfw rules, which are driving me nuts. I have tried several
example configurations I have found, but alas, to no avail.

I'd greatly appreciate any help that anyone could lend me.

Thanks in advance - Adam.

My /etc/rc.conf looks like this -

kern_securelevel="2"
kern_securelevel_enable="YES"
keymap="uk.cp850"
saver="logo"

# Network Settings
tcp_extensions="YES"
hostname="freebsd.home.dom"
ifconfig_lnc0="DHCP"
ifconfig_lnc1="inet 192.168.0.254  netmask 255.255.255.240"

# Firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

# NAT
natd_enable="YES"
natd_interface="lnc0"
natd_flags="-m -log"

# Network Services
sendmail_enable="NONE"
sshd_enable="YES"

My /etc/ipfw.rules looks like this -

#!/bin/sh

fwcmd="/sbin/ipfw"

#Reset all Rules
$fwcmd -f flush

#Add Support for Nat
$fwcmd add 10 divert natd ip from any to any via lnc0

#Allow all data from my network card and localhost
$fwcmd add 100 allow ip from any to any via lo0
$fwcmd add 110 allow ip from any to any via lnc1

#Allow all connections that are Initiated from Private LAN
$fwcmd add 200 allow tcp from any to any out xmit lnc0 setup

#Allow Open connections to stay open
$fwcmd add 300 allow tcp from any to any via lnc0 established

#External Internet Access to Local Ports
$fwcmd add 1000 allow tcp from any to any 22 setup

#RESET all ident packets from External
$fwcmd add 2000 reset log tcp from any to any 113 in recv lnc0

#Allow UDP for DNS
$fwcmd add 3000 allow udp from any to any 53 out xmit lnc0
$fwcmd add 3001 allow udp from any 53 to any in recv lnc0

#Allow ICMP
$fwcmd add 4000 allow icmp from any to any

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 27/01/2003

 
 
 

ipfw + natd problem

Post by Arthur Reynold » Tue, 04 Feb 2003 08:51:43


> My /etc/rc.conf looks like this -

> kern_securelevel="2"
> kern_securelevel_enable="YES"
> keymap="uk.cp850"
> saver="logo"

> # Network Settings
> tcp_extensions="YES"
> hostname="freebsd.home.dom"
> ifconfig_lnc0="DHCP"
> ifconfig_lnc1="inet 192.168.0.254  netmask 255.255.255.240"

> # Firewall
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"

> # NAT
> natd_enable="YES"
> natd_interface="lnc0"
> natd_flags="-m -log"

> # Network Services
> sendmail_enable="NONE"
> sshd_enable="YES"

I use ipf and ipnat (instead of ipfw and natd) for the
firewalling and nat'ing, but either way you will need this
in rc.conf:

gateway_enable="YES"

 
 
 

ipfw + natd problem

Post by Adam Rette » Tue, 04 Feb 2003 12:50:12


A lot of the setups have said that I don't need gateway="yes" and some of
them have said I do need it.

I debated it with some guys in #FreeBSDHelp on EFnet earlier and they said
I probably didn't need it.
I disabled it because I didn't want to forward packets from the Internet to
the Private LAN.

Could you explain for me please what exactly it does and the effects of
enabling/disabling it?

Thanks

Adam.


> > My /etc/rc.conf looks like this -

> > kern_securelevel="2"
> > kern_securelevel_enable="YES"
> > keymap="uk.cp850"
> > saver="logo"

> > # Network Settings
> > tcp_extensions="YES"
> > hostname="freebsd.home.dom"
> > ifconfig_lnc0="DHCP"
> > ifconfig_lnc1="inet 192.168.0.254  netmask 255.255.255.240"

> > # Firewall
> > firewall_enable="YES"
> > firewall_script="/etc/ipfw.rules"

> > # NAT
> > natd_enable="YES"
> > natd_interface="lnc0"
> > natd_flags="-m -log"

> > # Network Services
> > sendmail_enable="NONE"
> > sshd_enable="YES"

> I use ipf and ipnat (instead of ipfw and natd) for the
> firewalling and nat'ing, but either way you will need this
> in rc.conf:

> gateway_enable="YES"

 
 
 

ipfw + natd problem

Post by Tom Mattman » Tue, 04 Feb 2003 19:20:52


AR> A lot of the setups have said that I don't need gateway="yes" and some
AR> of them have said I do need it.

gateway="yes" means that your box acts as a router, i.e. it is attached to
more than one network and should forward traffic from one network
(interface) to another.

Please read the FreeBSD handbook, Chapter 19.2, "Gateways and Routes", for more
details.

HTH,
Tom
--
 mailto: tom DOT mattmann AT terreactive DOT ch      spamto: /dev/null
 ---------------------------------------------------------------------
 "It is better to know some of the questions than all of the answers."
                                                      -- James Thurber

 
 
 

ipfw + natd problem

Post by Adam Rette » Wed, 05 Feb 2003 00:49:27


Okay, have read the mentioned FreeBSD Handbook page.

Gateway="yes" would seem like a good idea, doh!

Sorry, I was somewhat confused about where natd fits into the picture; I
thought this would masquerade and route my packets from one interface to the
other. Now I think it just does masquerading?

The only thing is I don't want hosts on the public network to be able to
access hosts on the private network, and when I set gateway="yes", it was the
case that I could add a static route to a host on the public network and it
could access hosts on the private network. Not a good thing at all!!!

I think the major problem here is my firewall rules, and what I have
mentioned above could be constrained by those. I now think what I really
need is help with my ipfw ruleset; would I be right in thinking this? Also,
do I need to repost this message as an ipfw rules question?

Thanks

Adam.



> AR> A lot of the setups have said that I don't need gateway="yes" and some
> AR> of them have said I do need it.

> gateway="yes" means that your box acts as a router, i.e. it is attached to
> more than one network and should forward traffic from one network
> (interface) to another.

> Please read the FreeBSD handbook, Chapter 19.2, "Gateways and Routes", for more
> details.

> HTH,
> Tom
> --
>  mailto: tom DOT mattmann AT terreactive DOT ch      spamto: /dev/null
>  ---------------------------------------------------------------------
>  "It is better to know some of the questions than all of the answers."
>                                                       -- James Thurber

 
 
 

ipfw + natd problem

Post by Eric P. McC » Wed, 05 Feb 2003 03:40:59



> Sorry, I was somewhat confused about where natd fits into the picture; I
> thought this would masquerade and route my packets from one interface to the
> other. Now I think it just does masquerading?

It's okay, NAT is not exactly a simple topic.  But all NAT really does
is its name, network address translation.  It "mangles" incoming and
outgoing packets, changing the source and destination addresses, and
then resubmits the packet back to the operating system for rerouting.

So NAT (and thence natd) does no forwarding or routing at all.  The
_only_ thing it does is mangle packets.  I can't figure out a case
where you wouldn't want the kernel to enable forwarding; unless I'm
missing something obvious, it would always have to be on.

> The only thing is I don't want hosts on the public network to be able to
> access hosts on the private network, and when I set gateway="yes", it was the
> case that I could add a static route to a host on the public network and it
> could access hosts on the private network. Not a good thing at all!!!

Add a rule like this:

  ipfw add deny ip from any to $lan_net in via $inet_if

For a more complete approach, you may want to add several sets of
rules.  Look in /etc/rc.firewall for the "simple" type of firewall,
then look at the "RFC1918" and "draft-manning-dsua-03.txt" sections
(both before _and_ after the divert natd rule).  Those are what
prohibit forwarding of private and other funky nets.

> I think the major problem here is my firewall rules, and what I have
> mentioned above could be constrained by those. I now think what I really
> need is help with my ipfw ruleset; would I be right in thinking this? Also,
> do I need to repost this message as an ipfw rules question?

This thread is fine, no need to start another one.

I recommend a methodical approach.  It may not work for you, but it's
what works best for me.  Start out by dealing with the local network
only (I do this with the Internet-side cat5 physically unplugged).

From glancing quickly at your firewall rules, they seem pretty much
fine.  You should probably put your spoof-drop rules (the lo0 and
RFC1918 et al. rules) before the divert natd step just to make sure it
doesn't get confused.  Oh, and you need to put the RFC1918 et
al. rules in twice, once _before_ the divert natd (from any to
10.0.0.0/8) and once _after_ (from 10.0.0.0/8 to any); that's the only
real gotcha.

Post back if you are still having problems after making these
changes, or if you don't understand what they do.

--

"Last I checked, it wasn't the power cord for the Clue Generator that
was sticking up your ass." - John Novak, rasfwrj
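Pulling Adam's ruleset and Eric's corrections together, here is a complete firewall_script for the two-NIC gateway in this thread. It is an added example, not Adam's script and not code from FreeBSD or any other project. It assumes what the thread states: lnc0 is the Internet side (DHCP), lnc1 the LAN side at 192.168.0.254, and the LAN is 192.168.0.240/28. The point it demonstrates is the ordering Eric describes: the deny-to-LAN and RFC1918 checks on *destination* go before `divert natd`, because inbound packets still carry the public address there, while the checks on *source* go after it, because outbound LAN packets still carry a private source until natd has rewritten them. The port-forward target 192.168.0.241 and the `natd -redirect_port` mapping it goes with are constructed for illustration and are not from the thread.

```shell
#!/bin/sh
# Added example for the gateway described in this thread (not Adam's script, and
# not code from FreeBSD or any project).  It applies Eric's advice: anti-spoofing
# and RFC1918 checks sit on both sides of the divert natd rule, destination checks
# before NAT and source checks after it.
# Assumed from the thread: lnc0 is the Internet side (DHCP), lnc1 the LAN side at
# 192.168.0.254, LAN = 192.168.0.240/28.  The port-forward host 192.168.0.241 is
# a constructed value used only to illustrate the post-divert allow rule.

inet_if="lnc0"
lan_if="lnc1"
lan_net="192.168.0.240/28"
fwd_host="192.168.0.241"   # constructed: LAN web server behind natd -redirect_port tcp 192.168.0.241:80 80

# Each rule is one line of ipfw arguments; rules() only prints them so the
# set can be reviewed before it is loaded into the kernel.
rule() { printf '%s\n' "$*"; }

rules() {
    rule -f flush

    # Loopback, and nothing else may carry 127/8 addresses.
    rule add 100 allow ip from any to any via lo0
    rule add 110 deny log ip from any to 127.0.0.0/8
    rule add 120 deny log ip from 127.0.0.0/8 to any

    # BEFORE divert natd (inbound packets still carry the public destination):
    # Eric's rule, so an Internet host with a static route for our LAN cannot
    # reach it directly, plus RFC1918 destinations on the outside interface.
    rule add 200 deny log ip from any to $lan_net in recv $inet_if
    rule add 210 deny log ip from any to 10.0.0.0/8 via $inet_if
    rule add 211 deny log ip from any to 172.16.0.0/12 via $inet_if
    rule add 212 deny log ip from any to 192.168.0.0/16 via $inet_if

    # Translate everything on the outside interface.  From here on inbound
    # packets carry their LAN destination, outbound packets their public source.
    rule add 300 divert natd ip from any to any via $inet_if

    # AFTER divert natd: source checks.  Placed before the divert they would
    # drop every outbound LAN packet, whose source is still private there.
    rule add 310 deny log ip from 10.0.0.0/8 to any via $inet_if
    rule add 311 deny log ip from 172.16.0.0/12 to any via $inet_if
    rule add 312 deny log ip from 192.168.0.0/16 to any via $inet_if

    # LAN side: the private network may talk to the gateway and through it.
    rule add 400 allow ip from any to any via $lan_if

    # Outbound TCP from the LAN or the gateway itself, and the return traffic.
    rule add 500 allow tcp from any to any via $inet_if established
    rule add 510 allow tcp from any to any out xmit $inet_if setup
    # Port forward: natd has already rewritten the destination to the LAN host,
    # so this allow must follow rule 300 and name the internal address.
    rule add 520 allow tcp from any to $fwd_host 80 in recv $inet_if setup

    # UDP: DNS queries and their replies; DHCP for the lnc0 lease (renewals
    # may leave through a normal socket rather than bpf, so allow them).
    rule add 600 allow udp from any to any 53 out xmit $inet_if
    rule add 601 allow udp from any 53 to any in recv $inet_if
    rule add 610 allow udp from any 68 to any 67 out xmit $inet_if
    rule add 611 allow udp from any 67 to any 68 in recv $inet_if

    # ICMP out only, but let echo replies, unreachables and time-exceeded back
    # in so ping, traceroute and path-MTU discovery keep working.
    rule add 700 allow icmp from any to any out xmit $inet_if
    rule add 701 allow icmp from any to any in recv $inet_if icmptypes 0,3,11

    # Reset ident probes instead of silently dropping them (mail servers wait less).
    rule add 800 reset log tcp from any to any 113 in recv $inet_if

    # Everything else, including every new inbound connection, is dropped and logged.
    rule add 65000 deny log ip from any to any
}

# Load the ruleset one line at a time; word splitting of $line is intended.
apply() {
    rules | while read -r line; do
        /sbin/ipfw $line
    done
}

# rc runs firewall_script with no arguments.  "--print" (or a host without
# /sbin/ipfw) only shows the rules, so the set can be reviewed off the gateway.
if [ "${1:-}" = "--print" ] || [ ! -x /sbin/ipfw ]; then
    rules
else
    apply
fi
```

To use it as Adam's rc.conf does, point `firewall_script` at the file and, as Arthur and Tom say, set `gateway_enable="YES"`; the deny rules above, not a disabled forwarder, are what keep Internet hosts out of the LAN. For the port forward, natd does the rewriting (`-redirect_port tcp 192.168.0.241:80 80` appended to `natd_flags`, a real natd option but an assumption here) and rule 520 admits the rewritten packet. Two caveats: the ruleset only returns UDP for DNS and DHCP, since allowing arbitrary UDP replies statelessly would open every high port, and stateful `keep-state` rules interact awkwardly with `divert` because the dynamic rule sees different addresses on each side of the translation; and because the script starts with a flush, load it from the console or a LAN-side session, never over the Internet interface it is about to close.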

 
 
 

ipfw + natd problem

Post by Zeno Sirb » Fri, 07 Feb 2003 12:41:00


Adam:

Hope this will help:
http://renaud.waldura.com/doc/freebsd/firewall/

Cheers,

-- Zeno

 
 
 

ipfw + natd problem

Post by Adam Rette » Wed, 12 Feb 2003 23:48:23


Thanks Guys,

Have been very busy the last two weeks, will try to catch up with this
thread this week.

Again thanks everyone for all their help - the below link looks very good
too (had a quick look).

Adam.


> Adam:

> Hope this will help:
> http://renaud.waldura.com/doc/freebsd/firewall/

> Cheers,

> -- Zeno
