cat /etc/rc.conf:
# -- sysinstall generated deltas -- # Mon May 20 04:07:50 2002
# Created: Mon May 20 04:07:50 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="ZuanTiz.pacbell.net"
ifconfig_ep0="inet 192.168.1.88 netmask 255.255.255.0"
ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"
pptpd_enable="YES"
#FreeBSD Manual pp505 example on firewalls
#firewall_enable="YES" #Set to YES to enable firewall functionality #1) killed nfs
#firewall_type="simple" # Firewall type (see /etc/rc.firewall) #1) killed nfs
#firewall_enable="YES" #2) killed nfs
gateway_enable="YES" #pp412 Set to yes if this host will be a gateway
firewall_type="/scripts/myfw1" #2)
natd_enable="YES" #pp597 Enable natd (if firewall_enable == YES)
natd_interface="ep1" #remind me to change it back to ep0
#ep0 192.168.1.88
#ep1 192.168.0.1
#pp 507 Public interface or IPaddress to use.
# The following are kernel configuration options, not rc.conf variables: they belong in the
# kernel config file. rc.conf is sourced by /bin/sh, which would reject them as commands.
# options IPFIREWALL_VERBOSE
# options IPFIREWALL_FORWARD
# options IPFIREWALL_LIMIT=50
As you can see from some of the comments, I cannot mount my NFS share to this host
while the firewall is enabled.
Here are my rules, as called by firewall_type="/scripts/myfw1":
cat /scripts/myfw1:
#Forwarding IP
# My firewall rules to be executed by rc.conf
# The actual part will be defined as
# firewall_type="/scripts/myfw1" #my defined firewall
# Lets start
# Referred by # I will start by stating the examples so that we can
# get on the internet
# add 1000 allow tcp from any to 172.16.0.5 25 (just this port)
# add 1100 allow tcp from any to 172.16.0.4 21,22,23 (all these ports)
# add 1200 allow tcp from any to 172.16.0.5 1021-1023 (this range of ports)
# add 1300 deny udp from any to 192.168.0.5 1024:8 (deny these ports to this host)
#To allow incoming requests to my Samba Server
# do
# Note: ipfw masks the host bits of an address/mask spec, so 192.168.0.22/24 matches
# every host in 192.168.0.0/24, not only .22. Use a bare address (or /32) for one host.
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1200 allow udp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1300 allow tcp from 192.168.0.10/24 to 192.168.1.1/24 80
ipfw add 1400 allow udp from 192.168.1.10/24 to 192.168.1.1/24 80
ipfw add 1500 allow tcp from any to 192.168.1.88/24 22
ipfw add 1600 allow tcp from any to 192.168.0.1/24 22
ipfw add 1700 allow tcp from 192.168.0.1/24 to any 1-65525
ipfw add 1800 allow udp from 192.168.0.1/24 to any 1-65525
ipfw add 1900 allow tcp from 192.168.0.10/24 to any 1-65525
ipfw add 2000 allow udp from 192.168.0.10/24 to any 1-65525
ipfw add 2100 allow tcp from 192.168.0.12/24 to any 1-65525
ipfw add 2200 allow udp from 192.168.0.12/24 to any 1-65525
ipfw add 2300 allow tcp from 192.168.0.13/24 to any 1-65525
ipfw add 2400 allow udp from 192.168.0.13/24 to any 1-65525
ipfw add 2500 allow tcp from 192.168.0.14/24 to any 1-65525
ipfw add 2600 allow udp from 192.168.0.14/24 to any 1-65525
ipfw add 2700 allow tcp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2800 allow udp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2900 allow tcp from 192.168.1.88/24 to any 1-65525
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-65525
ipfw add 3100 allow tcp from 192.168.1.88/24 to 192.168.1.1/24 1-65525
ipfw add 3200 allow udp from 192.168.1.88/24 to 192.168.1.1/24 1-65525
Once the command ipfw list, ipfw -a, or ipfw show is launched (after running kldload ipfw),
I get a list of the rules I'm trying to implement.
I just can't ping anywhere outside of that FreeBSD box acting as my gateway.
Please help with some pointers.
Thanks
This is a copy of my previous post. Before I came back here to view my first response, I had resolved the pinging problem somehow. I am able to use my FreeBSD router as a router and a gateway. I can enable ipfw with the list described above and can ping out, view any web site, send and receive email, etc.
Here is an outline of my LAN. My DSL modem connects to the WAN port of my Linksys router.
The LAN IP address of the router is on 192.168.1.0.
That Linksys router connects to and shares a 24-port 3Com switch with the FreeBSD router and all of my other computers on my LAN, with a LAN IP address of 192.168.0.0. All computers except one workstation belong to the 192.168.0.0 subnet. The computers on this LAN are mostly servers: one Samba server, several NFS servers, and an FTP server (which I'm not forwarding). All servers work properly behind the firewalls. Before the FreeBSD router I was able to access the Samba server remotely, after forwarding the ports or using the DMZ host option to the Samba server in the Linksys router.
Now with the FreeBSD router, I am attempting to forward the same ports on the FreeBSD using ipfw and then forwarding the FreeBSD router to the DMZ host option in the Linksys router, so that my Samba server is accessible through the DMZ of the Linksys router, through the ipfw "forwarding" function of the FreeBSD router. I nmapped several times my internal IP addresses on both interfaces of the FreeBSD router, and I nmapped my Linksys router's internal and external IP addresses, and with all nmap results I can see only the same ports open that are running local to the FreeBSD router, meaning that if I have pptpd and ssh (which I really do have running) I only see those ports opened.
I tested this configuration more practically: I went on and ssh'ed into my FreeBSD router using the WAN or external IP address, as well as the ones behind both NATs (Linksys and FreeBSD routers), and secure shell worked smoothly in both cases. So I am confident that my configuration works.
"ipfw list" displays all of my rules, I can browse the internet behind both subnets in my LAN.
Here is the big question.
Does nmap or a port scanner see ports that are open regardless of what type of firewall is being used?
My answer would be yes.
What's your answer?
Is there any other way to tell what ports are open when using ipfw?
Or let's say, how does one determine that ipfw is forwarding?
I can tell on the Linksys router what's open when I forward, just by running a port scan.
Do I have to comment out the wrappers in inetd.conf?
I tried that and found it useless, because that machine is not running Samba; a whole separate one is.
At first that idea sounded promising, but then again that was desperate thinking.
What do I do? (The smartest question here.)
Please help, I'll send you a "ROOT-BEER".
Thanks
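A small checker, added here as an example and not part of the post above, that parses rules in the simple "ipfw add N allow proto from A to B ports" form used in /scripts/myfw1 and flags two things visible in that ruleset: host/24 address specs, which ipfw treats as the whole network (so rule 1000 admits ports 137 and 139 from anywhere to every host in 192.168.0.0/24, not just the Samba server), and "everything" port ranges that stop short of 65535. The sample rules are copied from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: four rules copied from the ruleset posted above.
SAMPLE_RULES = """\
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1500 allow tcp from any to 192.168.1.88/24 22
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-6525
"""

# Matches only the simple "ipfw add N action proto from A to B [ports]" form used above.
RULE_RE = re.compile(r"^ipfw add (?P<num>\d+) (?P<action>allow|deny) (?P<proto>\w+) "
                     r"from (?P<src>\S+) to (?P<dst>\S+)(?: (?P<ports>[\d,-]+))?$")

def address_finding(addr: str):
    """Flag 'host/24' specs: ipfw masks the host bits away and matches the whole network."""
    if addr == "any" or "/" not in addr:
        return None
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return f"{addr} is not a valid address/mask"
    if ipaddress.ip_address(addr.split("/")[0]) == net.network_address:
        return None   # host bits are zero, so the spec already names the network
    return f"{addr} has host bits set: ipfw matches all of {net}, not one host"

def port_findings(ports):
    """Flag port specs that are out of range, or 'everything' ranges that stop short."""
    out = []
    for item in filter(None, (ports or "").split(",")):
        lo, _, hi = item.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            out.append(f"port spec {item} is out of range or reversed")
        elif lo_n == 1 and hi and hi_n != 65535:
            out.append(f"range {item} stops short: ports {hi_n + 1}-65535 are not covered")
    return out

def lint_rules(text: str):
    """Return (rule number, finding) pairs for every parsable rule in an ipfw script."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue   # comments, or a rule form this checker does not parse
        num = int(m["num"])
        findings += [(num, f) for a in (m["src"], m["dst"]) if (f := address_finding(a))]
        findings += [(num, f) for f in port_findings(m["ports"])]
    return findings
```

Running lint_rules(SAMPLE_RULES) reports six findings; feeding it the full script instead of the sample lists every rule whose /24 spec is wider than the single host the comment next to it names.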