
FeeBSD Firewall ipfw with new KERNEL Please Help NOT Forwarding Ports


xazax

Technical User
Mar 26, 2002
This is my firewall configuration on FreeBSD 4.4 below.
cat /etc/rc.conf:

# -- sysinstall generated deltas -- # Mon May 20 04:07:50 2002
# Created: Mon May 20 04:07:50 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="ZuanTiz.pacbell.net"
ifconfig_ep0="inet 192.168.1.88 netmask 255.255.255.0"
ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="NO"
sendmail_enable="NO"
sshd_enable="YES"
natd_enable="YES"

#FreeBSD Manual pp505 example on firewalls
#firewall_enable="YES" #Set to YES to enable firewall functionality #1) killed nfs
#firewall_type="simple" # Firewall type (see /etc/rc.firewall) #1) killed nfs
#firewall_enable="YES" #2) killed nfs
gateway_enable="YES" #pp412 Set to yes if this host will be a gateway
firewall_type="/scripts/myfw1" #2)
#I've tried "open" "client" "simple"
natd_enable="YES" #pp597 Enable natd (if firewall_enable == YES)
natd_interface="ep1" #remind me to change it back to ep0
#ep0 192.168.1.88
#ep1 192.168.0.1
#pp 507 Public interface or IPaddress to



As you can see from some of the comments I can not mount my nfs share to this host while the firewall is enabled.


Here are my rules as called by firewall_type="/scripts/myfw1"

cat /scripts/myfw1:

#Forwarding IP
# My firewall rules to be executed by rc.conf
# The actual part will be defined as
# firewall_type="/scripts/myfw1" #my defined firewall
# Lets start
# Referred by # I will start by stating the examples so that we can
# get on the internet
# add 1000 allow tcp from any to 172.16.0.5 25 (just this port)
# add 1100 allow tcp from any to 172.16.0.4 21,22,23 (all these ports)
# add 1200 allow tcp from any to 172.16.0.5 1021-1023 (this range of ports)
# add 1300 deny udp from any to 192.168.0.5 1024:8 (deny these ports to this host)

#To allow incoming requests to my Samba Server
# do
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1200 allow udp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1300 allow tcp from 192.168.0.10/24 to 192.168.1.1/24 80
ipfw add 1400 allow udp from 192.168.1.10/24 to 192.168.1.1/24 80
ipfw add 1500 allow tcp from any to 192.168.1.88/24 22
ipfw add 1600 allow tcp from any to 192.168.0.1/24 22
ipfw add 1700 allow tcp from 192.168.0.1/24 to any 1-65525
ipfw add 1800 allow udp from 192.168.0.1/24 to any 1-65525
ipfw add 1900 allow tcp from 192.168.0.10/24 to any 1-65525
ipfw add 2000 allow udp from 192.168.0.10/24 to any 1-65525
ipfw add 2100 allow tcp from 192.168.0.12/24 to any 1-65525
ipfw add 2200 allow udp from 192.168.0.12/24 to any 1-65528
ipfw add 2300 allow tcp from 192.168.0.13/24 to any 1-65525
ipfw add 2400 allow udp from 192.168.0.13/24 to any 1-65525
ipfw add 2500 allow tcp from 192.168.0.14/24 to any 1-65525
ipfw add 2600 allow udp from 192.168.0.14/24 to any 1-65525
ipfw add 2700 allow tcp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2800 allow udp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2900 allow tcp from 192.168.1.88/24 to any 1-65525
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-6525
ipfw add 3100 allow tcp from 192.168.1.88/24 to 192.168.1.1/24 1-65525
ipfw add 3200 allow udp from 192.168.1.88/24 to 192.168.1.1/24 1-65525

Once the command ipfw list, ipfw -a, or ipfw show is launched (after running kldload ipfw), then I get a list of the rules I'm trying to implement.
I just can't ping anywhere outside of that FreeBSD box acting as my gateway.
Please help with some pointers.

I posted this before but this one is updated and I successfully recompiled my kernel with
the options:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=10
based on internet and book documentation.
I did find some documentation that had an additional option
for:
options IPDIVERT
which the kernel shows when booting up anyway; I will recompile the kernel with that option if all else fails.
Just to add, I do have experience forwarding ports with my Linksys router. The Linksys router has very simple fields that anyone can figure out.
The ipfw rules should do the same thing, but what I don't get is why I cannot see the ports that I want to forward when I run nmap or SuperScan, which are port scanners and have always been reliable. The only port those scanners show is 22 for ssh.
ssh is on the FreeBSD router. All of my other servers are on separate computers. I want to map those ports to my servers hosting Samba and HTTP.
Please Help
xazax
 
This site covers recompiling your kernel to activate ipfw.

Ipfw is working, the problem that I am having is mapping the ports to the proper computers on the network so that they can have access to the internet.

I had just tried something to test that internally.

I added a static route on my linksys router which is connected to the wan on a pppoe server.

I divided my network into two subnets.
subnet 1 -> 192.168.1.0
subnet 2 -> 192.168.0.0

I have a windows98 machine connected to subnet 1. My samba server is connected to subnet2. My bsd box's primary network interface's ip is 192.168.1.2, and my secondary bsd box's ip is 192.168.0.1.

I can not only ping from one subnet to the other, but I can map the samba server as a network drive from the windows98 machine.

I know that my FreeBSD firewall is allowing those packets to pass from one subnet to the other. The only problem is that I cannot access Samba, HTTP, or FTP from the WAN. If I specify a third static route using the WAN IP, it still fails.

I don't think I can find help here on this topic, especially if I keep getting referred to and
The problem is on my network and not on a website. I hate to say that I can find myself helping people; at least give them
a point of reference to think and not just read section A, B, and C.

As Unix people we are all (or should be) thinkers, and not just manual readers. There are cases like this one that some of us are not advanced enough to figure out on our own, but willing to go the extra ten miles to get things working.

I am not lazy, or want people to teach me how to read or think. I've set up at least 98% of my network by myself by only reading one or two lines of manual pages, web sites if any.

I know several readers know the solution but have an attitude problem, thinking that I am just another lame wannabe Unix user. Maybe I'm a wannabe master, but I am far beyond a lame user. I know Unix/Linux far better than many people in my city, and probably the surrounding cities.

That doesn't mean I have to be a snob and hide my secrets from people. I help if I think I know something, and usually find a good lead to solving a problem.

I would appreciate the same in return for my good samaritan, courteous personality; otherwise the hell with you, 'cause I'm pissed at many sarcastic, subcultured, elitist readers who get on this site but ignore, are sarcastic, or link me some website that I already read before posting for help here.

Thanx for your help if you are a cool person.
 
Is the firewall by any chance performing NAT/PAT? If so, you will need to set up natd (or ipnat) accordingly, to allow the packets to be translated from a 'public' IP address to a 'private' IP address. You might want to consider reading the natd(8) manpage.
 
Thanks,

Yes, it is running natd fine.

That part works good.

It's just that when I run a port scan or try to run services through there, they appear as closed.

If you look at the very top of this post, you'll see my rc.conf file and see that natd is enabled along with other configs.

I do appreciate your question; it's far better than what I've had over 2 or 3 months since I posted this.

I'll check the natd(8) man page.

I doubt that I'll find anything regarding ipfw, but I'll check it if you think it will help.
 
Hi there,

Are you forwarding the packets through natd first?

You should have a rule similar to this ...

ipfw add 99 divert natd all from any to any via rl1

(where rl1 is external facing interface)

... near the start of the firewall rules. This will divert stuff through natd FIRST (for port forwarding), then packets are passed to the firewall.

[afro] "Always know what you say, but don't always say what you know!"
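The ordering point in this reply, and the address slips in the ruleset at the top of the thread, can be checked mechanically before a ruleset is loaded. The script below is an added example, not code from this thread or from FreeBSD: it parses the simple `add N action proto from A [ports] to B [ports] [via ifN]` form used in the thread (not the full ipfw grammar), flags addresses that are not valid CIDR blocks, warns when a `/24` is attached to a host address (ipfw masks the address, so `192.168.0.22/24` matches the whole `192.168.0.0/24`, not one host), and reports when no `divert natd` rule exists or when an allow rule is numbered ahead of it. The sample rule lines are constructed from the thread's ruleset, with a divert rule on a hypothetical external interface `ep0` placed too late.

```python
"""Lint an ipfw ruleset for the slips discussed in this thread (added example)."""
import ipaddress
import re

# Constructed sample (not the poster's file): a few of the thread's rules with
# their slips kept, plus a divert rule numbered after the allows instead of before.
SAMPLE_RULES = """\
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168/24.0.33 2049,111
ipfw add 1800 allow udp from 192.168.0.1/24 to any 1-65525
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-6525
ipfw add 3300 divert natd all from any to any via ep0
"""

# Constructed ruleset with the divert first and proper host/network addresses.
GOOD_RULES = """\
ipfw add 100 divert natd all from any to any via ep0
ipfw add 1000 allow tcp from any to 192.168.0.22 137,139
ipfw add 1100 allow tcp from 192.168.0.0/24 to 192.168.0.33 2049,111
"""

# Only the simple rule shape used in the thread; 'arg' is natd or a divert port.
RULE_RE = re.compile(
    r"^(?:ipfw\s+)?add\s+(?P<num>\d+)\s+(?P<action>allow|pass|deny|drop|divert)"
    r"(?:\s+(?P<arg>natd|\d+))?\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,:-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,:-]+))?"
    r"(?:\s+via\s+(?P<via>\w+))?\s*$"
)
# A port item: single port, low-high range, or the old port:mask form.
PORT_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+)|:(\d+))?$")


def check_addr(field, value):
    """Return a finding for a malformed or misleading address, else None."""
    if value in ("any", "me"):
        return None
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"{field} {value!r} is not a valid address or CIDR block"
    if "/" in value:
        host = ipaddress.ip_address(value.split("/", 1)[0])
        if host != net.network_address:
            return (f"{field} {value!r} has host bits set; ipfw masks it and "
                    f"matches all of {net.with_prefixlen}, not only {host}")
    return None


def check_ports(field, value):
    """Return findings for each malformed or out-of-range port item."""
    findings = []
    for item in value.split(","):
        m = PORT_ITEM_RE.match(item)
        if not m:
            findings.append(f"{field} port spec {item!r} is malformed")
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            findings.append(f"{field} port spec {item!r} is outside 1-65535")
    return findings


def lint_ruleset(text):
    """Parse ipfw 'add' lines and return a list of human-readable findings."""
    findings = []
    first_divert = None
    first_allow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            findings.append(f"cannot parse: {line}")
            continue
        num = int(m["num"])
        if m["action"] == "divert":
            first_divert = num if first_divert is None else min(first_divert, num)
        if m["action"] in ("allow", "pass"):
            first_allow = num if first_allow is None else min(first_allow, num)
        for field in ("src", "dst"):
            problem = check_addr(field, m[field])
            if problem:
                findings.append(f"rule {num}: {problem}")
        for field in ("sport", "dport"):
            if m[field]:
                findings.extend(f"rule {num}: {p}" for p in check_ports(field, m[field]))
    # ipfw evaluates rules in ascending number order, so a matching allow that
    # precedes the divert accepts the packet before natd ever sees it.
    if first_divert is None:
        findings.append("no 'divert natd' rule: packets never reach natd, so "
                        "inbound port forwarding cannot work")
    elif first_allow is not None and first_allow < first_divert:
        findings.append(f"rule {first_allow} allows traffic before divert rule "
                        f"{first_divert}; move the divert near the start")
    return findings


if __name__ == "__main__":
    for finding in lint_ruleset(SAMPLE_RULES):
        print(finding)
```

Run against the sample, the linter reports the `192.168/24.0.33` slip, every `/24` hung on a host address, and the divert rule sitting behind rule 1000; the corrected ruleset produces no findings. Keeping the divert rule first is the same advice as in the reply above, checked instead of remembered.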
 