This is my firewall configuration on FreeBSD 4.4 below.
cat /etc/rc.conf:
# -- sysinstall generated deltas -- # Mon May 20 04:07:50 2002
# Created: Mon May 20 04:07:50 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="ZuanTiz.pacbell.net"
ifconfig_ep0="inet 192.168.1.88 netmask 255.255.255.0"
ifconfig_ep1="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="NO"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="NO"
sendmail_enable="NO"
sshd_enable="YES"
natd_enable="YES"
#FreeBSD Manual pp505 example on firewalls
#firewall_enable="YES" #Set to YES to enable firewall functionality #1) killed nfs
#firewall_type="simple" # Firewall type (see /etc/rc.firewall) #1) killed nfs
#firewall_enable="YES" #2) killed nfs
gateway_enable="YES" #pp412 Set to yes if this host will be a gateway
firewall_type="/scripts/myfw1" #2)
#I've tried "open" "client" "simple"
natd_enable="YES" #pp597 Enable natd (if firewall_enable == YES)
natd_interface="ep1" #remind me to change it back to ep0
#ep0 192.168.1.88
#ep1 192.168.0.1
#pp 507 Public interface or IPaddress to
As you can see from some of the comments, I cannot mount my NFS share to this host while the firewall is enabled.
Here are my rules, as called by firewall_type="/scripts/myfw1":
cat /scripts/myfw1:
#Forwarding IP
# My firewall rules to be executed by rc.conf
# The actual part will be defined as
# firewall_type="/scripts/myfw1" #my defined firewall
# Lets start
# Referred by # I will start by stating the examples so that we can
# get on the internet
# add 1000 allow tcp from any to 172.16.0.5 25 (just this port)
# add 1100 allow tcp from any to 172.16.0.4 21,22,23 (all these ports)
# add 1200 allow tcp from any to 172.16.0.5 1021-1023 (this range of ports)
# add 1300 deny udp from any to 192.168.0.5 1024:8 (deny these ports to this host)
#To allow incoming requests to my Samba Server
# do
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168/24.0.33 2049,111
ipfw add 1200 allow udp from 192.168.0.1/24 to 192.168.0.33/24 2049,111
ipfw add 1300 allow tcp from 192.168.0.10/24 to 192.168.1.1/24 80
ipfw add 1400 allow udp from 192.168.1.10/24 to 192.168.1.1/24 80
ipfw add 1500 allow tcp from any to 192.168.1.88/24 22
ipfw add 1600 allow tcp from any to 192.168.0.1/24 22
ipfw add 1700 allow tcp from 192.168.0.1/24 to any 1-65525
ipfw add 1800 allow udp from 192.168.0.1/24 to any 1-65525
ipfw add 1900 allow tcp from 192.168.0.10/24 to any 1-65525
ipfw add 2000 allow udp from 192.168.0.10/24 to any 1-65525
ipfw add 2100 allow tcp from 192.168.0.12/24 to any 1-65525
ipfw add 2200 allow udp from 192.168.0.12/24 to any 1-65528
ipfw add 2300 allow tcp from 192.168.0.13/24 to any 1-65525
ipfw add 2400 allow udp from 192.168.0.13/24 to any 1-65525
ipfw add 2500 allow tcp from 192.168.0.14/24 to any 1-65525
ipfw add 2600 allow udp from 192.168.0.14/24 to any 1-65525
ipfw add 2700 allow tcp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2800 allow udp from 192.168.0.1/24 to 192.168.1.1/24 1-65525
ipfw add 2900 allow tcp from 192.168.1.88/24 to any 1-65525
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-6525
ipfw add 3100 allow tcp from 192.168.1.88/24 to 192.168.1.1/24 1-65525
ipfw add 3200 allow udp from 192.168.1.88/24 to 192.168.1/24.1-65525
Once the command ipfw list, ipfw -a or ipfw show is launched (after running kldload ipfw), I get a list of the rules I'm trying to implement.
I just can't ping anywhere outside of that FreeBSD box acting as my gateway.
Please help with some pointers.
I posted this before but this one is updated and I successfully recompiled my kernel with
the options:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=10
based on internet and book documentation.
I did find some documentation that had an additional option
for:
options IPDIVERT
which the kernel shows when booting up anyway. I will recompile the kernel with that option if all else fails.
Just to add, I do have experience forwarding ports with my Linksys router. The Linksys router has very simple fields that anyone can figure out.
The ipfw rules should do the same thing, but what I don't get is why I cannot see the ports that I want to forward when I run nmap or SuperScan, which are port scanners and have always been reliable. The only port those scanners show is 22 for SSH.
SSH is on the FreeBSD router. All of my other servers are on separate computers. I want to map those ports to my servers hosting Samba and HTTP.
Please help.
xazax
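An added lint pass over four of the rules exactly as posted (my own example, not the poster's script; it needs only the Python standard library and assumes the rule shape used throughout the post): it flags addresses ipfw cannot parse, host addresses written with /24 so the rule covers the whole subnet rather than one host, and port ranges that stop short of 65535.

```python
import ipaddress
import re

# Rule lines copied from the post above (four of the poster's /scripts/myfw1 rules).
RULES = """\
ipfw add 1000 allow tcp from any to 192.168.0.22/24 137,139
ipfw add 1100 allow tcp from 192.168.0.1/24 to 192.168/24.0.33 2049,111
ipfw add 3000 allow udp from 192.168.1.88/24 to any 1-6525
ipfw add 3200 allow udp from 192.168.1.88/24 to 192.168.1/24.1-65525
"""
RULE_RE = re.compile(r"^ipfw add (\d+) (\w+) (\w+) from (\S+) to (\S+)(?: (\S+))?$")

def check_addr(tok):
    """Findings for one address token: unparsable, or a /24 that silently widens a host."""
    if tok == "any":
        return []
    try:
        net = ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return [f"unparsable address {tok!r}"]
    if "/" in tok and ipaddress.ip_address(tok.split("/")[0]) != net.network_address:
        return [f"{tok} has host bits under the mask: it matches all of {net}, not one host"]
    return []

def check_ports(tok):
    """Findings for a port list: non-numeric, outside 1-65535, or a range that stops short."""
    out = []
    for part in tok.split(","):
        lo, sep, hi = part.partition("-")
        hi = hi if sep else lo
        if not (lo.isdigit() and hi.isdigit()):
            out.append(f"non-numeric port spec {part!r}")
        elif not 1 <= int(lo) <= int(hi) <= 65535:
            out.append(f"port spec {part!r} outside 1-65535")
        elif sep and int(lo) == 1 and int(hi) != 65535:
            out.append(f"range {part!r} stops short of 65535 (typo for 1-65535?)")
    return out

def lint(text):
    """Return [(rule number, finding)] for lines shaped 'ipfw add N ACTION PROTO from SRC to DST [PORTS]'."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            findings.append((0, f"could not parse {line.strip()!r}"))
            continue
        num, _action, _proto, src, dst, ports = m.groups()
        problems = check_addr(src) + check_addr(dst) + (check_ports(ports) if ports else [])
        findings.extend((int(num), p) for p in problems)
    return findings
```

Run `lint(RULES)` to see every rule above that ipfw would either reject outright or apply far more broadly than the comment next to it suggests.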