Re: Conceptual ipfw question under FreeBSD 5.2.1

From: Henri Hennebert (hlh_at_cocoon.cercle.be)
Date: 05/16/04


Date: Sun, 16 May 2004 12:21:18 +0200

Neil Bradley wrote:
> I've had one of my techs install a FreeBSD 5.2.1 box (happens to be 8000
> miles away from me ;-) ). We've got everything set up and configured, but
> I'm still working through the firewalling issues. Each time I try to set up
> firewall rules, I wind up getting a network hang remotely (sendto:
> permission problems on the router's end), which means I botched the

The default rule is `deny ip from any to any'.

So when you run the firewall script, after `ipfw flush' the default rule
cuts your remote connection... and the script is aborted, so the
following rules are not applied and your server is locked.

One solution is:

# batch
sh /etc/rc.firewall
^D

and wait... and check with `ipfw show'

> rc.firewall script. It's starting to get really old, so at this point
> there's something I'm not getting and am hoping someone can shed some light
> on the higher level concepts of ipfw. I had this system set up and working
> once before (dead hard drives and they were RAID 1 and I have no other
> backup) in much the same configuration:
>
> fxp0: Intranet (private network)
> fxp1: Internet (connected to DSL bridge)
> tun0: Link brought up by the PPPoE activation
> * We are running NAT (hence the 10.0.0.x private network) via
> "ppp -ddial -nat adsl"
>
> The goals are as follows:
>
> * I want traffic allowed to and from fxp1 to the internet (all ports, all
> protocols, everything)

fxp1 doesn't even need to have an IP address for PPPoE; you must think of
tun0 as your connection to the internet.

allow ip from any to any via tun0

... you are really open!!!

> * I want traffic on the intranet (fxp0) to be able to go the router itself
> (all ports, all protocols, everything)

If you have natd_enable="YES" you must divert (options IPDIVERT in the kernel
config is mandatory) your traffic through the NAT daemon (natd):

add divert natd all from any to any recv tun0

> * I want *SOME* specific IP addresses to be able to get to the internet via
> the fxp1 interface

add divert natd all from 10.0.0.x to any xmit tun0
add divert natd all from 10.0.0.y to any xmit tun0

(I never tested this one...)
>
> My ifconfig looks like this (hackers, don't bother trying the IP addresses -
> they're floating and no services other than sshd are running currently):
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:90:27:28:80:72
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> ether 00:90:27:28:80:58
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> inet 61.149.104.77 --> 61.149.104.1 netmask 0xffffffff
> Opened by PID 3212
>
> So a few questions:
>
> * If I run with the -nat option on ppp, the routing between the interfaces
> works as expected (with no firewall, of course). If I attempt to run natd
> via natd_enable in rc.conf and just ppp without the -nat option, I can't get
> packets from the fxp0 interface to the internet, but I can get to the
> internet via the console of the machine. Which is the right way to do it -
> with the -nat option on the ppp command line or via natd_enable?

divert natd must solve this issue.

>
> * When considering firewalling, do I specifically need to do a global
> allow/deny on any particular interface? e.g. From tun0 -> everywhere and
> everywhere ->tun0? Do I set rules based on IP or interfaces? It does sound

Interface seems good to me.

> like it'd be a bit of both. I want the whole universe to be able to access
> the machine from the intranet (fxp0), but only route packets to the internet
> (fxp1 or tun0?) for some IP addresses.
>
see above...

Henri

> I'm a bit at a loss as to how to set things up. fxp1 Doesn't appear to be in
> the operation, as the ppp link will pass everything around even if I don't
> assign it an IP address and netmask. I would've figured fxp1 would wind up
> with the IP address of what tun0 has, so I'm really, really confused.
>
> Does anyone have any idea how to go about what I'm trying to do, or perhaps
> know of a good ppp/natd/ipfw primer? Thanks in advance!
>
> -->Neil
>
>
>
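The pieces of Henri's answer assembled into one script, as an added example that is not code from the thread or from FreeBSD's own rc.firewall: it generates the rule set for the layout above (fxp0 = intranet, tun0 = PPPoE link, natd on tun0 via divert, only listed intranet hosts NATed out), loads it in one go, and arms a timed rollback so a mistake cannot lock the remote session out for good. It goes one step beyond Henri's rules by adding an explicit deny for intranet hosts that are not in the list, which is what gives Neil his "only some IPs can reach the internet" goal. Assumptions not in the thread: the host list, rule numbers, the pid file path and the rollback delay are illustrative; the kernel has IPFIREWALL and IPDIVERT; natd is started from rc.conf with natd_interface="tun0" and ppp runs without -nat.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and loads an ipfw rule set for
# fxp0 = intranet, tun0 = PPPoE link, natd via divert, with a timed rollback.
# Assumptions: NAT_HOSTS, rule numbers, PIDFILE and ROLLBACK_SECS are
# illustrative; kernel has IPFIREWALL + IPDIVERT; natd runs on tun0.

EXT_IF=tun0                      # the PPPoE link is the internet side, not fxp1
INT_IF=fxp0
INT_NET=10.0.0.0/24
NAT_HOSTS="10.0.0.10 10.0.0.11"  # constructed list of hosts allowed out
ROLLBACK_SECS=90
PIDFILE=/var/run/ipfw-rollback.pid

# Emit the rule set, one ipfw(8) command per line, in evaluation order:
# divert comes before any allow so both directions pass through natd.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 divert natd ip from any to any recv $EXT_IF
EOF
    # Outbound NAT only for the listed hosts (Henri's "xmit tun0" rules).
    # Packets they send are re-injected after the divert rule with the
    # public source address, so rule 400 below no longer matches them.
    n=300
    for h in $NAT_HOSTS; do
        echo "add $n divert natd ip from $h to any xmit $EXT_IF"
        n=$((n + 1))
    done
    # Unlisted intranet hosts keep their private source and are dropped here.
    # Rule 500 mirrors Henri's "allow ip from any to any via tun0": wide open
    # on the inbound side too, which is the point he warns about.
    cat <<EOF
add 400 deny ip from $INT_NET to any xmit $EXT_IF
add 500 allow ip from any to any via $EXT_IF
add 600 allow ip from any to any via $INT_IF
EOF
}

# Load the rule set. Between the flush and the first add the default
# "deny ip from any to any" applies, which is the hang Neil saw, so start
# this detached (batch(1), as Henri suggests) and with the rollback armed.
load_rules() {
    rules=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    build_rules > "$rules"
    # Safety net: unless cancelled in time, reopen the firewall completely.
    ( sleep "$ROLLBACK_SECS"
      ipfw -q -f flush
      ipfw -q add 65000 allow ip from any to any ) &
    echo $! > "$PIDFILE"
    ipfw -q -f flush
    ipfw -q "$rules"          # ipfw reads one command per line from the file
    rc=$?
    rm -f "$rules"
    ipfw show                 # Henri's check
    echo "rollback fires in ${ROLLBACK_SECS}s; run '$0 keep' if the session still works"
    return $rc
}

# Disarm the rollback once you have confirmed the session survived.
cancel_rollback() {
    [ -f "$PIDFILE" ] || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-print}" in
    print) build_rules ;;
    load)  load_rules ;;
    keep)  cancel_rollback ;;
    *)     echo "usage: $0 print|load|keep" >&2; exit 2 ;;
esac
```

Run `sh fw.sh print` first to eyeball the generated rules, then `sh fw.sh load` from inside `batch` so the load completes even if the session drops, and `sh fw.sh keep` from a fresh login to cancel the rollback. The rollback replaces the rule set with an allow-all, which is the opposite failure mode, so it is a recovery aid for a remote box, not a state to leave it in.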