Subject: getting the firewall working
To: None <netbsd-help@netbsd.org>
From: Sam Carleton <sam@linux-info.net>
List: netbsd-help
Date: 12/24/2002 20:12:29
Folks,

I posted earlier asking about getting routing working, but it
turned out to be a problem with my firewall.  I am anything
but an expert on configuring firewalls.  Now I am completely
stumped; I am hoping that someone can help me out a bit...

I added a third NIC to my firewall yesterday.  The objective
is to have one server network (172.16.0.0/24 on ex1) for my
web/mail/ftp server and then have a private network
(192.168.0.1/24 on ex0) for my clients.  

As the firewall stands now both networks are able to get to
the Internet and it looks like the Internet can get to the
Server network.  The Server network is able to ping a machine
on the private network.  But the private network is not able
to ping the Server network.  

* The big issue I am dealing with is the inability for the
* private network (ex0) to get to the server network (ex1).

But while I have your ear, or in this case eyes and brain, I
thought I might get help with my next step in configuring the
firewall:

The Server network (ex1) has zero need to initiate a
connection with the Internet other than to relay mail to my
ISP's mail server.  Ideally I would like to prevent ANYTHING
from getting out of the Server network (ex1) other than SMTP
to the ISP's server.

Below are both my ipnat.conf and my ipf.conf.  As it stands now
it is allowing all traffic to flow from the server network
(ex1) to the private network (ex0).

Can some kind soul enlighten me as to why the private network
(ex0) is not able to ping the server (the firewall can ping
the server, though), and also educate me as to the best way
to lock down the server network?

Thanks a million!!!
Sam

  --------------------ipnat.conf-------------------------
rdr ex0 0/0 port 80 -> 192.168.0.1 port 3128 tcp

map iy0 0/0 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40001:60000
map iy0 192.168.0.1/24 -> 0/32

map iy0 172.16.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 172.16.0.1/24 -> 0/32 portmap tcp/udp 20000:40000
map iy0 172.16.0.1/24 -> 0/32

rdr iy0 0/0 port 21  -> 172.16.0.2 port 21
rdr iy0 0/0 port 22  -> 172.16.0.2 port 22
rdr iy0 0/0 port 25  -> 172.16.0.2 port 25
rdr iy0 0/0 port 80  -> 172.16.0.2 port 80 tcp
  --------------------ipf.conf---------------------------
  pass in quick on lo0
  block in on iy0 all head 1

  block in quick on iy0 from 0.0.0.0/7 to any group 1
  block in quick on iy0 from 2.0.0.0/8 to any group 1
  block in quick on iy0 from 5.0.0.0/8 to any group 1
  block in quick on iy0 from 10.0.0.0/8 to any group 1
  block in quick on iy0 from 23.0.0.0/8 to any group 1
  block in quick on iy0 from 27.0.0.0/8 to any group 1
  block in quick on iy0 from 31.0.0.0/8 to any group 1
  block in quick on iy0 from 69.0.0.0/8 to any group 1
  block in quick on iy0 from 70.0.0.0/7 to any group 1
  block in quick on iy0 from 72.0.0.0/5 to any group 1
  block in quick on iy0 from 82.0.0.0/7 to any group 1
  block in quick on iy0 from 84.0.0.0/6 to any group 1
  block in quick on iy0 from 88.0.0.0/5 to any group 1
  block in quick on iy0 from 96.0.0.0/3 to any group 1
  block in quick on iy0 from 127.0.0.0/8 to any group 1
  block in quick on iy0 from 128.0.0.0/16 to any group 1
  block in quick on iy0 from 128.66.0.0/16 to any group 1
  block in quick on iy0 from 169.254.0.0/16 to any group 1
  block in quick on iy0 from 172.16.0.0/12 to any group 1
  block in quick on iy0 from 191.255.0.0/16 to any group 1
  block in quick on iy0 from 192.0.0.0/16 to any group 1
  block in quick on iy0 from 192.168.0.0/16 to any group 1
  block in quick on iy0 from 197.0.0.0/8 to any group 1
  block in quick on iy0 from 201.0.0.0/8 to any group 1
  block in quick on iy0 from 204.152.64.0/23 to any group 1
  block in quick on iy0 from 224.0.0.0/3 to any group 1

# allow everything to keep coming or going if it has already started
  pass out quick on iy0 proto tcp/udp from 0/0 to any keep state group 1
  pass out quick on iy0 proto icmp from 0/0 to any keep state group 1

# allow DHCP to come into the system when there is no IP address
  pass in  quick on iy0 proto tcp/udp from any port = 67 to 255.255.255.255 port = 68 keep state group 1
  pass out quick on iy0 proto tcp/udp from any port = 68 to 255.255.255.255 port = 67 keep state group 1

# allow everything out of ex0
  pass in on ex0 all head 10
  pass in on ex1 all

# block all traffic to AOL IM Login server
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.161.185/32
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.161.153/32

# Block all traffic to AOL Servers, one of these will cut off AIM
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.24.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.25.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.26.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.27.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.28.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.29.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.3.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.4.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.5.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.6.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.7.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.8.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.9.0/24
  block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.10.0/24

# allow all traffic on internal NIC
  pass out quick on ex0 
  pass out quick on ex1

## allow the services to come into sunflower
  pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 21 flags S keep state group 1
  pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 22 flags S keep state group 1
  pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 25 flags S keep state group 1
  pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 80 flags S keep state group 1
  pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port 26000 >< 32000 flags S keep state group 1

# Allow ident to come in for things like IRC
  pass in quick on iy0 proto tcp from any to any port = 113 group 1

# allow in any traffic coming to this machine because
# there is a block a little farther down stopping all
# other 192.168.0.0/16 packets
  pass in quick on ex0 from any to 192.168.0.1/32 group 10
  pass in quick on ex0 from any to 172.16.0.0/24 group 10

  block return-icmp(0) in quick on ex0 from any to 0.0.0.0/7 group 10
  block return-icmp(0) in quick on ex0 from any to 2.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 5.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 10.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 23.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 27.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 31.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 69.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 70.0.0.0/7 group 10
  block return-icmp(0) in quick on ex0 from any to 72.0.0.0/5 group 10
  block return-icmp(0) in quick on ex0 from any to 82.0.0.0/7 group 10
  block return-icmp(0) in quick on ex0 from any to 84.0.0.0/6 group 10
  block return-icmp(0) in quick on ex0 from any to 88.0.0.0/5 group 10
  block return-icmp(0) in quick on ex0 from any to 96.0.0.0/3 group 10
  block return-icmp(0) in quick on ex0 from any to 127.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 128.0.0.0/16 group 10
  block return-icmp(0) in quick on ex0 from any to 128.66.0.0/16 group 10
  block return-icmp(0) in quick on ex0 from any to 169.254.0.0/16 group 10
# block return-icmp(0) in quick on ex0 from any to 172.16.0.0/12 group 10
  block return-icmp(0) in quick on ex0 from any to 191.255.0.0/16 group 10
  block return-icmp(0) in quick on ex0 from any to 192.0.0.0/16 group 10
  block return-icmp(0) in quick on ex0 from any to 192.168.0.0/16 group 10
  block return-icmp(0) in quick on ex0 from any to 197.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 201.0.0.0/8 group 10
  block return-icmp(0) in quick on ex0 from any to 204.152.64.0/23 group 10
  block return-icmp(0) in quick on ex0 from any to 224.0.0.0/3 group 10

# Allow everything else in from the internal network
  pass in quick on ex0 
  pass in quick on ex1
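The lock-down the poster asks about, written as an added IPFilter fragment (not the poster's own config, and not a diagnosis of the ping problem): the blanket "pass in on ex1 all" is replaced by a default deny on ex1 with a single explicit allow for SMTP to the ISP relay, and the private-network rules are made stateful so that replies from the servers are matched by the state table rather than by the block rule. The relay address 203.0.113.25 is a placeholder from the documentation range, and the interface names and subnets are taken from the post; "log" and "icmp-type" are standard ipf.conf keywords.

```conf
# --- Server network (ex1): default deny, explicit allow -------------
# ipf evaluates rules in order; without "quick" the LAST match decides,
# so the catch-all block goes first and the "quick" passes after it
# stop evaluation as soon as an allowed flow matches.

# Anything the servers originate that is not listed below is dropped
# and logged (visible with ipmon) instead of being passed wholesale by
# "pass in on ex1 all".  Replies to the rdr'd services (21/22/25/80) are
# already covered by "keep state" on the iy0 pass rules and never reach
# this rule.
block in log on ex1 all

# The only new outbound flow the servers may start: SMTP to the ISP's
# mail relay.  203.0.113.25 is a PLACEHOLDER; substitute the real relay.
pass in quick on ex1 proto tcp from 172.16.0.0/24 to 203.0.113.25/32 port = 25 flags S keep state

# --- Private network (ex0): clients may reach the servers -----------
# Stateful passes: the server's reply comes back in on ex1 and is
# matched against the state table before the block rule above is
# consulted, so the clients' pings and connections complete.
pass in quick on ex0 proto tcp  from 192.168.0.0/24 to 172.16.0.0/24 flags S keep state
pass in quick on ex0 proto udp  from 192.168.0.0/24 to 172.16.0.0/24 keep state
pass in quick on ex0 proto icmp from 192.168.0.0/24 to 172.16.0.0/24 icmp-type echo keep state

# Forwarded packets also traverse the outbound side of each interface;
# these mirror the "pass out quick" rules already in the poster's file.
pass out quick on ex1 all
pass out quick on ex0 all
```

Two caveats for anyone applying this: if the ISP relay is configured by host name rather than address, the mail server also needs a pass rule for DNS to its resolver, and if the FTP server is used in active mode its data connections originate from the server and would be dropped by the default deny (the 26000-32000 range already passed in on iy0 suggests passive mode, which stays covered). Putting "log" on the block rule is what makes either omission show up in ipmon rather than as a silent failure.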