Subject: Re: getting the firewall working
To: Sam Carleton <sam@linux-info.net>
From: None <netbsd@ns.purk.ee>
List: netbsd-help
Date: 12/25/2002 13:23:02
Hi
A good place to ask this kind of question is the ipfilter list ;-) You should subscribe!
Well.. I use this rule for my internal network.

pass out log quick on fxp1 proto icmp from 192.168.3.0/24 to any keep state

Greetings


Quoting Sam Carleton <sam@linux-info.net>:

> Folks,
> 
> I posted earlier asking about getting routing working, but it
> turned out to be a problem with my firewall.  I am anything
> but an expert on configuring firewalls.  Now I am completely
> stumped, I am hoping that someone can help me out a bit...
> 
> I added a third NIC to my firewall yesterday.  The objective
> is to have one server network (172.16.0.0/24 on ex1) for my
> web/mail/ftp server and then have a private network
> (192.168.0.1/24 on ex0) for my clients.  
> 
> As the firewall stands now both networks are able to get to
> the Internet and it looks like the Internet can get to the
> Server network.  The Server network is able to ping a machine
> on the private network.  But the private network is not able
> to ping the Server network.  
> 
> * The big issue I am dealing with is the inability for the
> * private network (ex0) to get to the server network (ex1).
> 
> But while I had your ear, or in this case eyes and brain, I
> thought I might get help with my next step in configuring the
> firewall:
> 
> The Server network (ex1) has zero need to initiate a
> connection with the Internet other than to relay mail to my
> ISP's mail server.  Ideally I would like to prevent ANYTHING
> from getting out of the Server network (ex1) other than SMTP
> to the ISP's server.
> 
> Below is both my ipnat.conf and my ipf.conf.  As it stands now
> it is allowing all traffic to flow from the server network
> (ex1) to the private network (ex0).  
> 
> Can some kind soul enlighten me as to why the private network
> (ex0) is not able to ping the server (the firewall can ping
> the server, though).  And also educate me as to the best way
> to lock down the server network.
> 
> Thanks a million!!!
> Sam
> 
>    
>   --------------------ipnat.conf-------------------------
> rdr ex0 0/0 port 80 -> 192.168.0.1 port 3128 tcp
> 
> map iy0 0/0 -> 0/32 proxy port ftp ftp/tcp
> map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40001:60000
> map iy0 192.168.0.1/24 -> 0/32
> 
> map iy0 172.16.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> map iy0 172.16.0.1/24 -> 0/32 portmap tcp/udp 20000:40000
> map iy0 172.16.0.1/24 -> 0/32
> 
>    rdr iy0 0/0 port 21  -> 172.16.0.2 port 21
>    rdr iy0 0/0 port 22  -> 172.16.0.2 port 22
>    rdr iy0 0/0 port 25  -> 172.16.0.2 port 25
>    rdr iy0 0/0 port 80  -> 172.16.0.2 port 80 tcp
>   --------------------ipf.conf---------------------------
>   pass in quick on lo0
>   block in on iy0 all head 1
> 
>   block in quick on iy0 from 0.0.0.0/7 to any group 1
>   block in quick on iy0 from 2.0.0.0/8 to any group 1
>   block in quick on iy0 from 5.0.0.0/8 to any group 1
>   block in quick on iy0 from 10.0.0.0/8 to any group 1
>   block in quick on iy0 from 23.0.0.0/8 to any group 1
>   block in quick on iy0 from 27.0.0.0/8 to any group 1
>   block in quick on iy0 from 31.0.0.0/8 to any group 1
>   block in quick on iy0 from 69.0.0.0/8 to any group 1
>   block in quick on iy0 from 70.0.0.0/7 to any group 1
>   block in quick on iy0 from 72.0.0.0/5 to any group 1
>   block in quick on iy0 from 82.0.0.0/7 to any group 1
>   block in quick on iy0 from 84.0.0.0/6 to any group 1
>   block in quick on iy0 from 88.0.0.0/5 to any group 1
>   block in quick on iy0 from 96.0.0.0/3 to any group 1
>   block in quick on iy0 from 127.0.0.0/8 to any group 1
>   block in quick on iy0 from 128.0.0.0/16 to any group 1
>   block in quick on iy0 from 128.66.0.0/16 to any group 1
>   block in quick on iy0 from 169.254.0.0/16 to any group 1
>   block in quick on iy0 from 172.16.0.0/12 to any group 1
>   block in quick on iy0 from 191.255.0.0/16 to any group 1
>   block in quick on iy0 from 192.0.0.0/16 to any group 1
>   block in quick on iy0 from 192.168.0.0/16 to any group 1
>   block in quick on iy0 from 197.0.0.0/8 to any group 1
>   block in quick on iy0 from 201.0.0.0/8 to any group 1
>   block in quick on iy0 from 204.152.64.0/23 to any group 1
>   block in quick on iy0 from 224.0.0.0/3 to any group 1
> 
> # allow everything to keep coming or going if it has already started
>   pass out quick on iy0 proto tcp/udp from 0/0 to any keep state group 1
>   pass out quick on iy0 proto icmp from 0/0 to any keep state group 1
> 
> # allow DHCP to come into the system when there is no IP address
>   pass in  quick on iy0 proto tcp/udp from any port = 67 to 255.255.255.255 port = 68 keep state group 1
>   pass out quick on iy0 proto tcp/udp from any port = 68 to 255.255.255.255 port = 67 keep state group 1
> 
> # allow everything out of ex0
>   pass in on ex0 all head 10
>   pass in on ex1 all
> 
> # block all traffic to AOL IM Login server
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.161.185/32
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.161.153/32
> 
> # Block all traffic to AOL Servers, one of these will cut off AIM
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.24.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.25.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.26.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.27.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.28.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 64.12.29.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.3.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.4.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.5.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.138.6.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.7.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.8.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.9.0/24
>   block return-icmp(0) in quick on ex0 from 192.168.0.0/24 to 205.188.10.0/24
> 
> # allow all traffic on internal NIC
>   pass out quick on ex0 
>   pass out quick on ex1
> 
> ## allow the services to come into sunflower
>   pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 21 flags S keep state group 1
>   pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 22 flags S keep state group 1
>   pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 25 flags S keep state group 1
>   pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port = 80 flags S keep state group 1
>   pass in quick on iy0 proto tcp from any to 172.16.0.2/32 port 26000 >< 32000 flags S keep state group 1
> 
> # Allow ident to come in for things like IRC
>   pass in quick on iy0 proto tcp from any to any port = 113 group 1
> 
> # allow in any traffic coming to this machine because
> # there is a block a little farther down stopping all
> # other 192.168.0.0/16 packets
>   pass in quick on ex0 from any to 192.168.0.1/32 group 10
>   pass in quick on ex0 from any to 172.16.0.0/24 group 10
> 
>   block return-icmp(0) in quick on ex0 from any to 0.0.0.0/7 group 10
>   block return-icmp(0) in quick on ex0 from any to 2.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 5.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 10.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 23.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 27.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 31.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 69.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 70.0.0.0/7 group 10
>   block return-icmp(0) in quick on ex0 from any to 72.0.0.0/5 group 10
>   block return-icmp(0) in quick on ex0 from any to 82.0.0.0/7 group 10
>   block return-icmp(0) in quick on ex0 from any to 84.0.0.0/6 group 10
>   block return-icmp(0) in quick on ex0 from any to 88.0.0.0/5 group 10
>   block return-icmp(0) in quick on ex0 from any to 96.0.0.0/3 group 10
>   block return-icmp(0) in quick on ex0 from any to 127.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 128.0.0.0/16 group 10
>   block return-icmp(0) in quick on ex0 from any to 128.66.0.0/16 group 10
>   block return-icmp(0) in quick on ex0 from any to 169.254.0.0/16 group 10
> # block return-icmp(0) in quick on ex0 from any to 172.16.0.0/12 group 10
>   block return-icmp(0) in quick on ex0 from any to 191.255.0.0/16 group 10
>   block return-icmp(0) in quick on ex0 from any to 192.0.0.0/16 group 10
>   block return-icmp(0) in quick on ex0 from any to 192.168.0.0/16 group 10
>   block return-icmp(0) in quick on ex0 from any to 197.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 201.0.0.0/8 group 10
>   block return-icmp(0) in quick on ex0 from any to 204.152.64.0/23 group 10
>   block return-icmp(0) in quick on ex0 from any to 224.0.0.0/3 group 10
> 
> # Allow everything else in from the internal network
>   pass in quick on ex0 
>   pass in quick on ex1 
> 
> 
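The quoted message asks how to keep the server network (ex1) from originating anything but SMTP to the ISP's relay. The fragment below is an added ipf.conf example written for this thread, not taken from either message; it replaces the two wide-open ex1 rules in the posted config, and ISP_RELAY and RESOLVER are placeholders for addresses the thread does not give.

```conf
# --- before (as posted): anything on the server network may go anywhere ---
#   pass in on ex1 all
#   pass out quick on ex1

# --- after: ex1 may only originate SMTP to the ISP's mail relay ---
# ISP_RELAY is a placeholder; put the ISP mail server's address here.
# Sessions that the iy0 "keep state" rules already created (ftp/ssh/smtp/http
# redirected to 172.16.0.2) are matched from the state table before any rule
# is consulted, so the server's replies to those are unaffected by the block.
pass in quick on ex1 proto tcp from 172.16.0.0/24 to ISP_RELAY port = 25 flags S keep state

# Only needed if the mail server resolves names; RESOLVER is a placeholder.
# pass in quick on ex1 proto udp from 172.16.0.0/24 to RESOLVER port = 53 keep state

# Every other connection the server network tries to start is dropped and
# logged, so ipmon shows exactly what the server still tries to reach.
block in log quick on ex1 all

# Packets the firewall forwards into the server network (the redirected
# services and replies for the state entries above) still leave via ex1.
pass out quick on ex1
```

Outbound on iy0 is unchanged: the SMTP session leaves the external interface under the same state entry, so nothing in group 1 needs editing.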