simple ipfw default rc.firewall

Reme · 10-15-2003, 08:07 AM

Running a default rc.firewall config. When i use an open type firewall everything works. However, when i use a simple type firewall i get an error like this when running the ping command.

ping: sendto: Permission denied

Since i cannot get a connection to my isp dns servers, none of the clients can pull up webpages. I have read that many people had this problem, but no answers were posted for replies. Could someone help me solve this very simple problem with ipfw's?

Thanks in advance.

bbeers · 10-15-2003, 11:34 AM

No help unless you can post your "default rc.firewall" and "simple type firewall"
so we can tell what you are doing.

What distribution are you using?

whistles · 10-15-2003, 12:14 PM

why don't you set your own rules? Instead of "open"(no firewall) or "client"... put the path to your rules and write a ruleset. It is very simple and will be suited to exactly what you need. there is a 3 or 4 part article that is very easy to understand and starts here--> http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html (onlamp has quite a few good articles ,although some are a little dated)

Reme · 10-15-2003, 09:02 PM

FreeBSD 5.0-RELEASE (MY2KERNEL) #0: Wed Oct 8 10:16:31 KST 2003

firewall_type="simple" # in rc.conf

Here is rc.firewall the tabs are a little screwed, sorry....

setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

# setting this to use DHCP to connect to the internet
oif="fxp0"
lease="/var/db/dhclient.leases"
oip=`grep fixed-address ${lease}|cut -d\; -f1|awk '{print $2}'|tail -1`
omask=`grep subnet-mask ${lease}|cut -d\; -f1|awk '{print $3}'|tail -1`
shortonet=`echo "$oip"|cut -d. -f1,2,3`
onet="$shortonet.0"
echo "DHCP onet = $onet"
echo "DHCP omask = $omask"
echo "DHCP oip = $oip"
sleep 4

# set these to your inside interface network and netmask and ip
iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_
fi
;;
esac

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;

Reme · 10-15-2003, 09:04 PM

Sorry but that is the section that is being loaded at start up, i also suck up the variables in rc.conf.