Re: Which interface do I put natd and ipfw
Hi Lowell,

Thanks for the info. You are right. I don't need the IP address for the external interface in order to configure the firewall. I couldn't understand the sample files that came with ipfw. I thought I had to follow the sample file the way it was given. Now I know I can change it to the way I want. Thanks once again.

regds
ed

On Tue, 3 Feb 2004 12:40 am, you wrote:
> Emmanuel Dwamena <[EMAIL PROTECTED]> writes:
>
> > I need help to set up firewall on my freebsd 5.1 box. I have built new
> > kernel with ipfw enabled and is working fine.
> > I need to know which of the 3 interfaces do I put the natd and ipfw.
> > My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1 connects
> > to adsl modem. I use user ppp to set up the connection to the isp who
> > assigns dynamic IP address to the tun0 interface. I have no IP address
> > assigned to ed1. I have traffic coming in through the tun0 from outside
> > to the LAN. Which of the interfaces do I use to block unwanted traffic
> > from the internet - ed1 or tun0?
>
> tun0
>
> > How do I configure the tun0 interface for the firewall since I
> > do not know the interface address beforehand?
>
> You have two choices; either don't use the address in the firewall
> setup at all (it isn't really useful...) or use the "me" keyword for
> the address (see ipfw(8)).
>
> > Secondly which interface do I
> > place natd?
>
> tun0

--
email: [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: Which interface do I put natd and ipfw
t out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to xxx.xxx.xxx.xxx 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
### End of IPFW rules file ###

You have to use a crossover cable to connect your single LAN PC to your FBSD gateway PC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emmanuel Dwamena
Sent: Monday, February 02, 2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: Re: Which interface do I put natd and ipfw

Dear friends,
I need help to set up firewall on my freebsd 5.1 box. I have built new kernel with ipfw enabled and is working fine.
I need to know which of the 3 interfaces do I put the natd and ipfw.
My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1 connects to adsl modem. I use user ppp to set up the connection to the isp who assigns dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through the tun0 from outside to the LAN. Which of the interfaces do I use to block unwanted traffic from the internet - ed1 or tun0?
How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand? Secondly which interface do I place natd?
If anyone has configured adsl with dynamic IP address assigned to tun0 I will like to have some info about how it was configured with ipfw.
regds
ed
--
email: [EMAIL PROTECTED]
Re: Which interface do I put natd and ipfw
Emmanuel Dwamena <[EMAIL PROTECTED]> writes:

> I need help to set up firewall on my freebsd 5.1 box. I have built new kernel
> with ipfw enabled and is working fine.
> I need to know which of the 3 interfaces do I put the natd and ipfw.
> My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1 connects to
> adsl modem. I use user ppp to set up the connection to the isp who assigns
> dynamic IP address to the tun0 interface. I have no IP address assigned to
> ed1. I have traffic coming in through the tun0 from outside to the LAN. Which
> of the interfaces do I use to block unwanted traffic from the internet - ed1
> or tun0?

tun0

> How do I configure the tun0 interface for the firewall since I do
> not know the interface address beforehand?

You have two choices; either don't use the address in the firewall setup at all (it isn't really useful...) or use the "me" keyword for the address (see ipfw(8)).

> Secondly which interface do I
> place natd?

tun0

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"
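To tie the two answers together (Lowell's "use tun0 and the `me` keyword" and the rules-file excerpt posted earlier in the thread), here is an added example, not from any poster or from the FreeBSD sample: a minimal rc-style ipfw rule set for the layout in the question (LAN on ed0, user-ppp link on tun0 with a dynamic address, natd diverting on tun0). The rule numbers, the `skipto` layout and the private LAN range are my assumptions; `me` resolves to whatever address tun0 holds at match time, so the ISP-assigned IP never appears in the file.

```sh
#!/bin/sh
# Added example (not the thread's own rules): ipfw + natd on a gateway whose
# public side is the ppp tunnel tun0, not the bare NIC ed1. natd is assumed
# to be started as "natd -dynamic -n tun0" so it follows tun0's address.

pif="tun0"   # public interface: the ppp tunnel carries the ISP address
lan="ed0"    # LAN-facing NIC (assumed private range, no address checks needed)

# $1 is the command prefix: "ipfw -q add" to load for real, "echo" to dry-run.
# $cmd is deliberately unquoted so "ipfw -q add" splits into three words.
ipfw_ruleset() {
    cmd="$1"
    # Inbound packets on tun0 hit natd first, so replies destined for LAN
    # hosts are translated back before the stateful check looks at them.
    $cmd 00100 divert natd ip from any to any in via $pif
    $cmd 00110 allow ip from any to any via lo0
    $cmd 00120 allow ip from any to any via $lan
    $cmd 00200 check-state
    # Outbound: record the flow, then jump to the natd exit rule. Packets that
    # later match the dynamic entry inherit this skipto, so they get translated
    # too; an "allow ... keep-state" here would bypass natd entirely.
    $cmd 00300 skipto 800 tcp from any to any out via $pif setup keep-state
    $cmd 00301 skipto 800 udp from any to any out via $pif keep-state
    $cmd 00399 deny log ip from any to any out via $pif
    # Spoofed sources: private and loopback ranges never legitimately arrive
    # on the public side.
    $cmd 00400 deny ip from 192.168.0.0/16 to any in via $pif
    $cmd 00401 deny ip from 172.16.0.0/12 to any in via $pif
    $cmd 00402 deny ip from 10.0.0.0/8 to any in via $pif
    $cmd 00403 deny ip from 127.0.0.0/8 to any in via $pif
    # Service on the dynamic address: "me" matches tun0's current IP, and
    # "limit src-addr 2" caps concurrent connections per remote host.
    $cmd 00500 allow tcp from any to me 22 in via $pif setup limit src-addr 2
    $cmd 00599 deny log ip from any to any in via $pif
    # natd exit for outbound LAN traffic: translate, then pass.
    $cmd 00800 divert natd ip from any to any out via $pif
    $cmd 00810 allow ip from any to any
    $cmd 00999 deny log ip from any to any
}

# "sh rules.sh --dry-run" prints the rules; as root, call ipfw_ruleset "ipfw -q add".
if [ "${1:-}" = "--dry-run" ]; then ipfw_ruleset echo; fi
```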
Re: Which interface do I put natd and ipfw
Check this doc out:
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

Extech

*** REPLY SEPARATOR ***

On 2004/02/02 at 23:44 Emmanuel Dwamena wrote:

>Dear friends,
>I need help to set up firewall on my freebsd 5.1 box. I have built new
>kernel
>with ipfw enabled and is working fine.
>I need to know which of the 3 interfaces do I put the natd and ipfw.
>My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1 connects
>to
>adsl modem. I use user ppp to set up the connection to the isp who assigns
>dynamic IP address to the tun0 interface. I have no IP address assigned to
>ed1. I have traffic coming in through the tun0 from outside to the LAN.
>Which
>of the interfaces do I use to block unwanted traffic from the internet -
>ed1
>or tun0? How do I configure the tun0 interface for the firewall since I do
>not know the interface address beforehand? Secondly which interface do I
>place natd?
>If anyone has configured adsl with dynamic IP address assigned to tun0 I
>will
>like to have some info about how it was configured with ipfw.
>regds
>ed
>--
>email: [EMAIL PROTECTED]
Re: Which interface do I put natd and ipfw
Dear friends,
I need help to set up firewall on my freebsd 5.1 box. I have built new kernel with ipfw enabled and is working fine.
I need to know which of the 3 interfaces do I put the natd and ipfw.
My freebsd 5.1 box has 2 nic cards. ed0 connects to LAN and ed1 connects to adsl modem. I use user ppp to set up the connection to the isp who assigns dynamic IP address to the tun0 interface. I have no IP address assigned to ed1. I have traffic coming in through the tun0 from outside to the LAN. Which of the interfaces do I use to block unwanted traffic from the internet - ed1 or tun0?
How do I configure the tun0 interface for the firewall since I do not know the interface address beforehand? Secondly which interface do I place natd?
If anyone has configured adsl with dynamic IP address assigned to tun0 I will like to have some info about how it was configured with ipfw.
regds
ed
--
email: [EMAIL PROTECTED]