Hi folks,

(Warning: Lengthy!)

Ok, I tried to solve this with the IP Masquerading HOWTO and the Firewall HOWTO but I suspect I'm missing something fundamental here. The whole firewall thing is new to me so be gentle... :-}

The situation: I'm trying to set up a dedicated dial-up/masquerading/firewall machine for my small home network. The machine runs Red Hat Linux 5.2 with kernel 2.0.38 and all relevant updates. I have chronyd[0] running to keep the time and I have mserver[1] running to initiate the PPP connection remotely. The machine itself has neither telnet, nor rlogin, nor ftp, nor nfs - the only remote access is via ssh. It also runs a POP3 daemon to enable the other two machines (well - the users...) to get to their mail. I also have portsentry and logcheck running, the latter being the only program which uses the local sendmail. The other two machines send mail directly to my ISP's mailserver. All unnecessary services are commented out in /etc/inetd.conf.

I was able to get masquerading running and I'm now into the final step: Setting up the firewall. As a base, I decided to use the "Stronger IP Firewall (IPFWADM) Rulesets" as given in section 6.4 [2] of the IP Masquerading HOWTO. The resulting script is run by /etc/ppp/ip-up each time the PPP link is initiated, as I have a dynamic IP. I've modified the script so that it expects its first and only argument to be the current IP address, which ip-up supplies. I got this script running and working fine. I also added some accounting rules to enable mserver to calculate throughput data:

  # Accounting
  /sbin/ipfwadm -A -f
  /sbin/ipfwadm -A in -i -W ppp0
  /sbin/ipfwadm -A out -i -W ppp0

Also working fine. However, the original script only checks for IP spoofing, but leaves the machine as such "open", i.e. you can still connect to any port from any remote machine. This is not quite what I had in mind...
I'd rather only open up the ports I need to the rest of the world, which would be: http (outgoing - I have no server running), ftp (outgoing), mail/smtp (outgoing - connection to ISP's mailserver), news/nntp (outgoing, i.e. connection to my ISP's newsserver), icq and ntp (chrony, outgoing only, i.e. I want chrony to be able to connect to my ISP's ntp servers). Oh - and DNS, I suppose, so I'm able to connect to my ISP's nameservers (I have no DNS setup myself - just host files).

To achieve this, I was trying this approach:

  #!/bin/sh
  #
  # /etc/rc.d/rc.firewall: An example of a semi-STRONG IPFWADM firewall ruleset
  #
  [...]
  # first argument is our IP address
  ppp_ip=$1
  [...]
  # MASQ timeouts
  /sbin/ipfwadm -M -s 7200 10 60

  # Incoming
  #
  /sbin/ipfwadm -I -f
  /sbin/ipfwadm -I -p reject
  /sbin/ipfwadm -I -a accept -V 192.168.1.3 -S 192.168.1.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -I -a reject -V $ppp_ip -S 192.168.1.0/24 -D 0.0.0.0/0 -o
  # port 80: HTTP
  #
  /sbin/ipfwadm -I -a accept -V $ppp_ip -P tcp -S 0.0.0.0/0 -D $ppp_ip/32 80
  # port 22: ssh
  #
  /sbin/ipfwadm -I -a accept -V $ppp_ip -P tcp -S 0.0.0.0/0 -D $ppp_ip/32 22
  /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  # catch all rule, all other incoming is denied and logged.
  /sbin/ipfwadm -I -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o

  # Outgoing
  #
  /sbin/ipfwadm -O -f
  /sbin/ipfwadm -O -p reject
  /sbin/ipfwadm -O -a accept -V 192.168.1.3 -S 0.0.0.0/0 -D 192.168.1.0/24
  /sbin/ipfwadm -O -a reject -V $ppp_ip -S 192.168.1.0/24 -D 0.0.0.0/0 -o
  /sbin/ipfwadm -O -a reject -V $ppp_ip -S 0.0.0.0/0 -D 192.168.1.0/24 -o
  # port 25: Outgoing mail, valid
  #
  /sbin/ipfwadm -O -a accept -V $ppp_ip -P tcp -S $ppp_ip/32 25 -D 0.0.0.0/0 1024:65535
  # port 53: DNS, valid (SEE BELOW!)
  #
  /sbin/ipfwadm -O -a accept -W ppp0 -P udp -S $ppp_ip/24 -D 0.0.0.0/0 53
  # port 80: Outgoing HTTP, valid
  #
  /sbin/ipfwadm -O -a accept -V $ppp_ip -P tcp -S $ppp_ip/32 25 -D 0.0.0.0/0 1024:65535
  # port 110: Outgoing POP3, valid
  #
  /sbin/ipfwadm -O -a accept -V $ppp_ip -P tcp -S $ppp_ip/32 110 -D 0.0.0.0/0
  # port 119: Outgoing NNTP, valid
  #
  /sbin/ipfwadm -O -a accept -V $ppp_ip -P tcp -S $ppp_ip/32 119 -D 0.0.0.0/0
  # port 123: NTP, valid
  #
  /sbin/ipfwadm -O -a accept -V $ppp_ip -P udp -S 0.0.0.0/0 123 -D $ppp_ip/32
  /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  # catch all rule, all other outgoing is denied and logged.
  #
  /sbin/ipfwadm -O -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o

  # Forwarding
  /sbin/ipfwadm -F -f
  /sbin/ipfwadm -F -p reject
  # Masquerade from local net on local interface to anywhere.
  #
  /sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.1.0/24 -D 0.0.0.0/0
  # catch all rule, all other forwarding is denied and logged.
  #
  /sbin/ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o

  # Accounting
  /sbin/ipfwadm -A -f
  /sbin/ipfwadm -A in -i -W ppp0
  /sbin/ipfwadm -A out -i -W ppp0

The main problem I currently have is DNS. On first try, I didn't have any rule for DNS in my script, which resulted in error messages like this in /var/log/messages:

  Jan 11 03:20:46 esme kernel: IP fw-out rej ppp0 UDP DYNAMIC_IP_ADDR:1307 ISP_NAMESERVER:53 L=65 S=0x00 I=8194 F=0x0000 T=64

Now, my interpretation was that packets trying to get out from my address port 1xxx to the ISP nameserver port 53 simply don't get through. Hence, I tried this:

  /sbin/ipfwadm -O -a accept -W ppp0 -P udp -S $ppp_ip/24 -D 0.0.0.0/0 53

The problem is: As soon as I added this rule to the Outgoing rules (as listed in the script above), the whole firewall "collapsed" - I got "rej" error messages for fw_in and fw_out all over the place, nothing would work anymore - never mind DNS.
Also, "ipfwadm -O -l" didn't list anything anymore but simply got stuck and kept sitting there with no output other than the default policy until I pressed Ctrl-C. Same with "ipfwadm -I -l" and "ipfwadm -F -l".

The question is: How can I resolve this? What's the correct way to "open" the firewall for DNS requests to the outside? I was trying all sorts of things but couldn't get it to work... And why does that single rule disturb the whole firewall? I have the suspicion it's something fundamental and maybe even obvious - but not to me right now... :-(

Unfortunately, a search in the archives also didn't come up with anything. Hence, I'd appreciate it if you could help me out here.

Thanks in advance and thanks for taking the time to read all this,

Thomas

[0] Chrony can be found at: http://www.rrbcurnow.freeserve.co.uk/chrony/
[1] mserver can be found at: http://w3.cpwright.com/mserver/
[2] see: http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#ss6.4

-- 
"Look, Ma, no obsolete quotes and plain text only!"
Thomas Ribbrock | http://www.bigfoot.com/~kaytan | ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
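The kernel log line quoted in the post is the only evidence the 2.0 firewall gives for what it rejected, so the first step in tuning a default-reject policy is reading such lines systematically. The following Python is an added example, not code from the post or from the HOWTO: it parses that ipfw log format, tells from the privileged/ephemeral port split whether the blocked packet was a client's request or a server's reply, tallies rejects per service, and emits the narrowest matching ipfwadm accept rule for a human to review. Only the first sample line is from the post; the other lines, the 192.0.2.10 address, and the assumption that the kernel also logs "fw-fwd" and action tokens other than "rej" in the same shape are constructed for the example.

```python
import re
from collections import Counter

# Kernel 2.0 ipfw log shape as quoted in the post; ICMP entries carry no ports and are skipped.
#   IP fw-out rej ppp0 UDP DYNAMIC_IP_ADDR:1307 ISP_NAMESERVER:53 L=65 S=0x00 I=8194 F=0x0000 T=64
LOG_RE = re.compile(
    r"IP fw-(?P<chain>in|out|fwd) (?P<action>\w+) (?P<iface>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)")

# Constructed sample: the line quoted in the post plus two invented rejects (192.0.2.10 is a made-up NTP server).
SAMPLE_LOG = [
    "Jan 11 03:20:46 esme kernel: IP fw-out rej ppp0 UDP DYNAMIC_IP_ADDR:1307 ISP_NAMESERVER:53 L=65 S=0x00 I=8194 F=0x0000 T=64",
    "Jan 11 03:20:51 esme kernel: IP fw-out rej ppp0 UDP DYNAMIC_IP_ADDR:1308 ISP_NAMESERVER:53 L=65 S=0x00 I=8195 F=0x0000 T=64",
    "Jan 11 03:21:02 esme kernel: IP fw-in rej ppp0 UDP 192.0.2.10:123 DYNAMIC_IP_ADDR:1031 L=76 S=0x00 I=4410 F=0x0000 T=52",
]

def parse_fw_log(line):
    """Fields of one ipfw log line as a dict (ports and counters as ints), or None for any other syslog line."""
    m = LOG_RE.search(line)
    rec = m.groupdict() if m else None
    if rec:
        rec.update((k, int(rec[k])) for k in ("sport", "dport", "length", "ipid", "ttl"))
    return rec

def direction(rec):
    """Which half of the conversation was blocked: ephemeral->service is a request, service->ephemeral a reply."""
    hi, lo = rec["sport"] >= 1024, rec["dport"] >= 1024
    return "client-request" if hi and not lo else "server-reply" if lo and not hi else "unknown"

def summarize_rejects(lines):
    """Rejected packets per (chain, proto, service port): the services the current policy is blocking."""
    hits = Counter()
    for rec in filter(None, map(parse_fw_log, lines)):
        if rec["action"] == "rej":
            svc = rec["sport"] if direction(rec) == "server-reply" else rec["dport"]
            hits[(rec["chain"], rec["proto"], svc)] += 1
    return hits

def candidate_rule(rec):
    """Narrowest ipfwadm accept rule for the logged flow, meant to be reviewed before it goes into the script."""
    d = direction(rec)  # the ephemeral side widens to the unprivileged range; the service side stays fixed
    sport = "1024:65535" if d == "client-request" else str(rec["sport"])
    dport = "1024:65535" if d == "server-reply" else str(rec["dport"])
    chain = "-" + rec["chain"][0].upper()  # fw-in -> -I, fw-out -> -O, fw-fwd -> -F
    return "/sbin/ipfwadm %s -a accept -W %s -P %s -S %s/32 %s -D %s/32 %s" % (
        chain, rec["iface"], rec["proto"].lower(), rec["src"], sport, rec["dst"], dport)
```

Running summarize_rejects over a day of /var/log/messages shows which services a policy is actually blocking, and the emitted rules make the source/destination port ordering explicit for each direction.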
Firewall/masquerading setup with ipfwadm - looking for help
Thomas Ribbrock \(Design/DEG\) Wed, 12 Jan 2000 07:54:23 -0800