#2, 28th June 2010
sharris
Package Pilot
Join Date: Jun 2010
Posts: 146

checklist

I just pinpointed for sure that the GATEWAY cannot ping WWW by name when pf_enabled="YES" (and nothing else pf).

Also I re-installed Windows XP, I uninstalled the firewall, Windows Update and such. I updated the TCP/IP settings to the same as listed above. I plugged into the Netgear switch and to my surprise the Gateway can now ping the client. But the client situation has not changed. The client can ping the Gateway but not the WWW. I'm beginning to believe this is normal. I am really new at this. Hands-on is different from reading a pack of documentation and different ideas all over the INTERNET and never remembering much because you never had the chance to try, and when you do, half the stuff doesn't work for your setup or machine anyway.

Now I think it's the pf rules that are holding me back. I found these examples on the net and like them so much because they have lots of stuff to learn from.

I need some experienced people to comment out or add what is needed for my small LAN, which consists of one FreeBSD gateway, one XP machine for surfing the INTERNET and one FreeBSD/Arch-Linux machine for building routers and firewalls and such (more on the learning side), and maybe one more machine running a webserver for practice.

Here is the rule set.
May I ask that I would like it Stealth ready, but not Stealth enabled. The first half is different but I saved it to be included within the bottom half if possible. Could some of you guys make changes and post a few comments on why it should be used. If it ends with only 3 rules that work, I'll still be happy. I saved more than a dozen pf examples but I never knew what to do with them. It's been hard enough just learning FreeBSD and Arch-Linux command-line mode. I've been working at it all day and night and I don't have it correct yet. How do you guys do it?

Thanks again

Hope someone with know-how comes to read all of this. It's kind of lonely down here in the networking department. I may have to change my career plans.



Code:
###   Stealthed Example:

###   ext_if  = "fxp0"
###   int_if  = "dc0"
###   lan_net = "192.168.0.0/24"

# Blocking ICMP completely, stealthed to attackers
# ICMP
# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# (the rules below use $ext_if, the macro defined above; the copied text had $ext)
#####  pass out on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state
#####  pass in on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state

# UDP
# pass out all UDP connections and keep state
#######  pass out on $ext_if proto udp all keep state

# pass in certain UDP connections and keep state (DNS)
# $udp_in is not defined in this snippet; it must be a macro listing
# the UDP ports to accept (53 for DNS)
##pass in on $ext_if proto udp from any to any port $udp_in keep state

# TCP
# pass out all TCP connections and modulate state
#######   pass out on $ext_if proto tcp all modulate state


## Or

# $ext_ad is not defined in this snippet; it stands for the address of
# the external interface. "port" requires "proto tcp" in pf syntax.
#######  block in all
#######  block return-icmp in on $ext_if proto tcp from any to $ext_ad port auth quick
#######  pass in on $ext_if proto tcp from any to $ext_ad port smtp quick
Code:
################################################################ 
# define defaults and macros
################################################################# 

oif = "re0"           # macro name for the NIC facing the public internet

lif = "re1"           # for NIC facing Local area network if you have one

dns1 = "{69.22.11.5, 69.22.11.6}"  # my ISP's Domain name server IP addresses
dhcp = "69.22.11.7"                # my ISP's DHCP server IP address

ob_state = "flags S/SA modulate state"     # outbound

ib_state = "flags S/SA synproxy state"     # inbound

################################################################# 
# define run time global defaults
################################################################# 

set block-policy drop       # Sets the default block behavior to
                            # packet is silently dropped

set state-policy if-bound   # states are bound to the interface 
                            # they're created on

set loginterface $oif       # gather statistics on this interface

scrub out on $oif all random-id 
scrub reassemble tcp 

################################################################# 
# define Nat if you have LAN
################################################################# 

#nat on $oif from $lif to any -> ($oif)

#nat on $oif from 10.0.10.0/29 to any -> ($oif)

#pass quick on $lif all         # No restrictions on LAN Interface

pass quick on lo0 all           # No restrictions on Loopback Interface

#######################################################################
# Interface facing Public Internet (Outbound Section) 
# Interrogate session start requests originating from behind the 
# firewall on the private network 
# or from this gateway server destined for the public Internet.
#######################################################################

# Allow out access to my ISP's Domain name server.
# $dns1 must be the IP address of your ISP's DNS.
# Get the IP addresses from the /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for a user ppp type connection to the
# public Internet, so you can delete this whole group.
pass out quick on $oif proto udp from any to $dhcp port 67 keep state

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from any to any port 80 $ob_state

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from any to any port 443 $ob_state

# Allow out send & get email function
# pass out quick on $oif proto tcp from any to any port 110 $ob_state
# pass out quick on $oif proto tcp from any to any port 25 $ob_state

# Allow out Time
# pass out quick on $oif proto tcp from any to any port 37 $ob_state

# Allow out nntp news
# pass out quick on $oif proto tcp from any to any port 119 $ob_state


# Allow out secure FTP, Telnet, and SCP 
# This function is using SSH (secure shell)
pass out quick on $oif proto tcp from any to any port 22 $ob_state

# Allow out non-secure Telnet (ID/PW passed as clear text)
pass out quick on $oif proto tcp from any to any port 23 $ob_state

# Allow out FBSD CVSUP function 
pass out quick on $oif proto tcp from any to any port 5999 $ob_state

# Allow out ping to public Internet
pass out quick on $oif inet proto icmp from any to any icmp-type 8 keep state

# Allow out whois PC to public Internet
pass out quick on $oif proto tcp from any to any port 43 $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP in response to remote FTP client
pass out quick on $oif proto tcp from any port 20 to any $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP for gateway & LAN users 
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
# pass out quick on $oif proto tcp from any to any port 21 $ob_state

# Block and log everything that's trying to get out.
# This rule enforces the block all by default logic. 
block out log quick on $oif all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on $oif from 192.168.0.0/16 to any  #RFC 1918 private IP
block in quick on $oif from 172.16.0.0/12 to any   #RFC 1918 private IP
block in quick on $oif from 10.0.0.0/8 to any      #RFC 1918 private IP

block in quick on $oif from 127.0.0.0/8 to any     #loopback
block in quick on $oif from 0.0.0.0/8 to any       #"this" network (RFC 1122)

block in quick on $oif from 169.254.0.0/16 to any  #DHCP auto-config
block in quick on $oif from 192.0.2.0/24 to any    #reserved for doc's

block in quick on $oif from 204.152.64.0/23 to any #Sun cluster connect

block in quick on $oif from 224.0.0.0/3 to any     #Class D & E multicast


# Block public pings 
block in quick on $oif inet proto icmp all icmp-type 8

# Block ident 
block in quick on $oif proto tcp from any to any port 113

# Block all Netbios service. 137=name, 138=datagram, 139=session 
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log quick on $oif proto tcp from any to any port 137
block in log quick on $oif proto udp from any to any port 137
block in log quick on $oif proto tcp from any to any port 138
block in log quick on $oif proto udp from any to any port 138
block in log quick on $oif proto tcp from any to any port 139
block in log quick on $oif proto udp from any to any port 139
block in log quick on $oif proto tcp from any to any port 81
block in log quick on $oif proto udp from any to any port 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for a
# user ppp type connection to the public Internet.
# This is the same IP address you 
# used in the outbound section.
pass in quick on $oif proto udp from $dhcp to any port 68 keep state

# Allow in standard www function because I have apache server
pass in quick on $oif proto tcp from any to any port 80 $ib_state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on $oif proto tcp from any to any port 22 $ib_state

# Allow in non-secure Telnet session from public Internet labeled
# non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample rule if you do not have telnet server enabled.
#pass in quick on $oif proto tcp from any to any port 23 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# active FTP from remote client
pass in quick on $oif proto tcp from any to any port 21 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# response to active FTP for gateway & LAN users
# (interface is $oif; the copied text had a leftover literal "dc0",
# which does not exist on a box whose NICs are re0/re1)
pass in quick on $oif proto tcp from any port 20 to any $ib_state

# Block and log all remaining traffic coming into the firewall.
# This rule enforces the block all by default logic.
block in log quick on $oif all
################### End of rules file ##############################
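As an added example (not the poster's ruleset and not one of the quoted examples), a minimal pf.conf for the topology described in the post: a FreeBSD gateway with re0 toward the ISP and re1 toward the LAN, NAT so the XP client's traffic leaves with the gateway's address, default deny in both directions, and inbound ping kept as a single toggle line for "stealth ready". The LAN prefix 192.168.0.0/24 and the outbound port lists are assumptions.

```pf
# Added example, not the poster's ruleset. Assumptions: re0 faces the ISP,
# re1 faces the LAN (as in the macros above), the LAN is 192.168.0.0/24.
ext_if  = "re0"
int_if  = "re1"
lan_net = "192.168.0.0/24"              # assumed LAN prefix

tcp_out = "{ 22, 53, 80, 443 }"         # outbound TCP the gateway may open
udp_out = "{ 53, 123 }"                 # DNS and NTP

set block-policy drop
set skip on lo0                         # never filter loopback
scrub in all

# Without NAT the client's 192.168.0.x source address leaves re0 unchanged
# and replies can never be routed back, which fits the symptom in the post:
# the LAN client reaches the gateway but nothing beyond it.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny both directions, logged to pflog0 so a missing pass rule
# shows up in "tcpdump -n -e -ttt -i pflog0" instead of failing silently.
block log all

# LAN side: trust the LAN. The state created here is floating (the default),
# so the same connection is not re-filtered when it leaves via re0.
pass in quick on $int_if from $lan_net to any keep state

# Gateway's own outbound traffic, including DNS to whatever resolver
# /etc/resolv.conf names. A DNS rule pinned to one ISP address blocks name
# resolution as soon as resolv.conf points elsewhere.
pass out on $ext_if inet proto tcp from any to any port $tcp_out flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port $udp_out keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state

# DHCP lease exchange with the ISP (drop both lines for static or PPP links).
pass out on $ext_if inet proto udp from any port 68 to any port 67 keep state
pass in  on $ext_if inet proto udp from any port 67 to any port 68 keep state

# "Stealth ready": comment out this single line to stop answering pings
# from the Internet; nothing else needs to change.
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with `block log all` in place, anything still failing appears on pflog0 rather than being dropped silently.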