Alexco
Well-Known Member
Hello everyone!
I'm still trying to understand my FreeBSD 5.1-CURRENT, and now I'm tinkering with PPP and IPFW. Since I don't want any eDonkey/BitTorrent/Kazaa packets keeping my DSL connection up, I've been looking at PPP's filters:
set filter alive 0 deny 0/0 0/0 # everything that comes from outside
should be enough for now. So that not everything dials out, I also set this up:
set filter dial 0 deny udp src eq 513 # rwhod
set filter dial 1 deny udp src eq 525 # timed
set filter dial 2 deny udp src eq 137 # NetBIOS name service
set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
set filter dial 4 deny tcp src eq 139 # NetBIOS session service
set filter dial 5 deny udp dst eq 137 # NetBIOS name service
set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
set filter dial 7 deny tcp dst eq 139 # NetBIOS session service
set filter dial 8 deny tcp finrst # Badly closed TCP channels
set filter dial 9 permit 0 0
This is taken almost 1:1 from the PPP examples.
Now I've reworked the ipfw rules from the examples a bit:
#!/bin/sh
#
# Be quiet
fwcmd="/sbin/ipfw -q"
# Clean everything up first before we start
${fwcmd} -f flush
# Set our own variables
int_if1="fxp0" # Internal interface
int_if2="rl0" # Internal interface (WLAN)
out_if1="tun0" # External interface
nat_if1="tun0" # External interface for NAT
open_tcp="20, 21, 22, 113" # Open ports for tcp
open_udp="20, 21" # Open ports for udp
int_net1="192.168.6.0/24"
int_msk1="255.255.255.0"
# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# Stop spoofing
${fwcmd} add deny ip from any to any not verrevpath in
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${out_if1}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${out_if1}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${out_if1}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${out_if1}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${out_if1}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${out_if1}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${out_if1}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${out_if1}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${nat_if1}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${out_if1}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${out_if1}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${out_if1}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${out_if1}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${out_if1}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${out_if1}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${out_if1}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${out_if1}
# Allow ip
${fwcmd} add allow all from any to any via ${int_if1}
${fwcmd} add allow all from any to any via ${int_if2}
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow access to specified services
${fwcmd} add pass tcp from any to any ${open_tcp} in via ${out_if1} setup
# UDP has no connection setup, so no "setup" keyword; use the udp port list
${fwcmd} add pass udp from any to any ${open_udp} in via ${out_if1}
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${out_if1} setup
# Allow setup of any other TCP connection
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any established
${fwcmd} add allow tcp from any to any setup keep-state
# Allow DNS queries out in the world
${fwcmd} add pass udp from any to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from any to any 123 keep-state
# Allow ping
${fwcmd} add pass icmp from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
As I said, all from the examples. Does anyone here actually understand the comment about natd? Why does it have to sit between the two (identical) rule blocks?
When I now start ppp with: ppp -quiet -auto tonline, it
dials in immediately (why, actually??). Since nothing happens, it eventually hangs up. When I then issue: nslookup www.bsdforen.de, my locally running named immediately returns a server error saying it couldn't resolve the address. My question now ... why?? PPP doesn't even try to dial in, the DNS request is blocked immediately. Where did I mess up again??
Regards,
Alex
P.S. A scan of my firewall via www.grc.com actually runs the way I wanted, so it seems almost OK... At some point Seti@home should simply always be allowed to dial in when it's finished, but that doesn't work properly either..
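An added example (not part of Alex's post or of the FreeBSD rc.firewall it is based on) that models the two address-check blocks and the natd divert rule the way ipfw walks them, using constructed addresses. It shows why the divert has to sit between the blocks: the block above it checks destinations, the block below it checks sources, and the poster's own LAN (192.168.6.0/24) falls inside the denied 192.168.0.0/16 range, so the placement matters for every LAN host, not only for the 192.0.2.1 case in the comment.

```python
import ipaddress

# Constructed addresses for this example (not from the post): the public
# address the tun0 link gets, one host on the 192.168.6.0/24 LAN, and a peer.
PUBLIC_IP = "203.0.113.10"
LAN_HOST = "192.168.6.20"
REMOTE = "198.51.100.7"

# Networks that both deny blocks reject on the outside interface.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def blocked(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED)


def natd(pkt):
    """Model of natd on tun0: outbound packets get the public source address,
    inbound packets to the public address are mapped back to the LAN host."""
    if pkt["dir"] == "out":
        return dict(pkt, src=PUBLIC_IP)
    if pkt["dst"] == PUBLIC_IP:
        return dict(pkt, dst=LAN_HOST)
    return pkt


def walk(pkt, divert_at):
    """Walk one packet through 'deny ... to <net>' (block above the divert),
    the divert, and 'deny ... from <net>' (block below), with the divert
    placed 'before', 'between' or 'after' the two blocks. First match wins."""
    steps = [("dst-check", None), ("src-check", None)]
    steps.insert({"before": 0, "between": 1, "after": 2}[divert_at],
                 ("divert", natd))
    for name, fn in steps:
        if name == "divert":
            pkt = fn(pkt)                      # addresses change here
        elif name == "dst-check" and blocked(pkt["dst"]):
            return "deny-dst"                  # hit the block above the divert
        elif name == "src-check" and blocked(pkt["src"]):
            return "deny-src"                  # hit the block below the divert
    return "pass"


OUTBOUND = {"dir": "out", "src": LAN_HOST, "dst": REMOTE}
INBOUND = {"dir": "in", "src": REMOTE, "dst": PUBLIC_IP}

if __name__ == "__main__":
    for where in ("before", "between", "after"):
        print(where, walk(OUTBOUND, where), walk(INBOUND, where))
```

Only the "between" placement lets both directions through: with the divert above the first block an inbound packet is denied after translation, and with it below the second block an outbound packet is denied before translation.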