Subject: PPPoE/NAT/Firewall/timed
To: None <port-mac68k@netbsd.org>
From: RAParker <RAParker@Quadzilla.NET>
List: port-mac68k
Date: 02/14/2003 09:31:30
I've finally progressed to the point of having my 840av act as a NAT
router/ firewall for my home network. I connect to my ISP through PPPoE.
Other info and configurations are below.
What I would like to know: Is it ready? Is the firewall properly
configured?
I'm currently testing my internet connection and so far grc.com's "shields
up/probe my ports" shows all ports closed (firewall properly blocks &
logs). I can stealth the ports by commenting out the last lines of my
firewall "block return-" and not returning errors like a good router.
Is it a good idea to stealth the ports and not return errors?
So far, I'm only seeing one minor and one major problem:
-->a) Dsleports.com speed test. Download speed is accurate but the upload
test seems to fail with ipmon reporting the following entry in the log:
12/02/2003 09:39:01.568661 ae0 @0:2 b 192.168.0.1 -> 192.168.0.120 PR icmp
len 20 56 icmp unreach/needfrag for 192.168.0.120,50325 - 66.59.236.20,80
PR tcp len 20 1500 OUT
I would imagine that has something to do with using the "keep frags" option
or not having it properly set.
-->b) I'm running timed on the 840av (firewall) with my Compaq Proliant
850R (OpenBSD running ntpd & timed) set as master. This solution seemed to
have corrected the time skew problem that Macs have under heavy load. At
least until I installed the firewall rules, that is.
timed never finds the master:
Feb 13 11:42:40 FireGate timed[215]: sento 192.168.0.255: No route to host
ipmon -o IS (shows packets being blocked):
13/02/2003 11:42:40.983620 2x ae0 @0:2 b 192.168.0.1,525 ->
192.168.0.255,525 PR udp len 20 296 OUT
13/02/2003 11:42:41.023137 STATE:NEW 64.168.12.12,525 -> 64.168.13.254,525
PR udp
13/02/2003 11:44:03.819348 2x ae0 @200:2 b 192.168.0.220,525 ->
192.168.0.255,525 PR udp len 20 296 IN
I think the STATE:NEW is created when timed tries to locate a master on the
IP#/network assigned by my ISP. I've tried adding a filter or two within
local interface group to pass the packets locally only, but it doesn't seem
to fix the problem (see commented lines in ipf.conf below).
I am still new to BSD but I'm getting a pretty good technical grasp. I've
been following ipfhowto.txt along with /usr/share/examples/ipf/ to get the
following configurations. Your detailed and informative comments will be
well appreciated.
Ron
RAParker
|\/|\
|/-|/
|\ | @ Quadzilla.NET
----------------------------------------------------------------------
OGR-25 <http://stats.distributed.net/ogr-25/psummary.php3?id=30213>
Peak Rate: 2.85220397 Mnodes/sec
Current Ranking: 27745 (+103)
Gnodes Tested: 24,122.157
Time Working: 881 days @ .317 Mnodes/sec
Quadzilla.NET - More processing power than some third world countries.
----------------------------------------------------------------------
----- /etc/rc.conf -----
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it. program_flags are
# passed to the program on the command line.
#
# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
fi
# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES
# Add local overrides below
#
# Security setting. If $securelevel is non-empty, the system securelevel
# is set to this value early in the boot sequence. Otherwise the default
# action is taken (see init(8)).
#
securelevel="2" # securelevel to set to
sshd=YES sshd_flags=""
# Networking startup.
#
# execute up/down scripts for in-kernel PPPoE interfaces
ifwatchd=YES
ifwatchd_flags="-u /etc/ppp/ip-up -d /etc/ppp/ip-down pppoe0"
ipfilter=YES # uses /etc/ipf.conf
ipnat=YES # uses /etc/ipnat.conf
ipfs=YES ipfs_flags="" # save/load ipnat and ipf
states
ipmon=YES ipmon_flags="-ns" # syslog ipfilter messages
# To run the ntpd(8) NTP server as an unprivileged user under a
# chroot(2) cage, uncomment the following, after ensuring that:
# - The kernel has "pseudo-device clockctl" compiled in
# - /dev/clockctl is present
#
ntpdate=YES ntpdate_flags="-b -s -u"# May need '-u' thru
firewall
timed=YES timed_flags="-t"
# inetd is used to start the IP-based services enabled in /etc/inetd.conf
#
inetd=NO inetd_flags="-l" # -l logs libwrap
----- /etc/ifconfig.ae0 -----
inet 192.168.0.1 netmask 0xffffff00
inet 192.168.0.4 netmask 0xffffff00 alias # for SSH on the local interface
----- /etc/ifconfig.pppoe0 -----
create
# Mark up the physical interface used by this PPPoE interface
! /sbin/ifconfig mc0 up
# Let $int use mc0 as its Ethernet interface
! /sbin/pppoectl -e mc0 $int
# Configure authentication
! /sbin/pppoectl $int myauthproto=pap query-dns=3 'myauthname=xxx'
'myauthsecret=yyy' hisauthproto=none
# Configure the PPPoE interface itself. These addresses are magic
# meaning we don't care about either address and let the remote
# ppp choose them.
0.0.0.0 0.0.0.1 up
----- /etc/ppp/ip-up -----
#! /bin/sh
/sbin/route add default $5
/etc/rc.d/ipnat forcestart
/etc/rc.d/timed restart
----- /etc/ppp/ip-down -----
#! /bin/sh
/sbin/route delete default $5
/etc/rc.d/ipnat forcestop
----- /etc/ipf.conf -----
#!/sbin/ipf -f -
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# pppoe0 - (external) PPPoE connection to ISP, address 0/32
#
# ae0 - (internal) network interface, address 192.168.0.1/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This maybe too much logging
# (especially for ae0) and needs to be further refined.
#
block in log on pppoe0 all head 100
block in log proto tcp all flags S head 101 group 100
block out log on pppoe0 all head 150
block in log on ae0 from 192.168.0.1/24 to any head 200
block in log proto tcp all flags S head 201 group 200
block in log proto udp all head 202 group 200
block out log on ae0 all head 250
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Invalid Internet packets. (pppoe0 group 100)
# =========================
#
# Deny reserved addresses
#
block in log quick from any to 192.168.0.0/16 group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from any to 0.0.0.0/8 group 100
block in log quick from any to 169.254.0.0/16 group 100
block in log quick from any to 192.0.2.0/24 group 100
block in log quick from any to 204.152.64.0/23 group 100
block in log quick from any to 224.0.0.0/3 group 100
block in log quick from any to 20.20.20.0/24 group 100
#-------------------------------------------------------
# Prevent IP spoofing.
#
block in log quick from 0/32 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# Allow incoming TIMED syncing from master
#pass in quick proto udp from any to 192.168.0.1/32 port = 525 flags S keep
state group 202
#
# Allow outgoing FTP from any internal host to any external FTP server.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group
201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep
state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
pass in quick proto udp from any to any port = ntp keep state group 202
#
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in quick proto tcp all flags S/SA keep state keep frags group 200
#
# Allow ping out
#
pass in quick proto icmp all keep state group 200
#
# Allow local machine TCP access for HTTP tunnel only
pass out quick proto tcp from 0/32 to any port = 80 flags S keep state keep
frags group 150
# Allow local machine DNS access
pass out quick proto udp from 0/32 to any port = 53 keep state group 150
# Allow local machine TIMED access to local timeserver
#pass out quick proto udp from 192.168.0.1/32 to 192.168.0.0/16 port = 525
keep state group 202
#
#-------------------------------------------------------
# Support for stealth fastroute on pppoe interface
#block in quick on pppoe0 fastroute proto udp from any to any port 33434 ><
33490 group 150
# Support all UDP `connections' initiated from inside.
# pass actual router packets
pass out quick proto tcp from any to any flags S keep state keep frags
group 150
pass out proto udp from any to any keep state group 150
#
# Log these (commented out for stealth):
# ==========
# * return RST packets for invalid SYN packets to help the other end close
#block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
#block return-icmp(net-unr) in proto udp all group 100
---- dmesg ---- (just to brag ;-)
[ using 334388 bytes of netbsd ELF symbol table ]
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
NetBSD 1.6_STABLE (FIREGATE) #2: Thu Jan 30 15:54:33 PST 2003
raparker@FireGate:/usr/src/sys/arch/mac68k/compile/FIREGATE
Apple Macintosh Quadra 840AV (68040)
cpu: delay factor 1280
total memory = 65536 KB
avail memory = 41068 KB
using 4890 buffers containing 19560 KB of memory
mrg: 'Quadra AV ROMs' ROM glue, tracing off, debug off, silent traps
mainbus0 (root)
obio0 at mainbus0
esp0 at obio0: address 0x89f000: NCR53C96, 25MHz, SCSI ID 7
scsibus0 at esp0: 8 targets, 8 luns per target
adb0 at obio0
intvid0 at obio0 @ 50100800: CIVIC video subsystem
intvid0: 640 x 480, monochrome
macfb0 at intvid0
wsdisplay0 at macfb0 (kbdmux ignored): console (std, vt100 emulation)
mc0 at obio0: address 08:00:07:1c:0a:01
zsc0 at obio0 chip type 0
zsc0 channel 0: d_speed 9600 DCD clk 0 CTS clk 0
zstty0 at zsc0 channel 0
zsc0 channel 1: d_speed 9600 DCD clk 0 CTS clk 0
zstty1 at zsc0 channel 1
nubus0 at mainbus0
ae0 at nubus0 slot d: Farallon EtherWave Nubus, 64KB memory
ae0: Ethernet address 00:00:c5:30:11:2c
fpu0 at mainbus0 (mc68040)
scsibus0: waiting 2 seconds for devices to settle...
sd0 at scsibus0 target 0 lun 0: <COMPAQ, ST12550N, 3223> SCSI2 0/direct
fixed
sd0: 2006 MB, 2708 cyl, 19 head, 79 sec, 512 bytes/sect x 4110000 sectors
sd0: async, 8-bit transfers, tagged queueing
sd1 at scsibus0 target 1 lun 0: <COMPAQ, ST12550N, 3223> SCSI2 0/direct
fixed
sd1: 2006 MB, 2708 cyl, 19 head, 79 sec, 512 bytes/sect x 4110000 sectors
sd1: async, 8-bit transfers, tagged queueing
cd0 at scsibus0 target 3 lun 0: <MATSHITA, CD-ROM CR-8004, 1.1f> SCSI2
5/cdrom removable
cd0: async, 8-bit transfers
adb0 (direct, Cuda): 2 targets
aed0 at adb0 addr 0: ADB Event device
akbd0 at adb0 addr 2: extended keyboard
wskbd0 at akbd0 (mux ignored): console keyboard, using wsdisplay0
ams0 at adb0 addr 3: EMP mouse <KOIT> 1-button, 200 dpi
wsmouse0 at ams0 (mux ignored)
boot device: sd0
root on sd0a dumps on sd0b
root file system type: ffs
IP Filter: v3.4.29 initialized. Default = pass all, Logging = enabled
----------------------------------------------------------------------