IPFW Give Internet access to the lan

Hello BSD users,

the title has surely been seen before. I put FreeBSD on my main computer. Mostly good, I succeeded in protecting my gateway with Ipfw. All ports are closed and stealthed. My gateway communicates perfectly with my LAN, and all the others with each other. I use Hostapd, Dnsmasq and Samba plus Vsftpd. I have a problem. My LAN cannot access the Internet. With my actual Ipfw rules I feel very well protected, but only the gateway can access the Internet.

I truncated the Workstation rules, but trying to add the Open rules results in unstealthing my ports. I want to be dead on the Internet. I have been hacked once because I reversed the Ethernet cables of two cards. I don't want to repeat that. I show you my actual rules taken from rc.conf. If you can tell me what I must change to give Internet access to my LAN and keep 100% well protected, I'll be happy.
Code:
# Firewall
# firewall_allowservices=""
firewall_enable="YES"
firewall_logdeny="YES"
firewall_logging="YES"
# firewall_myservices=""
firewall_nat_enable="YES"
firewall_nat_interface="eth0"
firewall_quiet="YES"
firewall_script="/etc/paul.conf"
firewall_trusted="192.168.xxx.xxx/24 192.168.xxx.xxx/24 192.168.xxx.xxx/24"
# firewall_type="open"
gateway_enable="YES"
ipnat_enable="NO"
natd_enable="NO"
natd_interface="eth0"
 
I was forgetting
Code:
cat /mnt/bsd/etc/paul.conf
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00200 check-state :default
ipfw -q add 00300 allow tcp from me to any established
ipfw -q add 00400 allow tcp from me to any setup keep-state :default
ipfw -q add 00500 allow udp from me to any keep-state :default
ipfw -q add 00600 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw -q add 00700 allow udp from any 67 to me 68 in
ipfw -q add 00800 allow udp from any 67 to 255.255.255.255 68 in
ipfw -q add 00900 allow udp from fe80::/10 to me 546 in
ipfw -q add 01000 allow ip from 192.168.xxx.xxx/24 to me
ipfw -q add 01100 allow ip from 192.168.xxx.xxx/24 to me
ipfw -q add 01200 count ip from any to any
ipfw -q add 01300 allow log icmp from me to any
ipfw -q add 01400 allow log icmp from 192.168.xxx.xxx/24 to me via eth1
ipfw -q add 01500 allow log icmp from 192.168.xxx.xxx/24 to me via wlan0
 
Code:
[LAN] --- [Your FreeBSD computer, 2 NICs] --- [Internet/Gateway]

I think that is what you are describing. You need to enable forwarding, and firewall rules to suit. I have not done this with FreeBSD so I cannot help, but this might help other people tell you what you need.
 
This is similar to "Internet Connection Sharing" on Windows and works via NAT (Network Address Translation). The handbook is in a bit of a mess these days but I found a link to an older release.

https://docs.freebsd.org/doc/6.1-RELEASE/usr/share/doc/handbook/network-natd.html
https://docs.freebsd.org/doc/7.4-RELEASE/usr/share/doc/handbook/network-natd.html

This should be a fairly decent guide to get you started. That said, it looks like you are pretty much there already.

For some extra protection, have you considered only running a SOCKS or HTTP proxy on your FreeBSD gateway? I tend to do this in front of Windows or macOS machines because they can't be trusted with full internet access. Check out sshd to make a simple SOCKS proxy, or Squid or tinyproxy for an HTTP proxy.

Perhaps also check out https://download.freebsd.org/doc/en/books/handbook/handbook_en.pdf on page 793.
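The NAT setup described above, as an added example script that is not from the thread or from anyone in it: it uses ipfw's in-kernel nat instead of natd, keeps the original poster's goal of answering nothing unsolicited on the WAN, and lets LAN hosts out through stateful rules. It assumes the ipfw_nat module is available, and the interface names em0/em1 and the network 192.168.1.0/24 are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not the thread's own rules: ipfw in-kernel NAT so LAN hosts
# can reach the Internet while unsolicited WAN traffic is still dropped.
# Interface names and the LAN network below are constructed placeholders.
FWCMD="${FWCMD:-/sbin/ipfw -q}"

# Emit the ruleset. Args: WAN interface, LAN interface, LAN network.
ipfw_lan_nat_rules() {
    ext_if="$1"; lan_if="$2"; lan_net="$3"
    $FWCMD -f flush
    $FWCMD nat 1 config if "$ext_if" reset same_ports
    $FWCMD add 00100 allow ip from any to any via lo0
    $FWCMD add 00200 deny ip from any to 127.0.0.0/8
    # Un-NAT return traffic first so check-state can match the LAN host's flow
    $FWCMD add 00300 nat 1 ip from any to any in recv "$ext_if"
    $FWCMD add 00400 check-state
    # LAN hosts may use the gateway's own services (dnsmasq, samba, vsftpd)
    $FWCMD add 00500 allow ip from "$lan_net" to me in recv "$lan_if"
    # Only the LAN and the gateway itself open new flows; the state matches both directions
    $FWCMD add 00600 skipto 1000 ip from "$lan_net" to any in recv "$lan_if" keep-state
    $FWCMD add 00700 skipto 1000 ip from me to any out xmit "$ext_if" keep-state
    # DHCP replies for the gateway's own WAN address
    $FWCMD add 00800 allow udp from any 67 to any 68 in recv "$ext_if"
    # Everything else arriving on the WAN is logged (needs firewall_logging) and dropped
    $FWCMD add 00900 deny log ip from any to any in recv "$ext_if"
    # Outbound path: rewrite the source to the WAN address, then let it go
    $FWCMD add 01000 nat 1 ip from any to any out xmit "$ext_if"
    $FWCMD add 01100 allow ip from any to any
}

# Load the NAT module, enable forwarding, and let packets continue after a nat action
ipfw_lan_nat_apply() {
    kldload -n ipfw_nat
    sysctl net.inet.ip.forwarding=1 >/dev/null
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null
    ipfw_lan_nat_rules "${EXT_IF:-em0}" "${LAN_IF:-em1}" "${LAN_NET:-192.168.1.0/24}"
}

# "show" prints the rules without loading them; "apply" loads them (run as root).
case "${1:-}" in
    show)  FWCMD=echo; ipfw_lan_nat_rules "${EXT_IF:-em0}" "${LAN_IF:-em1}" "${LAN_NET:-192.168.1.0/24}" ;;
    apply) ipfw_lan_nat_apply ;;
esac
```

Point firewall_script at the file (or call it from your existing script) and review the output of `sh ipfw-nat.sh show` before loading it; the rule numbers leave room for the ICMP and IPv6 rules from the original set.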
 
I'm surprised information for this would need to be pulled from such old docs. Aren't the PFSense guys doing this all the time?
 
Yes and pf has a different syntax.
nat on $ext_if from $localnet to any -> ($ext_if)
I would get NAT working first, then add on rules. Don't try to do too much at a time; it makes it easier to back out.
 
Hello,
if I use the open rules of Ipfw, all the LAN can access the Internet, at the price of having many ports open to the Internet. So, I keep my personal rules, which protect me well against open-port probes and pings from the WAN. I turn to Squid, which gives the LAN access to the Internet and does not touch the stealthed ports of my Ipfw rules. Thanks for the hints, kpedersen.
 