Firewall Rules

Support section for FREESCO v0.4.x

Postby rhzb66 » Tue Jan 13, 2009 4:55 pm

Hi All,
Till now I have run FreeSCO 0.3.4 successfully but plan to move to the 0.40 version soon.
My FreeSCO works as an internet access router for 4 separate LANs.

LAN1 = 192.168.1.0
LAN2 = 192.168.2.0
LAN3 = 192.168.3.0
LAN4 = 192.168.4.0

I would like to do some changes in the configuration to allow access from the Internet from a specific IP address to a specific internal IP address and ports.
e.g.
1. From external IP address 1.2.3.4 only to internal LAN1 IP address 192.168.1.10 using ports 1433, 5900.
2. From external IP address 2.3.4.5 only to internal LAN2 IP address 192.168.1.20 using ports 6502, 3389, 5900.
I will be very grateful for any suggestion, help and examples.
rhzb66
Newbie
 
Posts: 6
Joined: Mon Mar 06, 2006 6:11 am

Postby dilberts_left_nut » Tue Jan 13, 2009 7:42 pm

For a start, an external port can only be forwarded to ONE internal IP address, so you cannot port-forward external:5900 to the two internal machines.
You can, however, forward external:5900 to 192.168.1.10:5900 and external:5901 to 192.168.1.20:5900 (or whatever combination of external port numbers you like).

As for restricting access to only one external IP address, you should add some ipfwadm firewall rules to the firewall section of rc_user. Some good info on ipfwadm is available on this page: http://www.troutman.org/tech/linux_guides/firewall.html
Note that the "allow" rule for the specified IP address needs to be triggered before any general deny rules.
dilberts_left_nut
Member
 
Posts: 71
Joined: Thu Sep 02, 2004 8:25 am
Location: Christchurch, NZ

Postby rhzb66 » Mon Jan 26, 2009 7:36 am

and what about files such as:
-- cat /etc/portfw.cfg --
-- cat /etc/restrict.cfg --

I use the FreeSCO 0.3.4 version and my rc_user looks like this one.
Please give some example.

#!/bin/sh
case "$1" in
boot) # Setup devices.
;;
start) echo -n "Starting rc_user... "
# commands to run at start go here
;;
stop) echo -n "Stopping rc_user... "
# commands to run at stop go here
;;
restart) rc_user stop; rc_user start
;;
firewall) # ipfwadm -I -i deny -P tcp -W $INET -D 0/0 22 -o
;;
newip) # Execute commands when the router gets a new external IP
;;
status)
;;
esac

Postby Lightning » Mon Jan 26, 2009 10:26 pm

I use FreeSCO 0.3.4 version

There may be some confusion here. If you are using ANY 0.3.x version of FREESCO then you should make your posts in the 0.3.x support section. The reason for this is that the built-in commands and how to do things are different for different versions of FREESCO. In your specific case the use of ipfwadm commands is all the same. But the rest of the system is designed quite a bit differently and there are more options available in later versions.

As for your original question, you need to be VERY specific on exactly what IP addresses and ports you want to allow from each internal client and exactly what external IP addresses they can access. With that information I can probably give you the specific ipfwadm command lines you need to add and how to do it.

I would also like to point out that there are a LOT of newer versions of FREESCO available since 0.3.4

As a side note please do NOT spell FREESCO as "FreeSCO". We have absolutely nothing to do with any SCO system, FREESCO or Freesco are both fine.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 3047
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Postby rhzb66 » Tue Jan 27, 2009 3:18 am

Hi Lightning,
Very sorry to place this question in the FREESCO 0.4.x section instead of the 0.3.x support section, it was my mistake. Next time I will pay more attention to this, but let me finish this topic here.

I want to access internal PCs from the Internet for only these IP addresses, like below. As I mentioned before, my FREESCO has four subnets.
e.g.
217.153.10.10 access only 192.168.1.10 on port 5900
217.153.10.11 access only 192.168.1.10 on port 5900
217.153.10.19 access only 192.168.1.10 on port 6502

153.20.19.210 access only 192.168.2.10 on port 5900
153.20.19.110 access only 192.168.3.10 on port 5900


When I did it with port forwarding, I could only forward one port to one system.
So if I forward port 5900 to 192.168.1.10, I cannot forward the same port to another IP.

I tried to insert some rules in the firewall section of rc_user, but after a restart they did not give the expected results. So, please help me. Thanks in advance.

Postby Lightning » Tue Jan 27, 2009 3:57 am

Unfortunately what you are asking is not possible. You can only forward one external port to one internal IP address. However you can use different external ports to the same port internally to different IP addresses. So what you show as
217.153.10.10 access only 192.168.1.10 on port 5900
217.153.10.11 access only 192.168.2.10 on port 5900

Could be done by using external port 5900 to internal port 5900 to machine 192.168.1.10 and then another forward on external port 5901 to internal port 5900 to IP 192.168.2.10 and then external port 5902 to internal port 5900 to 192.168.3.10

This can be done with port forwarding like
edit /etc/portfw.cfg
tcp,5900,5900,192.168.1.10
tcp,6502,6502,192.168.1.10
tcp,5901,5900,192.168.2.10
tcp,5902,5900,192.168.3.10

cp /etc/portfw.cfg  /boot/etc/
rc_pfwd restart


As for blocking access to or from specific IP addresses that is just a matter of adding some firewall rules into the rc_user file like:
edit  /rc/rc_user
firewall)
   # accept the listed remote addresses first (rules are appended in order, so these are tried before the rejects)
   ipfwadm -I -a accept -P tcp -S 217.153.10.10 -D 0/0 5900
   ipfwadm -I -a accept -P tcp -S 217.153.10.11 -D 0/0 5900
   ipfwadm -I -a accept -P tcp -S 217.153.10.19 -D 0/0 6502
   ipfwadm -I -a accept -P tcp -S 153.20.19.210 -D 0/0 5901
   ipfwadm -I -a accept -P tcp -S 153.20.19.110 -D 0/0 5902
   # then reject everyone else on those forwarded ports
   ipfwadm -I -a reject -P tcp -D 0/0 5900
   ipfwadm -I -a reject -P tcp -D 0/0 5901
   ipfwadm -I -a reject -P tcp -D 0/0 5902
   ipfwadm -I -a reject -P tcp -D 0/0 6502
  ;;

rc_masq restart

At this point the only thing that has to be done is to change the access port the remote clients use to connect to the internal clients 192.168.2.10 and 192.168.3.10.

Be VERY aware that these rules are just off the top of my head and I have not tested them in any way and I sometimes make grammatical errors :rolleyes:
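As an added example (not from this thread or from FREESCO itself), the following POSIX shell script generates both pieces of the configuration described in the reply above from a single allow-list: the /etc/portfw.cfg lines and the ipfwadm rules for the firewall) section of rc_user. It also refuses an allow-list that maps one external port to two internal hosts, which is the limitation the reply explains. The allow-list entries are constructed from the addresses used in the thread; the list format and the function names are this example's own.

```shell
# Added example, not from the thread or from FREESCO: build /etc/portfw.cfg
# lines and rc_user "firewall)" ipfwadm rules from one allow-list, and refuse
# the list when one external port is mapped to two internal hosts.
#
# Allow-list format (constructed for this example), one entry per line:
#   <remote source IP> <external port> <internal IP> <internal port>
ALLOW_LIST='217.153.10.10 5900 192.168.1.10 5900
217.153.10.11 5900 192.168.1.10 5900
217.153.10.19 6502 192.168.1.10 6502
153.20.19.210 5901 192.168.2.10 5900
153.20.19.110 5902 192.168.3.10 5900'

# A conflicting list (constructed): external 5900 claimed by two internal hosts.
BAD_LIST='217.153.10.10 5900 192.168.1.10 5900
153.20.19.210 5900 192.168.2.10 5900'

# check_portfw <list>: exit 0 if every external port maps to exactly one
# internal IP:port, otherwise print the offending port and exit 1.
check_portfw() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        { key = $3 ":" $4
          if (($2 in target) && target[$2] != key) {
              print "conflict: external port " $2 " already forwarded to " target[$2]
              bad = 1
          }
          target[$2] = key }
        END { exit bad }'
}

# gen_portfw <list>: one "tcp,<ext port>,<int port>,<int ip>" line per
# distinct external port, in first-seen order.
gen_portfw() {
    printf '%s\n' "$1" | awk '!seen[$2]++ { printf "tcp,%s,%s,%s\n", $2, $4, $3 }'
}

# gen_firewall <list>: the ipfwadm input rules. All accepts are emitted before
# the rejects; since each rule is appended (-a), the kernel tries them in this
# order, so a trusted source is accepted before the catch-all reject is reached.
gen_firewall() {
    printf '%s\n' "$1" | awk '
        { printf "ipfwadm -I -a accept -P tcp -S %s -D 0/0 %s\n", $1, $2
          if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 } }
        END { for (i = 1; i <= n; i++)
                  printf "ipfwadm -I -a reject -P tcp -D 0/0 %s\n", order[i] }'
}

# Demo: print both fragments for the good list, then show the conflict check.
if check_portfw "$ALLOW_LIST"; then
    echo "# /etc/portfw.cfg"
    gen_portfw "$ALLOW_LIST"
    echo
    echo "# rc_user, inside the firewall) section"
    gen_firewall "$ALLOW_LIST"
fi
echo
check_portfw "$BAD_LIST" || echo "BAD_LIST rejected"
```

The output of gen_portfw is what you would paste into /etc/portfw.cfg (and copy to /boot/etc/ as the reply says), and the output of gen_firewall goes into the firewall) case of rc_user; the script deliberately emits every accept before any reject, so the ordering caveat from the earlier reply is enforced rather than remembered.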

Postby rhzb66 » Tue Jan 27, 2009 5:41 am

So, port forwarding is working well, but the firewall rules do not; I can log in from all internet IPs?

I tried:
firewall) # ipfwadm -I -i deny -P tcp -W $INET -D 0/0 22 -o
ipfwadm -I -a accept -P tcp -S 217.153.10.11/32 -D 192.168.2.10/32 5902
ipfwadm -I -a deny -P tcp -S 0/0 -D 192.168.2.10/32 5902

Any idea ?

Postby Lightning » Tue Jan 27, 2009 8:49 pm

I have just tested the rules as shown using port forwarding and multiple external IP addresses and they work as they should. So my first conclusions are one of these things. Either the client you are using is using some other type of packet than just tcp, which it should be using. Or there is possibly a typo in what you have entered into the rc_user file. Or the method you are using to test it is not working correctly. Or somehow the client uses different ports, though using port forwarding pretty much eliminates that as a possibility.

As for your rules, you should not use one of your internal IP addresses for an input firewall rule, because it won't work as you are wanting it to.

If you want you can add a "-o" without the quotes on the end of each firewall rule and that will show on screen 3 each time that firewall rule is used. I would not leave it that way, but it is good for testing purposes.

If it is still not working please attach your /pkg/rc/rc_user file for us to look at for any grammatical errors. You may need to add a .txt extension to it so it will attach (maybe).
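The reply above makes two points that decide whether such rules work: the first matching rule wins, so an accept for a trusted source must come before the catch-all reject; and an input (-I) rule is checked on the packet as it arrives on the external interface, before port forwarding rewrites it, so a rule whose -D is the LAN host never matches. The following toy evaluator is an added example (not from the thread, not FREESCO code, and not a real ipfwadm) that models exactly that first-match behaviour for rules in the syntax used in this thread. The router's public address 203.0.113.1 is a constructed value, only -S, -D [port] and -a/-i are interpreted, and it assumes the destination seen by the input chain is the router's own external address, as the reply states.

```shell
# Added example, not from the thread or from FREESCO: a first-match simulator
# for ipfwadm input (-I) rules as written in rc_user. It understands
#   ipfwadm -I -a|-i <accept|reject|deny> -P tcp [-S ip[/32]] [-D ip[/32] [port]] ...
# and treats every other option as irrelevant. The router's external address
# below is a constructed (documentation-range) value.
ROUTER_IP=203.0.113.1

# addr_ok <spec> <ip>: true if spec (an address, address/32 or 0/0) covers ip
addr_ok() {
    case "$1" in
        0/0|0.0.0.0/0|"$2"|"$2/32") return 0 ;;
        *) return 1 ;;
    esac
}

# verdict <rules> <source ip> <destination port>
# Prints accept/reject/deny from the first matching rule, or "nomatch".
# Modelled assumption: the input chain sees the packet before port forwarding,
# so the destination compared against -D is the router's own external address.
verdict() {
    src=$2; port=$3
    result=$(printf '%s\n' "$1" | while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line
        action=""; sspec="0/0"; dspec="0/0"; dport=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -a|-i) action=$2; shift ;;
                -S) sspec=$2; shift ;;
                -D) dspec=$2; shift
                    case "${2:-}" in ''|-*) ;; *) dport=$2; shift ;; esac ;;
            esac
            shift
        done
        [ -n "$action" ] || continue
        addr_ok "$sspec" "$src" || continue
        addr_ok "$dspec" "$ROUTER_IP" || continue   # pre-forward destination
        [ -z "$dport" ] || [ "$dport" = "$port" ] || continue
        echo "$action"
        break                                       # first match decides
    done)
    echo "${result:-nomatch}"
}

# Rules in the order Lightning gave them: accepts first, then rejects.
GOOD_RULES='ipfwadm -I -a accept -P tcp -S 217.153.10.10 -D 0/0 5900
ipfwadm -I -a accept -P tcp -S 153.20.19.210 -D 0/0 5901
ipfwadm -I -a reject -P tcp -D 0/0 5900
ipfwadm -I -a reject -P tcp -D 0/0 5901'

# Same rules with the catch-all reject first: the accept is never reached.
BAD_ORDER='ipfwadm -I -a reject -P tcp -D 0/0 5900
ipfwadm -I -a accept -P tcp -S 217.153.10.10 -D 0/0 5900'

# The attempt from the question: -D names the LAN host, which the input chain
# never sees as destination, so neither rule matches anything.
LAN_DEST='ipfwadm -I -a accept -P tcp -S 217.153.10.11/32 -D 192.168.2.10/32 5902
ipfwadm -I -a deny -P tcp -S 0/0 -D 192.168.2.10/32 5902'

echo "trusted source, good order:  $(verdict "$GOOD_RULES" 217.153.10.10 5900)"
echo "other source,   good order:  $(verdict "$GOOD_RULES" 198.51.100.7 5900)"
echo "trusted source, bad order:   $(verdict "$BAD_ORDER" 217.153.10.10 5900)"
echo "trusted source, LAN dest:    $(verdict "$LAN_DEST" 217.153.10.11 5902)"
```

The last case is the one the reply warns about: with the LAN address as -D, the trusted source gets "nomatch" rather than "accept", which on a real router means the traffic falls through to whatever default policy or later rules exist, which is why the user saw no effect from those two lines.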

Postby rhzb66 » Wed Feb 11, 2009 2:19 am

Hi all and sorry for delay,
Finally it works, but after a FREESCO restart, not after an rc_user restart; in the meantime one expert explained to me that I have to do rc_masq restart after adding new firewall rules to the rc_user file. That works too.
Thank you for all suggestions and help.
Roni
