Differences

This shows you the differences between two versions of the page.


computers:truenas:gateway [01-Nov-2021 13:58] – [Configure the Firewall] Steve Joynt
computers:truenas:gateway [02-Feb-2025 16:14] (current) – external edit 127.0.0.1
Line 40: Line 40:
  
 ====== Preparing the Gateway Jail ====== ====== Preparing the Gateway Jail ======
 +
 +> IMPORTANT! 
 +> What follows is a work in progress.
 +> Some of this may be inaccurate or just plain wrong.
 +> Use these examples at your own risk, and only if you understand what's going on.
  
 1. Log in to your TrueNAS server as root using SSH or the Shell option of the TrueNAS Web Portal. 1. Log in to your TrueNAS server as root using SSH or the Shell option of the TrueNAS Web Portal.
Line 60: Line 65:
 </code> </code>
  
-====== Configure the Firewall ====== 
  
-This is just a basic configuration, allowing all devices on the network to communicate with each other. You may want to add some extra rules of your own.+====== Configure NAT ======
  
 <code> <code>
  
-jexec "ioc-${JAIL_NAME:?}" +jexec "ioc-${JAIL_NAME:?}" mkdir -p "${NAT_CONF%/*}"
-  mkdir -p "${FIREWALL_CONF%/*}"+
  
-jexec "ioc-${JAIL_NAME:?}" /bin/sh -c +jexec "ioc-${JAIL_NAME:?}" /bin/sh -c "cat >| ${NAT_CONF:?}" <<END
-"cat >| ${FIREWALL_CONF:?}" +
-<<END+
  
-# be quiet and flush all rules on start +use_sockets yes 
--q flush+same_ports yes
  
-# allow local traffic, deny RFC 1918 addresses on the outside +END
-add 00100 allow ip from any to any via lo0 +
-add 00110 deny ip from any to 127.0.0.0/+
-add 00120 deny ip from any to any not verrevpath in +
-add 00301 deny ip from 10.0.0.0/8 to any in via ${PUBLIC_INTERFACE:?+
-add 00302 deny ip from 172.16.0.0/12 to any in via ${PUBLIC_INTERFACE:?+
-add 00303 deny ip from 192.168.0.0/16 to any in via ${PUBLIC_INTERFACE:?}+
  
-check if incoming packets belong to a natted session, allow through if yes +public gateway interface needs nat 
-add 01000 divert natd ip from any to me in via ${PUBLIC_INTERFACE:?} +jexec "ioc-${JAIL_NAME:?}" sysrc natd_interface="${PUBLIC_INTERFACE:?}"
-add 01001 check-state+
  
-allow some traffic from the local net to the router +extra settings for nat are in the file we defined above 
-# SSH +jexec "ioc-${JAIL_NAME:?}" sysrc natd_flags="-${NAT_CONF:?}"
-add 04000 allow tcp from ${LAN_NETWORK:?} to me dst-port 22 in via ${LAN_INTERFACE:?} setup keep-state +
-# ICMP +
-add 04001 allow icmp from ${LAN_NETWORK:?} to me in via ${LAN_INTERFACE:?+
-# NTP +
-add 04002 allow tcp from ${LAN_NETWORK:?} to me dst-port 123 in via ${LAN_INTERFACE:?} setup keep-state +
-add 04003 allow udp from ${LAN_NETWORK:?} to me dst-port 123 in via ${LAN_INTERFACE:?} keep-state +
-# DNS +
-add 04006 allow udp from ${LAN_NETWORK:?} to me dst-port 53 in via ${LAN_INTERFACE:?+
-# DHCP +
-add 04007 allow udp from any to any dst-port 67 in via ${LAN_INTERFACE:?}+
  
-# drop everything else +</code>
-add 04009 deny ip from ${LAN_NETWORK:?} to me+
  
-# pass outgoing packets (to be natted) on to special NAT rule +====== Configure Simple Firewall ======
-add 04109 skipto 61000 ip from ${LAN_NETWORK:?} to any in via ${LAN_INTERFACE:?} keep-state+
  
-# allow all outgoing traffic from the router (maybe you should be more restrictive) +> IMPORTANT! 
-add 05010 allow ip from me to any out keep-state +> This firewall does not filter any trafficIt allows anything to talk to anything
- +> At this stage I just want to trigger NAT as appropriate to allow hosts on different networks to communicate. 
-# Drop everything that has come so far. +> The "real" firewall is provided by my Internet router (which blocks all incoming requests)not this configuration. 
-# This means it doesn't belong to an established connection+> If your TrueNAS box connects directly to the Internet, DO NOT USE THIS EXAMPLE !!!
-# Don't log the most noisy scans. +
-add 59998 deny icmp from any to me +
-add 59999 deny ip from any to me dst-port 135,137-139,445,4665 +
-add 60000 deny log tcp from any to any established +
-add 60000 deny log ip from any to any +
- +
-# this is the NAT rule. Only outgoing packets from the local net will come here. +
-# First, nat them, then pass them on (againyou may choose to be more restrictive) +
-add 61000 divert natd ip from ${LAN_NETWORK:?to any out via ${PUBLIC_INTERFACE:?+
-add 61001 allow ip from any to any +
- +
-END +
- +
-</code> +
- +
-====== Configure NAT ======+
  
 <code> <code>
  
-jexec "ioc-${JAIL_NAME:?}" \ +# use the standard firewall template called "open" 
-  mkdir -p "${NAT_CONF%/*}"+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_script="/etc/rc.firewall" 
 +jexec "ioc-${JAIL_NAME:?}" sysrc firewall_type="open"
  
-jexec "ioc-${JAIL_NAME:?}" /bin/sh -c \ +# log more while testing, or be quiet in normal operation? 
-"cat >| ${NAT_CONF:?}+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_quiet="YES"
-<<END +
- +
-unregistered_only +
-interface ${PUBLIC_INTERFACE:?+
-use_sockets +
-dynamic +
-# dyamically open fw for ftp, irc +
-# punch_fw 2000:50 +
- +
-END+
  
 </code> </code>
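Review bot: switching to `sysrc firewall_type="open"` drops more than the filtering the IMPORTANT box says it gives up. The removed `FIREWALL_CONF` ruleset also carried the loopback and `verrevpath` anti-spoofing checks, the RFC 1918 ingress denies on `${PUBLIC_INTERFACE}` (rules 00301-00303) and the per-service allowlist from `${LAN_NETWORK}` to `me` (rules 04000-04009); with the `open` template every LAN host can reach every service on the gateway jail, and the box should say so rather than only warning about Internet-facing use. The new `NAT_CONF` also loses `unregistered_only`, so natd will now translate any source address it sees leaving `${PUBLIC_INTERFACE}`, not just private ones; putting `unregistered_only yes` back alongside `use_sockets yes` and `same_ports yes` costs nothing and limits NAT to RFC 1918 sources. Two smaller things: the right-hand `sysrc natd_flags="-${NAT_CONF:?}"` has lost the `f` of `-f` that the removed `natd_flags="-f ${NAT_CONF:?}"` had, and if that is the real text and not diff rendering natd will never read the config file; and the comment "log more while testing, or be quiet in normal operation?" now sits over `firewall_quiet="YES"` with a template that has no `log` rules at all, so it no longer applies. Since the whole design now relies on the template inserting the `divert natd` rule on `${PUBLIC_INTERFACE}` (the explicit rules 01000 and 61000 are gone), show the reader the check: `jexec "ioc-${JAIL_NAME:?}" ipfw list` after start should contain a `divert natd ... via ${PUBLIC_INTERFACE}` rule, and if it does not, NAT is silently not happening.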
Line 154: Line 111:
  
 # enable IP forwarding # enable IP forwarding
-jexec "ioc-${JAIL_NAME:?}" +jexec "ioc-${JAIL_NAME:?}" sysrc gateway_enable="YES"
-  sysrc gateway_enable="YES" +
-   +
-# enable firewall +
-jexec "ioc-${JAIL_NAME:?}"+
-  sysrc firewall_enable="YES"+
  
-name of firewall config +enable the firewall service (aka ipfw) 
-jexec "ioc-${JAIL_NAME:?}" +jexec "ioc-${JAIL_NAME:?}" sysrc firewall_enable="YES"
-  sysrc firewall_type="${FIREWALL_CONF:?}" +
- +
-# log more while testing, or be quiet in normal operation? +
-jexec "ioc-${JAIL_NAME:?}"+
-  sysrc firewall_quiet="YES"+
  
 # enable the NAT service # enable the NAT service
-jexec "ioc-${JAIL_NAME:?}" +jexec "ioc-${JAIL_NAME:?}" sysrc natd_enable="YES"
-  sysrc natd_enable="YES+
- +
-# public gateway needs nat +
-jexec "ioc-${JAIL_NAME:?}"+
-  sysrc natd_interface="${PUBLIC_INTERFACE:?}" +
- +
-# extra settings for nat +
-jexec "ioc-${JAIL_NAME:?}"+
-  sysrc natd_flags="-f ${NAT_CONF:?}"+
  
 # start the firewall & natd   # start the firewall & natd  
-jexec "ioc-${JAIL_NAME:?}" +jexec "ioc-${JAIL_NAME:?}" service ipfw start
-  service ipfw start+
  
 </code> </code>
 +
 +====== Firewall and Debugging Logs ======
 +
 +If you've turned on any logging for the ipfw service or natd, the output can be seen on the TrueNAS server OUTSIDE THE JAIL in this file...
 +<code>/var/log/security</code>
  
 ====== Credits ====== ====== Credits ======
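Review bot: `sysrc gateway_enable="YES"` only writes rc.conf; nothing in this hunk applies forwarding to the running jail, and the closing `service ipfw start` does not touch it either, so until the jail is restarted `net.inet.ip.forwarding` stays at 0 and hosts behind the gateway get no forwarded replies even though ipfw and natd are up. Add `jexec "ioc-${JAIL_NAME:?}" sysctl net.inet.ip.forwarding=1` right after the `gateway_enable` line and show `sysctl net.inet.ip.forwarding` as the check. The comment `# start the firewall & natd` is followed by `service ipfw start` alone; either add `jexec "ioc-${JAIL_NAME:?}" service natd start` or state in the comment that the ipfw rc script brings natd up when `natd_enable` is set, so the reader is not left to guess which one is meant, and suggest `ps ax | grep natd` as the way to confirm it. In the new "Firewall and Debugging Logs" section it is worth saying that the `open` template installs no `log` rules, so `/var/log/security` on the host will only show something once the reader adds their own logging rules or natd verbosity.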
Line 195: Line 137:
   * [[https://www.freebsd.org/cgi/man.cgi?natd]]   * [[https://www.freebsd.org/cgi/man.cgi?natd]]
   * [[https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-ipfw-firewall-on-freebsd/]]   * [[https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-ipfw-firewall-on-freebsd/]]
 +  * [[https://www.asksaro.com/freebsd/setting-up-a-network-gateway-using-ipfw-and-natd/]]
 +
  
  • computers/truenas/gateway.1635775117.txt.gz
  • Last modified: 02-Feb-2025 16:12
  • (external edit)