Date:      Fri, 21 Oct 2005 08:24:31 +0200
From:      G Bryant <gbryant@roamingsolutions.net>
To:        Daemon <daemon@foxchat.net>, freebsd-ipfw@freebsd.org
Subject:   Re: ipfw firewall help
Message-ID:  <4358899F.1090505@roamingsolutions.net>
In-Reply-To: <435849B9.8040509@foxchat.net>
References:  <435849B9.8040509@foxchat.net>

Hi,
I found my rules worked best in this order:
(You will need to correct the syntax - just typed up the order for you 
quickly)

Deny spoofed
Allow localhost
Allow all from any to any via $iif
divert natd all from any to any in via $oif
#insert bandwidth shaping rules
skipto 5000 all from $iip to any out via $oif
#allow all from any to me in via $oif # if you want to receive traffic from internet to this box. Your decision if you need it.
deny all from any to any out
allow all from any to $iip in via $oif
#allow all from me to any out via $oif # traffic from this box out to the internet. Your decision if you need it.
deny all from any to any in
5000 nat all from any to any out via $oif
allow all from any to any out

This is a very "open" set of rules - your choice.
Hope this helps.
Regards,  Graham


Daemon wrote:

>I'm trying to build a firewall from scratch using man ipfw and what I
>can find on the net.  I'm doing bandwidth shaping and I'm not quite sure
>where it goes as far as rule numbers.  From what I can see, it matters
>and I'd like to do it right.  I'm using an OPEN firewall with NATD
>because I'm on cable broadband with a static IP.  Here is what I have.
>
>00010   52   2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
>00020    0      0 pipe 2 ip from any to 172.16.140.0/24 recv re0
>00050  274  24955 divert 8668 ip from any to any via re0
>00100   50   5642 allow ip from any to any via lo0
>00200    0      0 deny ip from any to 127.0.0.0/8
>00300    0      0 deny ip from 127.0.0.0/8 to any
>65535 4658 547779 allow ip from any to any
>
>The actual rule set for the bandwidth shaping is:
>
># Traffic Shaping.
># oif="re0"			# ${oif} Public Interface.
># iif="re1"			# ${iif} Internal nic.
># iip="172.16.140.0/24"		# ${iip}
>
>${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
>${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
>
>${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
>${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
>
>I've found lots of stuff on "how" to set it up but I can't seem to find
>anything on where the rules go.  Any help would be greatly appreciated.
>
>Regards,
>
>Mark

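The rule order from the reply above, written out in real ipfw syntax so it can be loaded as-is. This is an added example, not Graham's or Mark's own script: the interface names and the internal network are the ones quoted from Mark's post, while the rule numbers and the two anti-spoof rules are assumptions, and the reply's "nat ... out" at 5000 is done with a second natd divert. Two things the thread only hints at are made explicit. First, the pipes sit after the inbound divert and before the outbound one, so the src-ip/dst-ip masks of the pipes always see the internal addresses rather than the public one. Second, with the default net.inet.ip.fw.one_pass=1 a packet that has passed through a dummynet pipe is not run through the remaining rules, so pipes placed at 10 and 20 as in the quoted list would let shaped traffic skip every deny rule after them; the script sets one_pass=0 so shaped packets continue to the NAT and filter rules. By default every command is only echoed; set FWCMD=/sbin/ipfw and SYSCTL=/sbin/sysctl to load for real.

```shell
#!/bin/sh
# Added example, not the poster's script: Graham's rule order in ipfw syntax.
# Interface names and the internal network are quoted from Mark's post; the
# rule numbers and the anti-spoof rules are assumptions. Commands are only
# echoed unless FWCMD and SYSCTL point at the real binaries.
oif="re0"                 # public interface
iif="re1"                 # internal NIC
iip="172.16.140.0/24"     # internal network

fw() { ${FWCMD:-echo ipfw} "$@"; }
sc() { ${SYSCTL:-echo sysctl} "$@"; }

load_rules() {
    # Packets leaving a dummynet pipe must re-enter the ruleset, otherwise
    # the pipe rule acts as an accept and the NAT/deny rules below are skipped.
    sc net.inet.ip.fw.one_pass=0
    fw -f flush
    fw pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
    fw pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes

    # deny spoofed: nothing claiming the inside net or loopback may arrive
    # on the public interface
    fw add 100 deny ip from ${iip} to any in via ${oif}
    fw add 110 deny ip from 127.0.0.0/8 to any in via ${oif}
    # allow localhost, and keep loopback addresses off the wire
    fw add 200 allow ip from any to any via lo0
    fw add 210 deny ip from any to 127.0.0.0/8
    fw add 220 deny ip from 127.0.0.0/8 to any
    # allow all via the internal interface
    fw add 300 allow ip from any to any via ${iif}
    # inbound NAT first, so every later rule sees real inside addresses
    fw add 400 divert natd ip from any to any in via ${oif}
    # shaping goes here: after inbound NAT and before outbound NAT, so the
    # src-ip / dst-ip pipe masks always match on the internal addresses
    fw add 500 pipe 1 ip from ${iip} to any out via ${oif}
    fw add 510 pipe 2 ip from any to ${iip} in via ${oif}
    # inside -> outside jumps to the NAT block
    fw add 600 skipto 5000 ip from ${iip} to any out via ${oif}
    fw add 700 deny ip from any to any out
    fw add 800 allow ip from any to ${iip} in via ${oif}
    fw add 900 deny ip from any to any in
    # outbound NAT (the reply's "nat ... out", done with natd here)
    fw add 5000 divert natd ip from any to any out via ${oif}
    fw add 5010 allow ip from any to any out
}

# Dry-run check usable before loading: the pipes must sit after the inbound
# divert and before the outbound one. Returns 0 when the order is right.
check_order() {
    ( FWCMD="echo ipfw"; SYSCTL="echo sysctl"; load_rules ) | awk '
        /divert natd ip from any to any in /  { din = NR }
        /add [0-9]+ pipe /                    { if (!p1) p1 = NR; plast = NR }
        /divert natd ip from any to any out / { dout = NR }
        END { exit !(din && p1 && dout && din < p1 && plast < dout) }'
}

load_rules
```

Run it once without FWCMD set to review the rule list, then again as root with FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl; check_order can be called from rc scripts as a guard before loading.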