Date: Thu, 29 Mar 2001 20:01:30 -0800 From: Chip Wiegand <chip@wiegand.org> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: IPFW rules problem Message-ID: <20010329200130.1f844009.chip@wiegand.org>
next in thread | raw e-mail | index | archive | help
I have used Greg Lehey's book, the chapter on firewalls, to set up my
firewall. I basically copied his firewall rules to my machine, figured
that'd be a good place to learn from. Anyway, now that I have done that
I get the following error when doing ipfw show -
-----------------------------------------------------
Flushed all rules.
00000 divert 8668 ip from any to any via xl1
00000 allow ip from any to any
[: missing ]
[: missing ]
[: missing ]
-----------------------------------------------------
I cannot for the life of me find where to put the missing :'s. I have
included the rc.firewall file, maybe someone with sharper eyes than mine
can tell me where the missing :'s belong -
-----------------------------------------------------
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via xl1
/sbin/ipfw add pass all from any to any
# Allow everything in and out, completely wide open
if [ "${firewall}" = "open"]; then
/sbin/ipfw add 65000 pass all from any to any
# A reasonably secure firewall
# services to the net
elif [ "${firewall}" = "client"]; then
net = "192.168.1.0"
mask = "255.255.255.0"
ip = "192.168.1.10"
# Allow any traffic to or from my own network.
/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
/sbin/ipfw add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
/sbin/ipfw add pass tcp from any to any established
# Allow setup of incoming mail
/sbin/ipfw add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
/sbin/ipfw add pass tcp from ${ip} to any setup
# Do not allow setup of any other TCP connections
/sbin/ipfw add deny tcp from any to any setup
# Allow DNS queries out on the net
/sbin/ipfw add pass udp from any 53 to ${ip}
/sbin/ipfw add pass udp from ${ip} to any 53
# Allow NTP (Network Time Protocol) queries out on the net
/sbin/ipfw add pass udp from any 123 to ${ip}
/sbin/ipfw add pass udp form ${ip} to any 123
# Everything else is denied by default
elif [ "${firewall}" = "simple" ]; then
oif = "xl1"
onet = "208.194.173.0"
omask = "255.255.255.128"
oip = "208.194.173.26"
iif = "xl0"
inet = "192.168.1.0"
imask = "255.255.255.0"
iip = "192.168.1.10"
# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
# RFC1918 networks are the private, unroutable nets
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
# Allow TCP through if it is established
/sbin/ipfw add pass tcp from any to any established
# Allow setup of incoming email
/sbin/ipfw add pass tcp from any to ${oip} 25 setup
# Reject and Log all setup of incoming connections from the outside
/sbin/ipfw add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
/sbin/ipfw add pass tcp from any to any setup
# Allow DNS queries out in the world
/sbin/ipfw add pass udp from any 53 to ${oip}
/sbin/ipfw add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
/sbin/ipfw add pass udp from any 123 to ${oip}
/sbin/ipfw add pass udp from ${oip} to any 123
# Everything else is denied by default
elif [ "${firewall}" != "none" -a -r "${firewall}"]; then
/sbin/ipfw ${firewall}
fi
---------------------------------------------------------
--
Chip Wiegand
Alternative Operating Systems
www.wiegand.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010329200130.1f844009.chip>