Date:      Thu, 29 Mar 2001 23:05:38 -0500
From:      "Christian S." <cschreiber@netrail.net>
To:        "Chip Wiegand" <chip@wiegand.org>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   RE: IPFW rules problem
Message-ID:  <MPEGJCJPPBKNCNBGOHGDCEKECPAA.cschreiber@netrail.net>
In-Reply-To: <20010329200130.1f844009.chip@wiegand.org>


I dunno if it helps, but I always use my rules in the
xxx.xxx.xxx.xxx/yy notation for network/netmask rather than
xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I
use.. Just an idea.. :/

Christian

"...we have only twice as many genes as a fruit fly, or roughly the
same number as an ear of corn, about 30,000."
Ergo, we are all corn.


-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Chip Wiegand
Sent: Thursday, March 29, 2001 11:02 PM
To: FreeBSD Questions
Subject: IPFW rules problem


I have used Greg Lehey's book, the chapter on firewalls, to set up my
firewall. I basically copied his firewall rules to my machine, figured
that'd be a good place to learn from. Anyway, now that I have done that
I get the following error when doing ipfw show -
-----------------------------------------------------
Flushed all rules.
00000 divert 8668 ip from any to any via xl1
00000 allow ip from any to any
[: missing ]
[: missing ]
[: missing ]
-----------------------------------------------------

I cannot for the life of me find where to put the missing :'s. I have
included the rc.firewall file, maybe someone with sharper eyes than mine
can tell me where the missing :'s belong -
-----------------------------------------------------

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via xl1
/sbin/ipfw add pass all from any to any

# Allow everything in and out, completely wide open
if [ "${firewall}" = "open"]; then
	/sbin/ipfw add 65000 pass all from any to any
# A reasonably secure firewall
# services to the net
elif [ "${firewall}" = "client"]; then
	# sh assignments take no spaces around "="
	net="192.168.1.0"
	mask="255.255.255.0"
	ip="192.168.1.10"

# Allow any traffic to or from my own network.
/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

# Allow TCP through if setup succeeded
/sbin/ipfw add pass tcp from any to any established

# Allow setup of incoming mail
/sbin/ipfw add pass tcp from any to ${ip} 25 setup

# Allow setup of outgoing TCP connections only
/sbin/ipfw add pass tcp from ${ip} to any setup

# Do not allow setup of any other TCP connections
/sbin/ipfw add deny tcp from any to any setup

# Allow DNS queries out on the net
/sbin/ipfw add pass udp from any 53 to ${ip}
/sbin/ipfw add pass udp from ${ip} to any 53

# Allow NTP (Network Time Protocol) queries out on the net
/sbin/ipfw add pass udp from any 123 to ${ip}
/sbin/ipfw add pass udp from ${ip} to any 123

# Everything else is denied by default

elif [ "${firewall}" = "simple" ]; then
	# sh assignments take no spaces around "="
	oif="xl1"
	onet="208.194.173.0"
	omask="255.255.255.128"
	oip="208.194.173.26"

	iif="xl0"
	inet="192.168.1.0"
	imask="255.255.255.0"
	iip="192.168.1.10"

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
# RFC1918 networks are the private, unroutable nets
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

# Allow TCP through if it is established
/sbin/ipfw add pass tcp from any to any established

# Allow setup of incoming email
/sbin/ipfw add pass tcp from any to ${oip} 25 setup

# Reject and Log all setup of incoming connections from the outside
/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
/sbin/ipfw add pass tcp from any to any setup

# Allow DNS queries out in the world
/sbin/ipfw add pass udp from any 53 to ${oip}
/sbin/ipfw add pass udp from ${oip} to any 53

# Allow NTP queries out in the world
/sbin/ipfw add pass udp from any 123 to ${oip}
/sbin/ipfw add pass udp from ${oip} to any 123

# Everything else is denied by default

elif [ "${firewall}" != "none" -a -r "${firewall}"]; then
	/sbin/ipfw ${firewall}

fi
---------------------------------------------------------


--
Chip Wiegand
Alternative Operating Systems
www.wiegand.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

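The /yy notation Christian suggests, worked through as an added example that is not part of either message: a POSIX sh helper (the function names are my own, not ipfw's) that turns the net:mask pairs from Chip's rc.firewall into net/prefix form and rejects a mask that is not a contiguous run of one-bits.

```shell
#!/bin/sh
# Added example: convert the net:mask pairs from the posted rc.firewall
# into the net/prefix form. Function names are mine, not ipfw's.

# mask_to_prefix MASK: print the prefix length of a dotted-quad netmask.
# Returns 1 and prints nothing for a malformed or non-contiguous mask
# such as 255.0.255.0, which the :mask spelling would pass along unchecked.
mask_to_prefix() {
    _bits=0 _zero_seen=0
    _oldifs=$IFS; IFS=.
    set -- $1              # split MASK on dots into $1..$4
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
        _i=7
        while [ $_i -ge 0 ]; do
            if [ $(( ($_octet >> $_i) & 1 )) -eq 1 ]; then
                # a one-bit after a zero-bit means the mask is not contiguous
                [ $_zero_seen -eq 0 ] || return 1
                _bits=$(($_bits + 1))
            else
                _zero_seen=1
            fi
            _i=$(($_i - 1))
        done
    done
    echo "$_bits"
}

# to_cidr NET MASK: print NET/PREFIX, e.g. 192.168.1.0/24.
to_cidr() {
    _p=$(mask_to_prefix "$2") || return 1
    echo "$1/$_p"
}

# Constructed usage: the network/netmask pairs that appear in the posted script.
for _pair in 192.168.1.0:255.255.255.0 208.194.173.0:255.255.255.128 \
             192.168.0.0:255.255.0.0 172.16.0.0:255.240.0.0 10.0.0.0:255.0.0.0; do
    to_cidr "${_pair%:*}" "${_pair#*:}"
done
```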