Date: Wed, 03 Sep 2003 14:24:39 +0200
From: Arvinn Lokkebakken <arvinn@sandakerveien.net>
To: freebsd-questions@freebsd.org
Subject: Re: ipfw with four interfaces
Message-ID: <3F55DD87.4010601@sandakerveien.net>
In-Reply-To: <046f01c370d1$9eff8ed0$0201a8c0@dredster>
References: <4438.212.71.64.140.1062415470.squirrel@webmail.sandakeronline.com> <046f01c370d1$9eff8ed0$0201a8c0@dredster>
> Try having the very first rule divert ip from any to any to natd. Then
> you can configure NATD to only affect RFC1918 packets by adding a -u to
> the command line. NAT will take the packet, process it if it's an RFC 1918
> address, if not, allow it to pass and then reinject it into the firewall
> at rule 2 (or next available rule) and continue processing the ruleset.

Like I described, I already use this flag. The problem with having divert
at the top is that I get thrown off my ssh connection every time I try to
reload natd or ipfw. Does it matter if I allow ssh from my network before
I divert packets to natd?

> I've not been awake for long and have had little to no Mt Dew yet so
> don't hold this against me. Without going over this for a while, which
> I recommend when doing a firewall, this may be something in the
> neighborhood that you're looking for.
>
> In your /usr/local/etc/natd.sh
>
> #!/bin/sh
> natd -interface xl2 -s -m -u
>
> Or if you start it from rc.conf:
>
> natd_flags="-s -m -u "

I use a natd config file with all these flags so that is taken care of.

> The -s tells it to use sockets so that FTP doesn't get broken. You may
> not need this.
> The -m tells natd to attempt to use the same socket as the originating
> host.
> The -u tells natd to only translate RFC 1918 packets.
>
> In your firewall rules file:
>
> ###############
> # more fwrules
> fwcmd="/sbin/ipfw"
> extif="xl2"
> dmzif="fxp0"
> lanif="xl0"
> motorif="xl1"
> #
> #
> $fwcmd -f flush
> #
> #
> #NATD Divert
> $fwcmd add 1 divert natd all from any to any via xl2
> #
> #You want blocked outbound ports to match early on in the firewall.
> #
> # Blocking ports out to Internet that I don't like:
> $fwcmd add 100 deny tcp from any to any 135-139 out via $extif
> $fwcmd add 100 deny tcp from any to any 445 out via $extif
> #
> #Then your allows:
> #
> #Network Allows
> $fwcmd add 300 allow ip from any to any via $extif
> $fwcmd add 300 allow ip from any to any via $dmzif
> $fwcmd add 300 allow ip from any to any via $lanif
> $fwcmd add 300 allow ip from any to any via $motorif

Hm.. You really mean I should add that first allow line there? These four
rules together are basically the same as ipfw add allow ip from any to any,
aren't they?

> # Allow http to the whole dmz from Internet:
> $fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
> #
> # Allow smtp and pop3 to the mailserver from Internet:
> $fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif

Aren't these two rules overlapping the first 300 rule?

> #Lastly, your denies
> #
> #Network Denies
> #
> # Default Block
> $fwcmd add 65000 deny ip from any to any
>
> Hope this helps you out.

Haven't been able to try them out yet, but I don't feel allowing
The first 300 rule will probably help me by having the firewall allow
traffic for me, but I wasn't really planning to allow everything in. And
will deny rules have effect when the traffic already is allowed?

Arvinn
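As an added example (not written by either correspondent in this thread), here is an ipfw ruleset script for the same four interfaces. It puts the administrator's ssh allow ahead of the divert rule, leaves out the blanket "allow ip from any to any via $extif" so that the specific 400/500 allows and the final deny are actually reached (ipfw stops at the first allow or deny that matches), and can be dry-run with FWCMD=echo to check the ordering before anything is loaded. The admin prefix 203.0.113.0/24, the FWCMD variable and the helper names gen_rules, rule_number_of and check_order are assumptions made for this example; the interface names and the w.x.y addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from either correspondent in this thread: an ipfw
# ruleset for the same four-interface box, laid out so that rule order can
# be checked in a dry run (FWCMD=echo) before anything is loaded.
# Interface names come from the thread; the admin prefix 203.0.113.0/24 is a
# constructed placeholder.

FWCMD="${FWCMD:-/sbin/ipfw}"
EXTIF="xl2"; DMZIF="fxp0"; LANIF="xl0"; MOTORIF="xl1"
ADMINNET="203.0.113.0/24"   # assumed: where the administrator's ssh comes from
DMZWEB="w.x.y.80/28"        # web servers, as written in the thread
MAILSRV="w.x.y.84"          # mail server, as written in the thread

# ipfw walks the rules in ascending number order and stops at the first allow
# or deny that matches.  A divert rule hands the packet to natd and, when natd
# writes it back, evaluation resumes at the next rule; if nothing is listening
# on the divert socket, a packet that reaches the divert rule is dropped.
gen_rules() {
    # 50: the administrator's ssh session is decided before the divert rule,
    # so a natd restart cannot take the session down.
    $FWCMD add 50 allow tcp from $ADMINNET to me 22 in via $EXTIF
    $FWCMD add 50 allow tcp from me 22 to $ADMINNET out via $EXTIF
    # 100: everything else on the outside interface goes through natd
    # (-u on natd's command line limits translation to RFC 1918 addresses).
    $FWCMD add 100 divert natd ip from any to any via $EXTIF
    # 200: outbound ports blocked early, before any allow can match them.
    $FWCMD add 200 deny tcp from any to any 135-139,445 out via $EXTIF
    # 400/500: specific inbound allows.  They are reachable only because no
    # "allow ip from any to any via $EXTIF" sits ahead of them.
    $FWCMD add 400 allow tcp from any to $DMZWEB http in via $EXTIF
    $FWCMD add 500 allow tcp from any to $MAILSRV smtp,pop3 in via $EXTIF
    # 600: the three inside interfaces are trusted.
    $FWCMD add 600 allow ip from any to any via $DMZIF
    $FWCMD add 600 allow ip from any to any via $LANIF
    $FWCMD add 600 allow ip from any to any via $MOTORIF
    # 700: outbound traffic and the TCP replies to it (UDP replies such as
    # DNS would need their own rule; left out of this example).
    $FWCMD add 700 allow ip from any to any out via $EXTIF
    $FWCMD add 700 allow tcp from any to any established in via $EXTIF
    # 65000: default block, reached only by what nothing above matched.
    $FWCMD add 65000 deny ip from any to any
}

# Print the number of the first rule whose text contains $1 (dry run only).
rule_number_of() {
    ( FWCMD=echo; gen_rules ) | awk -v pat="$1" 'index($0, pat) { print $2; exit }'
}

# Ordering invariants worth checking before loading: admin ssh before the
# divert, no blanket allow on the outside interface, specific allows before
# the final deny.
check_order() {
    ssh=$(rule_number_of "allow tcp from $ADMINNET to me 22")
    div=$(rule_number_of "divert natd")
    web=$(rule_number_of "allow tcp from any to $DMZWEB http")
    blanket=$(rule_number_of "allow ip from any to any via $EXTIF")
    deny=$(rule_number_of "deny ip from any to any")
    [ -n "$ssh" ] && [ -n "$div" ] && [ -n "$web" ] && [ -n "$deny" ] &&
        [ "$ssh" -lt "$div" ] && [ -z "$blanket" ] && [ "$web" -lt "$deny" ]
}

if [ "${1:-}" = "load" ]; then
    check_order || { echo "rule ordering check failed, not loading" >&2; exit 1; }
    $FWCMD -q -f flush
    gen_rules
else
    ( FWCMD=echo; gen_rules )    # dry run: print the ruleset in load order
fi
```

Run the script with no argument to print the rules in the order they would be loaded; "sh fwrules.sh load" runs check_order first and only then flushes and loads. The check is deliberately simple string matching on the dry-run output, which is enough to catch a blanket allow or a misplaced ssh rule before it is loaded over a remote session.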