Date: Sun, 28 Jan 2001 01:15:29 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: Benjamin Ossei <ben@cahostnet.net> Cc: questions@FreeBSD.ORG Subject: Re: firewall rules Message-ID: <20010128011528.U10761@rfx-216-196-73-168.users.reflex> In-Reply-To: <20010128075316.6193C36F9@sitemail.everyone.net>; from ben@cahostnet.net on Sat, Jan 27, 2001 at 11:53:15PM -0800 References: <20010128075316.6193C36F9@sitemail.everyone.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[Your paragraphs are all on one line. Please add newlines at about 72
columns or so.]
On Sat, Jan 27, 2001 at 11:53:15PM -0800, Benjamin Ossei wrote:
> I have a small home network that I'm going to use ipfw and nat for.
> I was wondering if anyone had a custom ruleset that I could use as a
> baseline to write my own rules. I am currently using the
> rc.firewall and I'm a little confused as to what they are trying to
> do. They stop spoofing on the private networks but I get permission
> deny when I run the "simple" profile for natd and other things. I
> also can not go out of the firewall. I know this will take time to
> tweak. Any help will be appreciated.
>
> If I can take the spoofing config out or make it work I'll like to
> do that. I will like to protect my network from others trying to
> fake it like they on my network so I feel I should keep it.
Here is the rough outline of my "all-purpose" rules. They allow
anything to go out and no incoming connections. All connections to the
outside are maintained with dynamic rules. Anything goes on the
internal net. I do not bother RFC1918 sourced packets; I've never
really seen the point. I do block anything with a source of my
internal net.
############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny log all from any to 127.0.0.0/8
############
# Stop spoofing
$fwcmd add deny log ip from ${oip} to not ${obc} recv ${oif}
$fwcmd add deny log ip from ${iip} to not ${ibc} recv ${iif}
# Let's block anything that is spoofed from our internal net
# (even though it would not pass rules farther down, I don't want it
# getting to natd).
$fwcmd add deny log ip from ${net} to any in via ${oif}
############
# Jump ahead with stuff destined for this machine
$fwcmd add skipto 10000 ip from any to ${oip} in via ${oif}
$fwcmd add skipto 20000 ip from any to ${obc} in via ${oif}
############
# Block anything not meant for this machine
$fwcmd add deny ip from any to any in via fxp0
############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
$fwcmd 10000 add divert natd all from any to any via ${natd_interface}
fi
# Prototype setups.
# Just keeping the 'open' for testing purposes
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
$fwcmd add 65000 pass all from any to any
else
$fwcmd add check-state
# These are split just for monitoring
$fwcmd add pass tcp from ${oip} to any out via ${oif} keep-state
$fwcmd add pass udp from ${oip} to any out via ${oif} keep-state
$fwcmd add pass icmp from ${oip} to any out via ${oif} keep-state
$fwcmd add pass ip from ${oip} to any out via ${oif} keep-state
$fwcmd add pass icmp from any to any icmptypes 0,3,11
$fwcmd add pass ip from ${net} to ${iip} in via ${iif}
$fwcmd add pass ip from ${iip} to ${net} out via ${iif}
$fwcmd add pass ip from ${net} to any in via ${iif} keep-state
$fwcmd add deny log tcp from any to any in via ${oif} setup
$fwcmd add deny log udp from any to any in via ${oif}
fi
--
Crist J. Clark cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010128011528.U10761>