Date: Fri, 8 Apr 2005 15:26:11 +0200
From: Gareth Bailey <gjbailey@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Fwd: IPF Firewall Rules... help!
Message-ID: <48a5f32a0504080626383f5441@mail.gmail.com>
In-Reply-To: <48a5f32a05040806253f07f2e9@mail.gmail.com>
References: <48a5f32a05040805163282ec0a@mail.gmail.com> <MIEPLLIBMLEEABPDBIEGKEMFHDAA.bob@a1poweruser.com> <48a5f32a05040806253f07f2e9@mail.gmail.com>
Hi Bob,

Thanks, I have read the handbook and a couple of other articles. I have attached my ipf and ipnat rule lists. Please advise on the commented out BitTorrent sections. The Windows clients want to run Limewire.

WRT the LAN environment, we have a couple of Windows XP SP2 clients, and the FreeBSD gateway. The external connection from the gateway runs upstairs into the block's router, which is connected to an ADSL router (no static IP).

Thanks for your help!
Gareth

On Apr 8, 2005 2:51 PM, bob@a1poweruser.com <bob@a1poweruser.com> wrote:
> Read the official FreeBSD handbook firewall section. It has working
> examples. Any more help can only be offered if you post your rules
> and give details of your LAN environment.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Gareth Bailey
> Sent: Friday, April 08, 2005 8:16 AM
> To: freebsd-questions
> Subject: IPF Firewall Rules... help!
>
> We have a FreeBSD gateway server for Windows clients. We use IPF
> with NAT.
>
> What ipf rules and ipnat rules are required on the gateway for
> Limewire peer-to-peer to connect on the clients?
>
> If you can help, please do... I'm doing something wrong!
> Thanks
> Gareth

--- Attachment: ipf.rules ---

#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan
#################################################################
pass out quick on xl0 all
pass in quick on xl0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Bit-torrent section
#################################################################
#pass in quick on rl0 proto tcp/udp from any to any port 6300 >< 7000
#pass out quick on rl0 proto tcp/udp from any to any port 6300 >< 7000
#pass out quick on rl0 proto tcp from any to any port = 6346 flags S/SAFR keep state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################
# FTI DSL name servers
pass out quick on rl0 proto tcp from any to 196.41.0.10 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to 196.41.0.10 port = 53 keep state
pass out quick on rl0 proto tcp from any to 196.41.0.11 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to 196.41.0.11 port = 53 keep state

# Allow out non-secure standard www function
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

# LAN FTP
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Allow out ftp between ports 3500 and 3600 (Courtesy)
# '><' matches ports inside the range; '<>' would match every port outside it
pass out quick on rl0 proto tcp from any to any port 3500 >< 3600 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on rl0 all

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on rl0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on rl0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on rl0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on rl0 from 127.0.0.0/8 to any       #loopback
block in quick on rl0 from 0.0.0.0/8 to any         #"this" network
block in quick on rl0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on rl0 from 192.0.2.0/24 to any      #reserved for documentation
block in quick on rl0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3 to any       #Class D multicast & Class E reserved

##### Block a bunch of different nasty things. ############
# That I don't want to see in the log

# Block frags
block in quick on rl0 all with frags

# Block short tcp packets
block in quick on rl0 proto tcp all with short

# block source routed packets
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on rl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on rl0 all with ipopts

# Block public pings
block in quick on rl0 proto icmp all icmp-type 8

# Block ident
block in quick on rl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on rl0 proto tcp/udp from any to any port = 137
block in log first quick on rl0 proto tcp/udp from any to any port = 138
block in log first quick on rl0 proto tcp/udp from any to any port = 139
block in log first quick on rl0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public internet.
# This is the same IP address you captured and
# used in the outbound section.
#pass in log quick on rl0 proto udp from 192.168.150.5 to any port = 67 keep state
#pass in log quick on rl0 proto udp from 192.168.150.5 to any port = 68 keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a 'denial of service' attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on rl0 all
################### End of rules file #####################################

--- Attachment: ipnat.rules ---

#
# Interface:
#   rl0 - external to DHCP server
#
# NAT policy:
#   + Use IP Filter FTP proxy
#   + Use IP Filter IKE proxy
#   + Use IP Filter RealAudio proxy
#   + NAT UDP and TCP packets from internal hosts to external IP
#   + NAT ICMP packets from internal hosts to external IP
#
# share and enjoy,
# hoang@muine.org
# Oct 25, 2001
#

#bit torrent
#rdr rl0 0.0.0.0/0 port 6881 -> 192.168.0.2,192.168.0.3 port 6881
#rdr rl0 0.0.0.0/0 port 6882 -> 192.168.0.2,192.168.0.3 port 6882
#rdr rl0 0.0.0.0/0 port 6883 -> 192.168.0.2,192.168.0.3 port 6883
#rdr rl0 0.0.0.0/0 port 6884 -> 192.168.0.2,192.168.0.3 port 6884
#rdr rl0 0.0.0.0/0 port 6885 -> 192.168.0.2,192.168.0.3 port 6885
#rdr rl0 0.0.0.0/0 port 6886 -> 192.168.0.2,192.168.0.3 port 6886
#rdr rl0 0.0.0.0/0 port 6887 -> 192.168.0.2,192.168.0.3 port 6887
#rdr rl0 0.0.0.0/0 port 6888 -> 192.168.0.2,192.168.0.3 port 6888
#rdr rl0 0.0.0.0/0 port 6889 -> 192.168.0.2,192.168.0.3 port 6889

# ------------------------------------------------------------
# Use ipfilter FTP proxy for the firewall doing transfer mode
# active.
# ------------------------------------------------------------
map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp

# ------------------------------------------------------------
# Use ipfilter FTP proxy for hosts behind NAT doing transfer
# mode active.
# ------------------------------------------------------------
map rl0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

# -----------------------------------------------------------
# Use ipfilter IKE proxy for ESP packets for hosts behind NAT
# IP Filter 3.4.21 and beyond only.
# -----------------------------------------------------------
map rl0 192.168.0.0/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

# -----------------------------------------------------------
# Use ipfilter RealAudio proxy for hosts behind NAT
# -----------------------------------------------------------
map rl0 192.168.0.0/24 -> 0.0.0.0/32 proxy port 7070 raudio/tcp

# -----------------------------------------------------------
# Map all internal UDP and TCP traffic to the external IP address
# -----------------------------------------------------------
map rl0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000

# -----------------------------------------------------------
# Map all other traffic e.g. ICMP to the external IP address
# -----------------------------------------------------------
map rl0 192.168.0.0/24 -> 0.0.0.0/32
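Added example, not part of the thread and not IPFilter's own code: a small Python checker that parses the subset of ipf/ipnat syntax used in the two attached files and flags the things most likely to stop an inbound redirect for a peer-to-peer client from working. It rests on two IPFilter facts: ipnat translates an inbound packet before ipf filters it, so the 'pass in' that admits a redirected port has to match the internal destination host and port, not the public address; and in a port range '><' matches ports strictly inside the range while '<>' matches every port outside it, so a 'pass' written with '<>' is a far wider hole than its comment suggests. The interface names, the rdr for 192.168.0.2 port 6346 and the rule excerpts are constructed for the demo; rule order, proto and 'with' options are not modelled, so a clean result means only that these three checks passed.

```python
"""Consistency checks for an ipf.rules / ipnat.rules pair (added example, not
IPFilter's or the thread's code).  Parses only the syntax seen in the attached
files.  Two IPFilter facts drive it: ipnat translates an inbound packet before
ipf filters it, so the 'pass in' for a redirected port must match the internal
host and port; and in a port range '><' matches ports strictly inside it while
'<>' matches ports outside it.  Rule order, proto and 'with' are not modelled.
"""
from collections import namedtuple

# port_lo..port_hi: destination ports the rule names (0..65535 when none);
# outside=True marks an '<>' rule, which matches ports outside that interval.
FilterRule = namedtuple("FilterRule", "lineno action direction iface src dst "
                        "port_lo port_hi outside keep_state")


def _tokens(text):
    """Yield (lineno, tokens) for every non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        t = raw.split("#", 1)[0].split()
        if t:
            yield n, t


def parse_ipf(text):
    rules = []
    for n, t in _tokens(text):
        if t[0] not in ("pass", "block"):
            continue
        where = {"on": "any", "from": "any", "to": "any"}
        lo, hi, outside, i = 0, 65535, False, 2
        while i < len(t):
            if t[i] in where:
                where[t[i]] = t[i + 1]; i += 2
            elif t[i] == "port" and t[i + 1] == "=":
                lo = hi = int(t[i + 2]); i += 3
            elif t[i] == "port":                       # 'A <> B' or 'A >< B'
                a, b, outside = int(t[i + 1]), int(t[i + 3]), t[i + 2] == "<>"
                lo, hi = (a, b) if outside else (a + 1, b - 1); i += 4
            else:
                i += 1                                 # quick, log, flags, with, ...
        rules.append(FilterRule(n, t[0], t[1], where["on"], where["from"], where["to"],
                                lo, hi, outside, "keep" in t and "state" in t))
    return rules


def parse_ipnat(text):
    """Yield (lineno, iface, [hosts], internal_port) for each rdr line."""
    for n, t in _tokens(text):
        if t[0] == "rdr":                  # rdr <if> <src> port P -> h[,h] port Q ...
            arrow = t.index("->")
            yield n, t[1], t[arrow + 1].split(","), int(t[arrow + 3])


def port_matches(rule, port):
    return (rule.port_lo <= port <= rule.port_hi) != rule.outside


def check(ipf_text, ipnat_text, public_if):
    """Return (file, lineno, message) findings; an empty list means clean."""
    rules = parse_ipf(ipf_text)
    found = []
    for r in rules:
        if r.iface == public_if and r.action == "pass":
            if not r.keep_state:
                found.append(("ipf", r.lineno, "stateless pass on public interface"))
            if r.outside:
                found.append(("ipf", r.lineno, "'<>' passes every port outside the range"))
    for d in ("in", "out"):      # last rule per direction must be the catch-all block
        same = [r for r in rules if r.iface == public_if and r.direction == d]
        if not (same and same[-1].action == "block" and (same[-1].src, same[-1].dst,
                same[-1].port_lo, same[-1].port_hi) == ("any", "any", 0, 65535)):
            found.append(("ipf", 0, f"no final 'block {d} ... on {public_if} all'"))
    for n, iface, hosts, port in parse_ipnat(ipnat_text):
        if iface != public_if:
            continue
        for host in hosts:
            # ipf sees the translated packet, so match on the internal destination
            if not any(r.direction == "in" and r.iface in (public_if, "any")
                       and r.action == "pass" and r.keep_state and port_matches(r, port)
                       and r.dst in ("any", host, host + "/32") for r in rules):
                found.append(("ipnat", n, f"rdr to {host}:{port} has no stateful "
                              f"'pass in' on {public_if} for that destination"))
    return found


# Constructed excerpts in the style of the attached files: the Bit-torrent
# 'pass in' uncommented, the '3500 <> 3600' rule as posted, and one rdr for a
# Gnutella client at 192.168.0.2 (6346 is the port in the posted 'pass out').
IPF_SAMPLE = """\
pass in quick on rl0 proto tcp/udp from any to any port 6300 >< 7000
pass out quick on rl0 proto tcp from any to any port 3500 <> 3600 flags S keep state
block out log first quick on rl0 all
block in quick on rl0 from 192.168.0.0/16 to any
block in log first quick on rl0 all
"""
IPNAT_SAMPLE = """\
rdr rl0 0.0.0.0/0 port 6346 -> 192.168.0.2 port 6346 tcp
map rl0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
"""
# The same filter file with the holes closed: one stateful 'pass in' for the
# redirected port, naming the internal host, and '><' for the ftp range.
IPF_FIXED = """\
pass in quick on rl0 proto tcp from any to 192.168.0.2 port = 6346 flags S keep state
pass out quick on rl0 proto tcp from any to any port 3500 >< 3600 flags S keep state
block out log first quick on rl0 all
block in quick on rl0 from 192.168.0.0/16 to any
block in log first quick on rl0 all
"""
```

On IPF_SAMPLE the checker reports the stateless 'pass in', the '<>' rule, and the rdr with no matching 'pass in'; on IPF_FIXED it reports nothing. To use it on a real gateway, call check() with the contents of /etc/ipf.rules and /etc/ipnat.rules and the public interface name, then still parse the edited files with `ipf -nf /etc/ipf.rules` and `ipnat -nf /etc/ipnat.rules` (no-change mode) before loading them, and watch `ipfstat -hio` hit counters while the client tries to connect to confirm which rule is actually catching the traffic.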
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48a5f32a0504080626383f5441>