Date: Thu, 29 Mar 2001 23:05:38 -0500
From: "Christian S." <cschreiber@netrail.net>
To: "Chip Wiegand" <chip@wiegand.org>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: RE: IPFW rules problem
Message-ID: <MPEGJCJPPBKNCNBGOHGDCEKECPAA.cschreiber@netrail.net>
In-Reply-To: <20010329200130.1f844009.chip@wiegand.org>
I dunno if it helps, but I always use my rules in the xxx.xxx.xxx.xxx/yy notation for network/netmask rather than xxx.xxx.xxx.xxx:yy.. no idea if it helps/hurts, but that's what I use.. Just an idea.. :/

Christian

"...we have only twice as many genes as a fruit fly, or roughly the same number as an ear of corn, about 30,000."
Ergo, we are all corn.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Chip Wiegand
Sent: Thursday, March 29, 2001 11:02 PM
To: FreeBSD Questions
Subject: IPFW rules problem

I have used Greg Lehey's book, the chapter on firewalls, to set up my firewall. I basically copied his firewall rules to my machine, figured that'd be a good place to learn from. Anyway, now that I have done that I get the following error when doing ipfw show -

-----------------------------------------------------
Flushed all rules.
00000 divert 8668 ip from any to any via xl1
00000 allow ip from any to any
[: missing ]
[: missing ]
[: missing ]
-----------------------------------------------------

I cannot for the life of me find where to put the missing :'s. I have included the rc.firewall file, maybe someone with sharper eyes than mine can tell me where the missing :'s belong -

-----------------------------------------------------
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via xl1
/sbin/ipfw add pass all from any to any

# Allow everything in and out, completely wide open
if [ "${firewall}" = "open"]; then
	/sbin/ipfw add 65000 pass all from any to any

# A reasonably secure firewall
# services to the net
elif [ "${firewall}" = "client"]; then
	net = "192.168.1.0"
	mask = "255.255.255.0"
	ip = "192.168.1.10"

	# Allow any traffic to or from my own network.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming mail
	/sbin/ipfw add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from ${ip} to any setup

	# Do not allow setup of any other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out on the net
	/sbin/ipfw add pass udp from any 53 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 53

	# Allow NTP (Network Time Protocol) queries out on the net
	/sbin/ipfw add pass udp from any 123 to ${ip}
	/sbin/ipfw add pass udp form ${ip} to any 123

	# Everything else is denied by default

elif [ "${firewall}" = "simple" ]; then
	oif = "xl1"
	onet = "208.194.173.0"
	omask = "255.255.255.128"
	oip = "208.194.173.26"
	iif = "xl0"
	inet = "192.168.1.0"
	imask = "255.255.255.0"
	iip = "192.168.1.10"

	# Stop spoofing
	/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
	/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	# RFC1918 networks are the private, unroutable nets
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

	# Allow TCP through if it is established
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${oip} 25 setup

	# Reject and Log all setup of incoming connections from the outside
	/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	/sbin/ipfw add pass tcp from any to any setup

	# Allow DNS queries out in the world
	/sbin/ipfw add pass udp from any 53 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 123

	# Everything else is denied by default

elif [ "${firewall}" != "none" -a -r "${firewall}"]; then
	/sbin/ipfw ${firewall}
fi
---------------------------------------------------------

-- 
Chip Wiegand
Alternative Operating Systems
www.wiegand.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
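The "[: missing ]" lines in the thread above come from test(1), not ipfw: `[ "${firewall}" = "open"]` has no space before the closing bracket, and the script also has `net = "..."` (spaces around `=`, which sh runs as a command called `net`) and a `form` typo. As an added example that is not from the thread or from FreeBSD's rc.firewall, the script below re-creates the "client" rule set with those errors corrected and, following Christian's suggestion, converts each dotted netmask to `net/yy` notation; `IPFW` defaults to `echo` so the rules are printed for review rather than loaded.

```shell
# Dotted netmask -> CIDR prefix length, so a "net:mask" rule can be written as net/yy
# (the notation Christian suggests). Rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    bits=0; done_=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad netmask: $*" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            255) add=8 ;; 254) add=7 ;; 252) add=6 ;; 248) add=5 ;; 240) add=4 ;;
            224) add=3 ;; 192) add=2 ;; 128) add=1 ;; 0) add=0 ;;
            *) echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
        # once a partial octet has been seen, every later octet must be 0
        if [ "$done_" -eq 1 ] && [ "$add" -ne 0 ]; then
            echo "non-contiguous netmask" >&2; return 1
        fi
        [ "$add" -eq 8 ] || done_=1
        bits=$((bits + add))
    done
    echo "$bits"
}

# IPFW defaults to "echo" so the rules are printed for review instead of loaded;
# run as root with IPFW=/sbin/ipfw to apply them.
IPFW=${IPFW:-echo}

# The "client" rule set from the posted rc.firewall with its script bugs fixed:
# no spaces around '=' in assignments, "form" -> "from", and net/prefix instead of net:mask.
client_rules() {
    net=$1 mask=$2 ip=$3
    prefix=$(mask_to_prefix "$mask") || return 1
    $IPFW add pass all from "$ip" to "$net/$prefix"
    $IPFW add pass all from "$net/$prefix" to "$ip"
    $IPFW add pass tcp from any to any established
    $IPFW add pass tcp from any to "$ip" 25 setup
    $IPFW add pass tcp from "$ip" to any setup
    $IPFW add deny tcp from any to any setup
    $IPFW add pass udp from any 53 to "$ip"
    $IPFW add pass udp from "$ip" to any 53
    $IPFW add pass udp from any 123 to "$ip"
    $IPFW add pass udp from "$ip" to any 123
}

firewall=${firewall:-client}
# test(1) needs a space before ']'; "${firewall}" = "client"] is what printed "[: missing ]".
if [ "$firewall" = "client" ]; then
    client_rules 192.168.1.0 255.255.255.0 192.168.1.10
fi
```

Note also that the posted script issues an unconditional `pass all from any to any` before the if-block (visible as `allow ip from any to any` in the ipfw output); ipfw stops at the first matching rule, so every rule added after it never sees a packet and the host is effectively wide open until that line is removed.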