Date: Sun, 21 Jul 2002 19:31:53 +0200
From: thrawn@linux.nu
To: freebsd-questions@freebsd.org
Subject: IPFW problem
Message-ID: <20020721193153.A5921@dasboot.birch.se>
Hi,

First I want to thank the person who gave this script to me. I have gotten a firewall script from a nice person on this mailing list. But I have changed stuff, and I think it should be right and suit me. But I can't get it to work even though I have tried everything I can think of. Of course I'm not an ipfw expert, so perhaps I have forgotten something. I guess I'm doing something wrong in any way, but I can't find it.

The thing I want to get working is NAT; I'm using tun0 for that with ppp. But if I use these rules, it won't let me use my dial-up connection with this ruleset. At first, I thought that it was the last rule that did something nasty to my script, but when I removed it, it didn't help.

My LAN is using xl0 as the ethernet interface. It has 192.168.0.1/24 as ip/netmask.

Any suggestions will be appreciated.

Here is the firewall script:

#!/bin/sh
# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw add"

# Set defaults
# set these to your outside interface network and ip
# for dynamic IP address from ISP use their range
# The mail says user ppp runs on tun0, so that is the outside interface.
# Rules tied to "ppp0" (an interface that does not exist here) never match,
# so every packet on the dial-up link falls through to rule 00950.
oif="tun0"             # public internet connection
odns1="62.66.1.5"      # ISP's dns server 1 IP address
odns2="62.66.1.8"      # ISP's dns server 2 IP address

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN starts here

# Internal gateway housekeeping
# Rule 100 exempts everything on localhost behind the firewall from this ruleset
# Rules 110 & 120 deny any reference to the localhost default IP address.
$cmd 00100 allow all from any to any via lo0         # allow all localhost
$cmd 00110 deny log all from any to 127.0.0.0/8      # deny use of localhost IP
$cmd 00120 deny log all from 127.0.0.0/8 to any      # deny use of localhost IP

# xl0 is the interface to the private LAN (replace with your own)
$cmd 00130 allow ip from any to any via xl0          # allow all local LAN
# keep-state here so that replies to LAN-originated traffic, coming back in
# via $oif, are matched by check-state at rule 00200 instead of being
# dropped by rules 00260 and 00950.
$cmd 00140 allow ip from 192.168.0.0/24 to 0.0.0.0/0 keep-state
# Rules 00145-00155 are already covered by 00140 ("ip" matches tcp, udp and
# icmp) and are never reached; kept for reference.
$cmd 00145 allow tcp from 192.168.0.0/24 to 0.0.0.0/0 keep-state
$cmd 00150 allow udp from 192.168.0.0/24 to 0.0.0.0/0 keep-state
$cmd 00155 allow icmp from 192.168.0.0/24 to 0.0.0.0/0 keep-state

#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES
# The following rule if un-commented will change the behavior of this
# FireWall rule set from closed to completely open, thus bypassing all of the
# following rules. This single rule is placed here for TESTING PURPOSES
#$cmd 00160 allow log logamount 500 all from any to any
#$cmd 00161 allow all from any to any

######## control section ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
$cmd 00200 check-state

# Deny all fragments as bogus packets
$cmd 00250 deny all from any to any frag in via $oif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00260 deny tcp from any to any established in via $oif

######## outbound section ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out non-secure standard www function
$cmd 00300 allow tcp from any to any 80 out via $oif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00301 allow tcp from any to any 443 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00310 allow tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00311 allow udp from any to $odns1 53 out via $oif keep-state
$cmd 00315 allow tcp from any to $odns2 53 out via $oif setup keep-state
$cmd 00316 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00330 allow tcp from any to any 25 out via $oif setup keep-state
$cmd 00331 allow tcp from any to any 110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id root "GOD" privileges.
$cmd 00340 allow tcp from me to any out via $oif setup keep-state uid root

# Allow out & in console traceroute command
$cmd 00342 allow udp from me to any 33435-33500 out via $oif keep-state
$cmd 00343 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping
$cmd 00350 allow icmp from any to any out via $oif keep-state

# Allow out ssh
$cmd 00380 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$cmd 00390 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$cmd 00394 allow tcp from any to any 123 out via $oif setup keep-state
$cmd 00395 allow udp from any to any 123 out via $oif keep-state

# Allow out Time
$cmd 00396 allow tcp from any to any 37 out via $oif setup keep-state
$cmd 00397 allow udp from any to any 37 out via $oif keep-state

# Allow out ident
$cmd 00400 allow tcp from any to any 113 out via $oif setup keep-state
$cmd 00401 allow udp from any to any 113 out via $oif keep-state

# Allow out IRC
$cmd 00410 allow tcp from any to any 194 out via $oif setup keep-state
$cmd 00411 allow udp from any to any 194 out via $oif keep-state

# Allow out whois
$cmd 00412 allow tcp from any to any 43 out via $oif setup keep-state
$cmd 00413 allow udp from any to any 43 out via $oif keep-state

# Allow out whois++
$cmd 00415 allow tcp from any to any 63 out via $oif setup keep-state
$cmd 00416 allow udp from any to any 63 out via $oif keep-state

# Allow out finger
$cmd 00420 allow tcp from any to any 79 out via $oif setup keep-state
$cmd 00421 allow udp from any to any 79 out via $oif keep-state

# Allow out nntp news
$cmd 00425 allow tcp from any to any 119 out via $oif setup keep-state
$cmd 00426 allow udp from any to any 119 out via $oif keep-state

# Allow out gopher
$cmd 00430 allow tcp from any to any 70 out via $oif setup keep-state
$cmd 00431 allow udp from any to any 70 out via $oif keep-state

######## inbound section ############################################
# Interrogate packets originating from in front of the firewall, public net.
# Place statements here to allow public requests for service.

# Allow in www
#$cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
#$cmd 00610 allow tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
#$cmd 00611 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
#$cmd 00620 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
#$cmd 00630 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

# Allow in Ping from me
#$cmd 00635 allow log icmp from any to me icmptype 0,8 in via $oif

######## catch all section ############################################
# Stop & log external redirect requests.
$cmd 00720 deny log icmp from any to any icmptype 5 in via $oif

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
$cmd 00730 deny log ip from me to me in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$cmd 00740 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject & Log all setup of tcp incoming connections from the outside
$cmd 00750 deny log tcp from any to any setup in via $oif

# Reject & Log all netbios service. 137=name, 138=datagram, 139=session
# netbios is ms/windows sharing services.
$cmd 00760 deny log tcp from any to any 137,138,139 in via $oif
$cmd 00761 deny log udp from any to any 137,138,139 in via $oif

# Reject all port 80 http packets that fall through to here.
# These packets are auto spawned web page requests from within
# the original web page request.
$cmd 00770 deny tcp from any to any 80 out via $oif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00950 deny log logamount 500 all from any to any

Best regards,
Mattias Björk

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020721193153.A5921>
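As an added example (not from the mail and not FreeBSD's ipfw code), here is a small Python model of ipfw's first-match evaluation with check-state/keep-state, run over a cut-down version of the posted ruleset. The interface names, the constructed addresses 192.168.0.10, 198.51.100.7 and 203.0.113.5, the rule subset in `ruleset` and the `http_session` helper are assumptions for illustration; the model shows that the reply to a LAN client's connection is dropped by rule 00260 when rule 00140 keeps no state, and that with `oif` set to an interface that does not exist the gateway's own outbound HTTP falls through to rule 00950.

```python
import ipaddress

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def static_match(r, p):
    # Non-dynamic part of a rule: proto, addresses, dest port, direction, interface, TCP flags.
    return (r["proto"] in ("all", "ip", p["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and r.get("dport") in (None, p.get("dport"))
            and r.get("dir") in (None, p["dir"]) and r.get("via") in (None, p["iface"])
            and (not r.get("setup") or p.get("syn")) and (not r.get("established") or not p.get("syn")))

def key(p):
    return (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))

def evaluate(rules, p, dyn):
    # First-match walk over the rule list; dyn is the dynamic (state) table.
    for r in rules:
        if r["action"] == "check-state":
            rev = (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))
            if key(p) in dyn or rev in dyn:
                return r["num"], "allow"
            continue
        if static_match(r, p):
            if r.get("keep_state"):
                dyn.add(key(p))
            return r["num"], r["action"]
    return 65535, "deny"  # ipfw's implicit default rule

def ruleset(oif, lan_keeps_state):
    # Subset of the posted script (constructed); rule 00140 with or without keep-state.
    any_ = dict(src="any", dst="any")
    return [
        dict(num=140, action="allow", proto="ip", src="192.168.0.0/24", dst="any", keep_state=lan_keeps_state),
        dict(num=200, action="check-state"),
        dict(num=260, action="deny", proto="tcp", established=True, dir="in", via=oif, **any_),
        dict(num=300, action="allow", proto="tcp", dport=80, dir="out", via=oif, setup=True, keep_state=True, **any_),
        dict(num=950, action="deny", proto="all", **any_),
    ]

def http_session(rules, client):
    # client opens TCP/80 out via tun0 (constructed addresses); returns (SYN verdict, SYN/ACK verdict).
    dyn = set()
    syn = dict(proto="tcp", src=client, sport=40000, dst="203.0.113.5", dport=80, dir="out", iface="tun0", syn=True)
    ack = dict(proto="tcp", src="203.0.113.5", sport=80, dst=client, dport=40000, dir="in", iface="tun0")
    return evaluate(rules, syn, dyn), evaluate(rules, ack, dyn)
```

Each verdict is a (rule number, action) pair, so the rule that decided a packet's fate is visible directly.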