Date:      Wed, 28 Apr 1999 19:36:10 -0500
From:      Guy Helmer <ghelmer@scl.ameslab.gov>
To:        Christoff Snijders <hjcs@home.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: ipfw rules
Message-ID:  <Pine.SGI.4.10.9904281932230.4039-100000@demios.scl.ameslab.gov>
In-Reply-To: <3727A604.55A107A@home.com>

On Wed, 28 Apr 1999, Christoff Snijders wrote:

> I have a very simple setup:  one FreeBSD 2.2.5-RELEASE box with two
> Ethernet cards in it.  One card is connected to a cable modem with a
> static IP address, the other is connected to a hub, which is in turn
> connected to several computers on an internal network.
> 
> If I remove all the ipfw rules and allow access from anything to
> anything, with traffic diverted through natd on port 6668, all the
> machines on the network can access the net, but the firewall is useless
> (non-existent).
> 
> If I use the standard, simple rules in rc.firewall, the console user can
> access the Internet, but none of the users on the internal network can.
> ...
> # set these to your outside interface network and netmask and ip
>     oif="ed2"
> ...
>     # divert traffic to natd (I added this)
>     /sbin/ipfw add divert natd all from any to any via ed2

Hmm, isn't there a divert rule at the beginning of /etc/rc.firewall?

> ...
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

I've replaced those three rules with these six rules on my 2.2.8 firewall:

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 out via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any in via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 out via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any in via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 out via ${oif}

Hope this helps,
Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science 
Research Assistant, Ames Laboratory       ---         ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science   ---   ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
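The distinction Guy's six rules rely on is that `via ${oif}` matches a packet in either direction on that interface, while `in via` and `out via` match only one direction. The following is an added example, not part of the thread: a small Python model of ipfw's first-match evaluation applied to both rule sets. It assumes `${oif}` is `ed2`, that packets reach these rules untranslated (i.e. no natd divert has rewritten the source yet), and uses constructed packet addresses.

```python
import ipaddress

OIF = "ed2"  # assumption: ${oif} from the thread
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
ANY = "0.0.0.0/0"

# A rule is (action, src_net, dst_net, direction, iface).
# direction None models `via` (matches both in and out).
def original_rules():
    """The three `via ${oif}` rules quoted from rc.firewall."""
    return [("deny", net, ANY, None, OIF) for net in RFC1918]

def directional_rules():
    """Guy's replacement: deny private sources coming in, private destinations going out."""
    rules = []
    for net in RFC1918:
        rules.append(("deny", net, ANY, "in", OIF))
        rules.append(("deny", ANY, net, "out", OIF))
    return rules

def matches(rule, pkt):
    _, src, dst, direction, iface = rule
    if iface != pkt["iface"]:
        return False
    if direction is not None and direction != pkt["direction"]:
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst))

def verdict(rules, pkt):
    """First matching rule wins; fall through to a constructed trailing allow."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "allow"

# Constructed packets (documentation addresses for the public side).
OUTBOUND_LAN = {"src": "192.168.1.10", "dst": "198.51.100.7", "direction": "out", "iface": OIF}
INBOUND_SPOOF = {"src": "10.0.0.5", "dst": "203.0.113.2", "direction": "in", "iface": OIF}
OUTBOUND_TO_PRIVATE = {"src": "203.0.113.2", "dst": "172.16.5.5", "direction": "out", "iface": OIF}

def compare(pkt):
    """Return (verdict under original rules, verdict under directional rules)."""
    return verdict(original_rules(), pkt), verdict(directional_rules(), pkt)

if __name__ == "__main__":
    for name, pkt in [("LAN host going out", OUTBOUND_LAN),
                      ("spoofed private source coming in", INBOUND_SPOOF),
                      ("public host sending to a private destination", OUTBOUND_TO_PRIVATE)]:
        print(f"{name}: original={compare(pkt)[0]} directional={compare(pkt)[1]}")
```

The first packet shows why the quoted rules cut off the internal network: an untranslated outbound packet from a 192.168.x.x host is denied by `via` but passes the `in via` form. The third packet shows the extra coverage of the `out via` rules, which the original set never checked.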
