Date:      Wed, 5 Mar 2003 11:14:25 -0500
From:      Jeff Walters <jeff@walters.name>
To:        "Brian Henning" <b1henning@hotmail.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: firewall revisited
Message-ID:  <200303051114.25796.jeff@walters.name>
In-Reply-To: <OE14i67EKRuYDlrjbud000010a0@hotmail.com>
References:  <OE14i67EKRuYDlrjbud000010a0@hotmail.com>

> how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?

I have that working right now with:

firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"

... where /etc/rc.firewall.local contains the customized ipfw commands.

> what i would like to do is block all access to services on the router like
> httpd, sshd, etc
> the other think i would like to do is port forward ssh from another machine
> and allow access of that from an external network.
> does something like this make sense?
> thanks,

If you are using NAT then the -redirect_port option to natd will do that (i.e. 
forward incoming port 22 connections to an internal machine), which can be 
set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable.  You 
have to create a corresponding ipfw rule to allow the traffic after natd 
rewrites the destination IP to your internal LAN machine, which it looks like 
you have done below, except the "from" would be "any" not "ROUTER_IP".  It 
will be the IP of the outside machine trying to connect to port 22.

I have a similar port forward set up.  Early in the firewall rules allow all 
established TCP connections, and then later allow the setup for the initial 
SSH connection.  10.0.1.2 would be a machine behind the firewall to receive 
SSH connections, and ed0 would be the external internet interface.

in /etc/rc.conf:
natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"

in the firewall script:
ipfw -q flush
ipfw add 00050 divert natd ip from any to any via ed0
ipfw add 00100 allow tcp from any to any via ed0 established
<more rules here>
ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
<more rules here>
ipfw add 65530 deny log ip from any to any

I winged this so forgive any errors, but it's based on what I have working, 
including a rule to deny and log everything by default at the bottom.

> /etc/rc.firewall.rules
> ----------------------
> #!/bin/sh
> IPFW=/sbin/ipfw
> ${IPFW} -f flush
> ${IPFW} add 00200 divert natd all from any to any via rl1
> ${IPFW} add 00250 pass tcp from ${ROUTER_IP} to ${MACHINE1_IP} 22
> ${IPFW} add 00260 pass tcp from ${MACHINE1_IP} 22 to ${ROUTER_IP}
> ${IPFW} add 00300 pass all from any to any
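A complete /etc/rc.firewall.local in the spirit of the sketch above, as an added example and not Jeff's or Brian's script: natd forwards SSH to one LAN host, the router's own sshd and httpd are unreachable from outside, and everything unmatched is denied and logged. It assumes ed0 is the external interface, rl0 the LAN interface, 10.0.1.2 the internal SSH host, and uses ipfw's "me" keyword for the router's own addresses; the check_order function is a reviewer's sanity check, not part of any rc machinery.

```shell
#!/bin/sh
# Added example, not the original poster's script: an /etc/rc.firewall.local
# that fills in the sketch above. NAT via natd, SSH forwarded to one LAN host,
# the router's own sshd/httpd unreachable from outside, deny-and-log last.
# Assumed values: ed0 external interface, rl0 LAN interface, 10.0.1.2 SSH host.
EXT_IF="ed0"
INT_IF="rl0"
SSH_HOST="10.0.1.2"

# The rule set as text, so it can be reviewed or checked without touching the
# live firewall. Order matters: natd rewrites the destination at rule 50, so
# later rules see the LAN address, and "established" precedes the per-service
# denies so only new (setup) connections are judged by them. The deny on the
# router's port 22 is defence in depth: natd already redirects that port.
ipfw_rules() {
    cat <<EOF
add 00050 divert natd ip from any to any via ${EXT_IF}
add 00100 allow tcp from any to any via ${EXT_IF} established
add 00200 allow ip from any to any via lo0
add 00210 allow ip from any to any via ${INT_IF}
add 00300 deny log tcp from any to me 22 setup in via ${EXT_IF}
add 00310 deny log tcp from any to me 80 setup in via ${EXT_IF}
add 01000 allow tcp from any to ${SSH_HOST} 22 setup in via ${EXT_IF}
add 02000 allow tcp from any to any setup out via ${EXT_IF}
add 02100 allow udp from any to any 53 out via ${EXT_IF}
add 02110 allow udp from any 53 to any in via ${EXT_IF}
add 65530 deny log ip from any to any
EOF
}

# Push the rules into the kernel; -q keeps boot-time output quiet.
apply_rules() {
    ipfw -q flush
    ipfw_rules | while read -r rule; do
        # Word splitting of $rule is intended: one line is one ipfw command.
        ipfw -q $rule
    done
}

# Ordering invariants a reviewer would check: divert first, the router-service
# denies numbered below the SSH forward, the logging deny last.
check_order() {
    first=$(ipfw_rules | head -n 1 | awk '{print $2 + 0}')
    last=$(ipfw_rules | tail -n 1 | awk '{print $2 + 0}')
    deny_max=$(ipfw_rules | grep ' to me ' | awk '{print $2 + 0}' | sort -n | tail -n 1)
    fwd=$(ipfw_rules | grep " to ${SSH_HOST} 22 setup" | awk '{print $2 + 0}')
    [ "$first" -eq 50 ] && [ "$last" -eq 65530 ] && [ "$deny_max" -lt "$fwd" ]
}

# Apply on a host that has ipfw; elsewhere (e.g. when reviewing) print the rules.
if command -v ipfw >/dev/null 2>&1; then apply_rules; else ipfw_rules; fi
```

Point firewall_script in /etc/rc.conf at this file, as in the rc.conf lines above, and keep the natd_flags redirect in step with SSH_HOST.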
