From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 13 19:42:13 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0026E16A4CE for ; Sun, 13 Jun 2004 19:42:12 +0000 (GMT) Received: from regulus.redepegasus.com.br (redepegasus.com.br [200.195.61.136]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F48E43D54 for ; Sun, 13 Jun 2004 19:42:11 +0000 (GMT) (envelope-from jb@redepegasus.com.br) Received: from localhost (localhost.redepegasus.com.br [127.0.0.1]) by regulus.redepegasus.com.br (Postfix) with ESMTP id 04CC81722C for ; Sun, 13 Jun 2004 16:42:27 -0300 (BRT) Received: from regulus.redepegasus.com.br ([127.0.0.1])port 10024) with ESMTP id 06455-07 for ; Sun, 13 Jun 2004 16:42:26 -0300 (BRT) Received: by regulus.redepegasus.com.br (Postfix, from userid 85) id 7107C172C4; Sun, 13 Jun 2004 16:42:26 -0300 (BRT) Received: from zetabootis (zeta-bootis.redepegasus.com.br [200.195.61.253]) by regulus.redepegasus.com.br (Postfix) with ESMTP id D3EBA172C0 for ; Sun, 13 Jun 2004 16:42:25 -0300 (BRT) Message-ID: <013901c4517e$72f3dc90$fd3dc3c8@redepegasus.com.br> From: =?iso-8859-1?Q?Juli=E3o_Braga_-_Rede_Pegasus=AE?= To: References: Date: Sun, 13 Jun 2004 16:41:40 -0300 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on regulus.redepegasus.com.br X-Sanitizer: Advosys mail filter MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Subject: Re: ipfw + natd + stateful rules. For the archives X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jun 2004 19:42:13 -0000 And about the anti-spoofing rule using "verrevpath"? The man rule that "... drops all incoming packets that appear to be coming to the system on the wrong interface. For example, packet with a source address belonging to a host on a protected internal network would be dropped if it tried to enter the system from an external interface." : ipfw add deny ip from any to any not verrevpath in Don't is necessary? JB Pegasus Network Brazil > > Here is the /etc/ipfw.rules file with comments. > > #!/bin/sh > > ################ Start of IPFW rules file > ############################### > # Flush out the list before we begin. > ipfw -q -f flush > > # Set rules command prefix > cmd="ipfw -q add" > skip="skipto 800" > pif="rl0" # public interface name of Nic card > # facing the public internet > > > > ################################################################# > # No restrictions on Inside Lan Interface for private network > # Not needed unless you have Lan. > # Change xl0 to your Lan Nic card interface name > ################################################################# > $cmd 005 allow all from any to any via xl0 > > ################################################################# > # No restrictions on Loopback Interface > ################################################################# > $cmd 010 allow all from any to any via lo0 > > $cmd 014 divert natd ip from any to any in via $pif > > ################################################################# > # Allow the packet through if it has previous been added to the > # the "dynamic" rules table by an allow keep-state statement. > ################################################################# > $cmd 015 check-state > > ################################################################# > # Interface facing Public internet (Outbound Section) > # Interrogate session start requests originating from behind the > # firewall on the private network or from this gateway server > # destine for the public internet. > ################################################################# > > # Allow out access to my ISP's Domain name server. > # x.x.x.x must be the IP address of your ISP's DNS > # Dup these lines if your ISP has more than one DNS server > # Get the IP addresses from /etc/resolv.conf file > $cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup > keep-state > $cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif > keep-state > > # Allow out access to my ISP's DHCP server for cable/DSL > configurations. > $cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif > keep-state > > # Allow out non-secure standard www function > $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state > > # Allow out secure www function https over TLS SSL > $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state > > # Allow out send & get email function > $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state > $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state > > # Allow out FBSD (make install & CVSUP) functions > # Basically give user root "GOD" privileges. > $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid > root > > # Allow out ping > $cmd 080 $skip icmp from any to any out via $pif > > # Allow out Time > $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state > > # Allow out nntp news (IE: news groups) > $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state > > # Allow out secure FTP, Telnet, and SCP > # This function is using SSH (secure shell) > $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state > > # Allow out whois > $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state > > # Allow ntp time server > $cmd 130 $skip udp from any to any 123 out via $pif keep-state > > ################################################################# > # Interface facing Public internet (Inbound Section) > # Interrogate packets originating from the public internet > # destine for this gateway server or the private network. > ################################################################# > > # Deny all inbound traffic from non-routable reserved address spaces > $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 > private IP > $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 > private IP > $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 > private IP > $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback > $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback > $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP > auto-config > $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved > for doc's > $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun > cluster interconnect > $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D > & E multicast > > # Deny ident > $cmd 315 deny tcp from any to any 113 in via $pif > > # Deny all Netbios service. 137=name, 138=datagram, 139=session > # Netbios is MS/Windows sharing services. > # Block MS/Windows hosts2 name server requests 81 > $cmd 320 deny tcp from any to any 137 in via $pif > $cmd 321 deny tcp from any to any 138 in via $pif > $cmd 322 deny tcp from any to any 139 in via $pif > $cmd 323 deny tcp from any to any 81 in via $pif > > # Deny any late arriving packets > $cmd 330 deny all from any to any frag in via $pif > > # Deny ACK packets that did not match the dynamic rule table > $cmd 332 deny tcp from any to any established in via $pif > > # Allow traffic in from ISP's DHCP server. This rule must contain > # the IP address of your ISP's DHCP server as it's the only > # authorized source to send this packet type. > # Only necessary for cable or DSL configurations. > # This rule is not needed for 'user ppp' type connection to > # the public internet. This is the same IP address you captured > # and used in the outbound section. > $cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif > keep-state > > # Allow in standard www function because I have apache server > $cmd 370 allow tcp from any to me 80 in via $pif setup limit > src-addr 2 > > # Allow in secure FTP, Telnet, and SCP from public Internet > $cmd 380 allow tcp from any to me 22 in via $pif setup limit > src-addr 2 > > # Allow in non-secure Telnet session from public Internet > # labeled non-secure because ID & PW are passed over public > # internet as clear text. > # Delete this sample group if you do not have telnet server enabled. > $cmd 390 allow tcp from any to me 23 in via $pif setup limit > src-addr 2 > > # Allow in secure FTP, Telnet, and SCP from public Internet > $cmd 380 allow tcp from any to me 22 in via $pif setup limit > src-addr 2 > > # Allow in icmp responces > $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in via $pif > > # Reject & Log all unauthorized incoming connections from the public > internet > $cmd 400 deny log all from any to any in via $pif > > # Reject & Log all unauthorized out going connections to the public > internet > $cmd 450 deny log all from any to any out via $pif > > # This is skipto location for outbound stateful rules > $cmd 800 divert natd ip from any to any out via $pif > $cmd 801 allow ip from any to any > > # Everything else is denied by default > # deny and log all packets that fell through to see what they are > $cmd 999 deny log all from any to any > > > > ################ End of IPFW rules file > ############################### --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.701 / Virus Database: 458 - Release Date: 6/7/2004