Date:      Mon, 1 Sep 2003 13:24:30 +0200 (CEST)
From:      "Arvinn" <arvinn@sandakeronline.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw with four interfaces
Message-ID:  <4438.212.71.64.140.1062415470.squirrel@webmail.sandakeronline.com>

This FreeBSD 4.x system with ipfw1 has four interfaces:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet w.x.y.81 netmask 0xfffffff0 broadcast w.x.y.95
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
xl2 is the interface that is connected back-to-back with the router.

As you can see, hosts on xl0 and xl1 need to get translated in order to
get on the Internet. The dmz is for a few web-servers, a mailserver and a
vpn-gateway I will be setting up later. I have a hard time getting this
design to actually work with deny ip from any to any in the bottom of the
ruleset.

I thought my tcp/ip skills were proper but after I started dealing with
this I feel like a complete noob.

Here are the rules I have written so far:

# more fwrules
fwcmd="/sbin/ipfw"
extif="xl2"
dmzif="fxp0"
lanif="xl0"
motorif="xl1"

$fwcmd -f flush
###
$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8
$fwcmd add 300 deny ip from 127.0.0.0/8 to any
$fwcmd add 500 deny tcp from any to any in via any tcpflags syn,fin
$fwcmd add 600 deny ip from any to any in via any frag
###
$fwcmd add 900 allow tcp from an.outside.net.work to me ssh in via $extif
# This one passes packets to natd. If I knew how to divert only rfc1918
# addresses to natd I would do that.
# In the meantime I have configured natd with the unregistered-flag.
$fwcmd add 950 divert natd all from any to any via $extif
# Allow http to the whole dmz from Internet:
$fwcmd add 1000 allow tcp from any to w.x.y.80/28 http via $extif
# Allow smtp and pop3 to the mailserver from Internet:
$fwcmd add 1050 allow tcp from any to w.x.y.84 smtp,pop3 via $extif
#
# With the following rules I want to allow all traffic between my own
# segments:
$fwcmd add 1200 allow ip from any to any via $dmzif
$fwcmd add 1250 allow ip from any to any via $lanif
$fwcmd add 1300 allow ip from any to any via $motorif
# Allow all traffic out to Internet:
$fwcmd add 2000 allow ip from any to any out via $extif
# Allow all icmp for testing purposes until I get the firewall rules working:
$fwcmd add 3000 allow icmp from any to any via any

# Blocking ports out to Internet that I don't like:
$fwcmd add 1300 deny tcp from any to any 135-139 out via $extif
$fwcmd add 1350 deny tcp from any to any 445 out via $extif
###
# Blocking everything else:
$fwcmd add 65000 deny ip from any to any
#

When I load these rules it looks like "nothing" but icmp works. The
computers on the rfc1918 addresses can't speak tcp (and probably udp
as well) and the computers on the dmz can't either. I feel I don't
understand this properly. There must be some basic errors with my ruleset.
Will it help me to put this in at the top?

 $fwcmd add 50 check-state

...and then use keep-state on all my allow rules?

Can someone please:

I would be grateful for all kinds of answers.

Arvinn
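As an added example (not part of the original post or any reply to it), the following Python script models the ipfw semantics the ruleset above depends on: first match in rule-number order, `divert` handing the packet back to the next rule after natd rewrites it, and dynamic rules created by `keep-state` that are keyed on protocol, addresses and ports but not on the interface. It then traces one TCP connection from a LAN host through the posted rules, through the poster's proposed fix (check-state at rule 50), and through a variant with check-state placed after the divert rule. The interface names are the post's; natd's alias address (192.0.2.1), the DMZ stand-in network (203.0.113.80/28) and the host and port numbers are constructed. The lo0, sanity and ssh rules are left out because they do not touch this trace.

```python
import ipaddress

EXTIF, DMZIF, LANIF, MOTORIF = "xl2", "fxp0", "xl0", "xl1"   # interface roles from the post
EXT_ADDR = "192.0.2.1"        # constructed: natd's alias address on xl2 (not given in the post)
DMZ_NET = "203.0.113.80/28"   # constructed stand-in for the post's w.x.y.80/28
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def net(s):
    return None if s == "any" else ipaddress.ip_network(s, strict=False)

def rule(num, action, proto="ip", dst="any", dports=(), via=None, direction=None,
         keep_state=False):
    return dict(num=num, action=action, proto=proto, dst=net(dst), dports=set(dports),
                via=via, direction=direction, keep_state=keep_state)

def matches(r, p):
    """Static part of an ipfw match: protocol, destination, ports, interface, direction."""
    if r["proto"] != "ip" and r["proto"] != p["proto"]:
        return False
    if r["dst"] and ipaddress.ip_address(p["dst"]) not in r["dst"]:
        return False
    if r["dports"] and p.get("dport") not in r["dports"]:
        return False
    if r["via"] and r["via"] != p["iface"]:
        return False
    return r["direction"] in (None, p["direction"])

def flow(p):
    return (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))

def reverse_flow(p):
    return (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))

class Natd:
    """Model of 'natd -unregistered_only': only RFC1918 sources are rewritten."""
    def __init__(self):
        self.table = {}   # (proto, port) -> original private source address

    def translate(self, p):
        if p["direction"] == "out" and any(ipaddress.ip_address(p["src"]) in n for n in RFC1918):
            self.table[(p["proto"], p["sport"])] = p["src"]
            return dict(p, src=EXT_ADDR)
        if p["direction"] == "in" and (p["proto"], p.get("dport")) in self.table:
            return dict(p, dst=self.table[(p["proto"], p["dport"])])
        return p

def evaluate(rules, p, natd, state):
    """Walk the rules in number order; first match wins. Returns (verdict, rule number, packet)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["action"] == "check-state" or r["keep_state"]:
            if flow(p) in state or reverse_flow(p) in state:
                return "allow", r["num"], p   # dynamic rule matched; the interface is not part of it
            if r["action"] == "check-state":
                continue
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd.translate(p)   # natd hands the packet back; matching resumes at the next rule
            continue
        if r["keep_state"]:
            state.add(flow(p))
        return r["action"], r["num"], p
    return "deny", 65535, p   # ipfw's implicit default rule

def ruleset(check_state_at=None):
    """The rules from the post that this trace touches (lo0, sanity and ssh rules omitted).
    With check_state_at=None it is the post's ruleset; a number adds 'check-state' at that
    position and 'keep-state' on the three inside-interface allow rules."""
    stateful = check_state_at is not None
    rules = [
        rule(950, "divert", via=EXTIF),
        rule(1000, "allow", "tcp", dst=DMZ_NET, dports={80}, via=EXTIF),
        rule(1050, "allow", "tcp", dst="203.0.113.84", dports={25, 110}, via=EXTIF),
        rule(1200, "allow", via=DMZIF, keep_state=stateful),
        rule(1250, "allow", via=LANIF, keep_state=stateful),
        rule(1300, "allow", via=MOTORIF, keep_state=stateful),
        rule(2000, "allow", direction="out", via=EXTIF),
        rule(3000, "allow", "icmp"),
        rule(65000, "deny"),
    ]
    if stateful:
        rules.append(rule(check_state_at, "check-state"))
    return rules

def trace_lan_connection(rules):
    """A LAN host opens TCP/80 to an Internet host (constructed addresses). Returns the source
    address the SYN leaves xl2 with, and the verdict, rule and destination of the reply."""
    natd, state = Natd(), set()
    syn = dict(proto="tcp", src="192.168.0.5", sport=40000, dst="198.51.100.7", dport=80)
    evaluate(rules, dict(syn, iface=LANIF, direction="in"), natd, state)      # arrives on xl0
    _, _, egress = evaluate(rules, dict(syn, iface=EXTIF, direction="out"), natd, state)
    reply = dict(proto="tcp", src="198.51.100.7", sport=80, dst=EXT_ADDR, dport=40000,
                 iface=EXTIF, direction="in")
    verdict, num, pkt = evaluate(rules, reply, natd, state)
    return {"egress_src": egress["src"], "reply": verdict, "reply_rule": num, "reply_dst": pkt["dst"]}

if __name__ == "__main__":
    for label, rules in (("as posted", ruleset()),
                         ("check-state 50, before divert", ruleset(50)),
                         ("check-state 960, after divert", ruleset(960))):
        print(f"{label:30} {trace_lan_connection(rules)}")
```

Run as a script, the three traces show where the posted design breaks. As posted, the SYN leaves xl2 translated and is allowed by rule 2000, but the reply, once natd has turned its destination back into 192.168.0.5, matches nothing until rule 65000: there is no rule that admits returning traffic on the external interface, which is why only ICMP (rule 3000) appears to work. With check-state at 50 and keep-state on the inside rules, the outbound packet on xl2 matches its own dynamic rule before it ever reaches the divert at 950 and leaves with its private source address, so no reply can come back at all. With check-state placed after the divert (960 in the model), the translated reply is matched against the dynamic rule created on xl0 and passed. DMZ hosts' outbound connections follow the same path through rule 1200. The non-stateful ipfw1 alternative is an `allow tcp from any to any established in via $extif` rule placed after the divert, which admits ACK/RST packets on the external interface without tracking connections.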


