Date: Fri, 6 Jul 2001 09:51:54 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "FreeBSD IPFW List" <freebsd-ipfw@freebsd.org>, "Robert Banniza" <robert@rootprompt.net>
Subject: RE: Still can't get it to work...
Message-ID: <NDBBIMKICMDGDMNOOCAIOEKLCOAA.patrick@mip.co.za>
In-Reply-To: <GMEDKMKMEBENJMBLDHAIGEFJEAAA.robert@rootprompt.net>
Robert,

I have a triple-homed firewall running fine on BSD. The rules are fairly simple. They are included below. These rules allow SSH support from outside. This is how I get to the servers for the customer, but you might not need the same. The DMZ has one server at present which runs mail, ftp and web. The rules are set accordingly. You should be able to use these rules, and just make some mods for yourself. I have not done anything about the RFC1918 addresses specifically, but that should be easy to do.

Here's the rc.firewall script:

############
#!/usr/local/bin/bash
# Perimeter
# Patrick O'Reilly - 17/06/2001

sleep 3

fwcmd="/sbin/ipfw -q"

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# Create a temporary rule to keep things running
#
${fwcmd} add 00001 allow ip from any to any

############
# Network Address Translation. All packets are passed to natd(8)
# before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# xl0 is the NIC facing the internet
${fwcmd} add 00100 divert natd ip from any to any via xl0

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 01000 allow ip from any to any via lo0
${fwcmd} add 01001 deny log ip from any to 127.0.0.0/8
${fwcmd} add 01010 allow icmp from any to any

# I intensely dislike Netbios!
${fwcmd} add 01100 deny log udp from any to any 137,138,139 via xl0

${fwcmd} add 01120 allow udp from any to any 53
${fwcmd} add 01120 allow udp from any 53 to any
# ${fwcmd} add 01130 allow udp from any to any

############
# Preliminary setup
#
${fwcmd} add 02000 allow tcp from any to any established

# Enable Patrick to login for support
${fwcmd} add 03000 allow tcp from #Patrick's IP# to #firewall internet ip# 22 setup
${fwcmd} add 03000 allow tcp from #Patrick's IP# to #mail server ip# 22 setup

# Allow pretty much anything to be set up going outward
${fwcmd} add 04000 allow tcp from #firewall internet ip# to any setup
${fwcmd} add 04000 allow tcp from #DMZ IP/Subnet# to any setup
${fwcmd} add 04000 allow tcp from 192.168.1.0/24 to any setup

############
# Access to the FTP server
#
# At present this is for use by business partners only
${fwcmd} add 05000 allow tcp from #known external ip# to #ftp server ip#
${fwcmd} add 05000 allow tcp from #ftp server ip# to #known external ip#

# Use these rules if you want to run a public FTP server
# ${fwcmd} add 05010 allow tcp from any to #ftp server ip# 21
# ${fwcmd} add 05010 allow tcp from #ftp server ip# 20 to any

############
# Access to the WEB server
#
${fwcmd} add 06000 allow tcp from any to #web server ip# 80,443

############
# Access to the MAIL server
#
${fwcmd} add 07000 allow tcp from any to #mail server ip# 25
${fwcmd} add 07100 allow tcp from 192.168.1.0/24 to #mail server ip# 110

# This is so that staff can POP their email from home!
# I hate having holes like this open, but if the customer wants it ...
${fwcmd} add 07200 allow tcp from any to #mail server ip# 110

# I manually insert this rule ahead of 65535 so that I can
# log what gets denied
${fwcmd} add 65530 deny log ip from any to any

############
# Delete the temporary rule
#
${fwcmd} delete 00001

############
End of rc.firewall script.

I hope this helps,

Regards,
Patrick O'Reilly.

-----------------
A little knowledge is dangerous... FEAR ME!
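Two of Robert's items that Patrick's script leaves open are RFC1918 anti-spoofing on xl0 (which Patrick says is easy to add) and keeping the DMZ from reaching the internal LAN (rule 04000 lets the DMZ set up TCP to any address, which includes the LAN). The following is an added example, not from either message, of rules that close both gaps; it uses the interface names and networks from Robert's post, while the rule numbers 01050-01061 and the FWCMD variable are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of Patrick's rc.firewall: rules for the two items in
# Robert's list that the script above leaves open. Interface names and networks
# are the ones Robert gave; the rule numbers 01050-01061 and the FWCMD variable
# are my own choices, assumed to slot in between Patrick's 01010 icmp rule and
# his 01100 netbios rule. FWCMD defaults to "echo" so the generated rules can be
# previewed; set FWCMD="/sbin/ipfw -q" to load them for real.
fwcmd="${FWCMD:-echo}"
ext_if="xl0"                    # internet-facing NIC
dmz_if="fxp1"                   # DMZ NIC
int_net="192.168.1.0/24"        # internal LAN
dmz_net="208.53.161.252/30"     # DMZ, real addresses

# Anti-spoofing (Robert's item 4): RFC1918 source addresses never legitimately
# arrive from the internet. "in via xl0" matches only packets entering on the
# external NIC, so LAN traffic NATed outward by rule 00100 is unaffected and
# the loopback rule 01000 has already passed local traffic. Denials are logged.
antispoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ${fwcmd} add 01050 deny log ip from "$net" to any in via "$ext_if"
    done
}

# DMZ isolation (Robert's item 3): Patrick's rule 04000 lets the DMZ set up
# TCP to any address, which includes the internal LAN. Denying only "setup"
# packets blocks new connections from the DMZ while replies to sessions the
# LAN opened still reach rule 02000 (established). DNS answers from port 53
# are passed explicitly, mirroring Patrick's 01120; all other UDP from the
# DMZ to the LAN is dropped. ICMP was already allowed by 01010; anything
# else falls through to the 65530 deny.
dmz_isolation_rules() {
    ${fwcmd} add 01060 allow udp from "$dmz_net" 53 to "$int_net" in via "$dmz_if"
    ${fwcmd} add 01061 deny log tcp from "$dmz_net" to "$int_net" in via "$dmz_if" setup
    ${fwcmd} add 01061 deny log udp from "$dmz_net" to "$int_net" in via "$dmz_if"
}

antispoof_rules
dmz_isolation_rules
```

Because the numbers sit before 01100, these rules are evaluated ahead of every allow in Patrick's set except loopback and icmp, which is what makes the deny effective.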
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Robert Banniza
Sent: 06 July 2001 06:56
To: freebsd-ipfw@FreeBSD.ORG
Subject: Still can't get it to work...

I cannot for the absolute life of me get IPFW to work with three NICs. All I want to do is to:

1) Pass all traffic from internal network (192.168.1.0/24) to go out to 'net or to the DMZ.
2) Allow 22,25,53(udp),80,443 traffic in to the DMZ. DMZ is using real IP addresses (208.53.161.252/30)
3) Allow no traffic from DMZ to flow back into internal network.
4) Block external interface from RFC1918 spoofed addresses

My network is broken up into the following segments:

xl0 - external interface (208.53.161.248/30)
fxp0 - internal interface (192.168.1.0/24)
fxp1 - optional interface (208.53.161.252/30)

I'm using default deny which I feel is safest and compensates for human error more so than default allow. I have looked on the web for a DMZ HOWTO and can't find one. Would any of you have rules that do this? I'm about ready to say fuck it and stick with the Firebox.

Guys, I certainly would appreciate any help with rules on this. I'm tired of fighting with this thing.

Robert

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message