Date:      Sun, 19 Oct 2003 18:23:59 +0100
From:      "chris scott" <chris.scott@uk.tiscali.com>
To:        "Dan" <dan@ntlbusiness.com>, "Barney Wolff" <barney@databus.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW.
Message-ID:  <02d601c39665$c8f664c0$c4102c0a@viper>
References:  <200310191532.40136.dan@ntlbusiness.com><200310191704.42446.dan@ntlbusiness.com><20031019161948.GB46989@pit.databus.com> <200310191721.06509.dan@ntlbusiness.com>

Here is a simple firewall that should do what you need and be stateful.
The key thing to remember is not to add any stateful stuff (keep-state
rules) before the divert rule for natd, as it really screws things up.
Note I have put in a fairly open static rule for ssh before the divert
rule; you may want to tighten this, along with changing the internal
network ranges and interfaces. The reason for the static ssh rule is to
safeguard against the case where natd dies. If it does you are totally
locked out of the box due to all the traffic disappearing into the divert
rule, not good. Hope this helps some.


#!/usr/local/bin/bash
fwcmd="/sbin/ipfw "
${fwcmd} -q  flush

extif="tun0"
intif="xl0"
intnet="192.168.0.0/24"


# speedup for rule processing
${fwcmd} add skipto 20000 all from any to any via ${intif}
${fwcmd} add skipto 30000 all from any to any via lo0


# lets give ssh a bit more protection

${fwcmd} add allow tcp from any 22 to any out via ${extif}
${fwcmd} add allow tcp from any to any 22 in via ${extif}

# stop priv networks being spoofed
${fwcmd} add deny all from any to 172.16.0.0/12 in via ${extif}
${fwcmd} add deny all from any to 10.0.0.0/8 in via ${extif}
${fwcmd} add deny all from any to 192.168.0.0/16 in via ${extif}

# let natd do its biz
${fwcmd}  add  divert natd  all from any to any via ${extif}


# let connections out
${fwcmd} add allow tcp from any to any out via ${extif} keep-state
${fwcmd} add allow udp from any to any out via ${extif} keep-state
${fwcmd} add allow icmp from any to any out via ${extif} keep-state

# let priv networks thru now we are nated
${fwcmd} add allow all from any to 172.16.0.0/12 in via ${extif}
${fwcmd} add allow all from any to 10.0.0.0/8 in via ${extif}
${fwcmd} add allow all from any to 192.168.0.0/16 in via ${extif}

# and bog off to the rest of you
${fwcmd} add deny log all from any to any via ${extif}

##################################################################################
# lock down internal interface, also acts as a 2nd pass firewall for nated traffic
##################################################################################

${fwcmd} add 20000 allow tcp from ${intnet} 22 to ${intnet} out via ${intif}
${fwcmd} add allow tcp from ${intnet} to ${intnet} 22 in via ${intif}
${fwcmd} add allow tcp from ${intnet} to any keep-state in via ${intif}
${fwcmd} add allow udp from ${intnet} to any keep-state in via ${intif}
${fwcmd} add allow icmp from ${intnet} to any keep-state in via ${intif}
${fwcmd} add deny all from any to any via ${intif}

${fwcmd} add 30000 allow ip from any to any via lo0


----- Original Message ----- 
From: "Dan" <dan@ntlbusiness.com>
To: "Barney Wolff" <barney@databus.com>
Cc: <freebsd-net@freebsd.org>
Sent: Sunday, October 19, 2003 5:21 PM
Subject: Re: IPFW.


> On Sunday 19 October 2003 5:19 pm, you wrote:
> > First, as somebody else suggested, either use numbers on every rule
> > or none at all.  Second, you want to keep-state only on setup, not
> > on every tcp packet going in either direction, as that will be wide
> > open.  Third, you don't seem to have any rule allowing udp, so dns
> > lookups are not likely to work.  Fourth, did you actually put the
> > rules into effect?  If so, you should see entries in the logs when
> > packets are denied.  Fifth, the rule with 192.168 in it will never
> > fire, as the address will have been translated by natd before it
> > gets there.
> >
> > Doing ipfw list will show you the rules that exist, and ipfw -atde list
> > will show you which rules have matched and when.
>
> Hmm .. Ok thanks again for your reply.
> I probably understood 5% of that though ;)
> I will go and search on google for some of the pointers you've given me .. but
> I am finding this really hard..it took me absolutely ages just to get that
> far.
>
> Once again thanks for your help!
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
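An added check, not part of chris scott's post and not FreeBSD's own tooling: a small POSIX sh/awk lint that reads a ruleset in `ipfw list` format and verifies the two ordering properties the post above relies on, (1) no keep-state or check-state rule is numbered before the divert rule on the external interface, so dynamic state is only created on post-NAT packets, and (2) a static allow for inbound tcp/22 on that interface sits ahead of the divert rule, so ssh still works when natd is not running. The interface name tun0, the two listings embedded below (one mirroring the posted script, one with both mistakes the post warns about) and the `divert 8668` token (natd's default divert port; the lint keys on the word `divert` only, so a listing that prints `divert natd` is handled the same way) are assumptions constructed for this example.

```shell
#!/bin/sh
# Offline lint for an ipfw ruleset in `ipfw list` format (added example, not
# code from the post).  Two ordering checks, following the reasoning in the post:
#   1. no keep-state/check-state rule may come before the `divert` rule on the
#      external interface: state must be created on post-NAT packets;
#   2. a static `allow tcp ... 22 in via <extif>` must precede the divert rule,
#      so ssh survives natd dying.
# Assumptions: external interface tun0; natd on its default divert port 8668,
# which is what the listing shows after "divert" (the lint keys on the word
# "divert" only, so "divert natd" is accepted too).

# lint_ipfw_ruleset EXTIF   (ruleset on stdin)  -> prints findings, exit 0/1
lint_ipfw_ruleset() {
    awk -v extif="$1" '
        # first field is the rule number; ipfw evaluates rules in ascending order
        { n = $1 + 0 }
        /divert/ && $0 ~ ("via " extif) && !divert                    { divert = n }
        /keep-state|check-state/ && (!state_min || n < state_min)      { state_min = n }
        /^[0-9]+ allow tcp / && / 22 / && $0 ~ ("in via " extif) && !ssh_in { ssh_in = n }
        END {
            if (!divert) { print "no divert rule on " extif; exit 1 }
            ok = 1
            if (state_min && state_min < divert) {
                print "stateful rule " state_min " precedes divert rule " divert
                ok = 0
            }
            if (!ssh_in || ssh_in > divert) {
                print "no static ssh allow before divert rule " divert
                ok = 0
            }
            if (ok) print "ok: divert at " divert ", first stateful rule at " state_min
            exit (ok ? 0 : 1)
        }'
}

# Constructed listing mirroring the posted script (numbers as ipfw assigns
# them with auto-numbering, step 100; 65535 is the default deny).
GOOD_RULES='00100 skipto 20000 ip from any to any via xl0
00200 skipto 30000 ip from any to any via lo0
00300 allow tcp from any 22 to any out via tun0
00400 allow tcp from any to any 22 in via tun0
00500 deny ip from any to 172.16.0.0/12 in via tun0
00600 deny ip from any to 10.0.0.0/8 in via tun0
00700 deny ip from any to 192.168.0.0/16 in via tun0
00800 divert 8668 ip from any to any via tun0
00900 allow tcp from any to any out via tun0 keep-state
01000 allow udp from any to any out via tun0 keep-state
01100 allow icmp from any to any out via tun0 keep-state
01200 allow ip from any to 172.16.0.0/12 in via tun0
01300 allow ip from any to 10.0.0.0/8 in via tun0
01400 allow ip from any to 192.168.0.0/16 in via tun0
01500 deny log ip from any to any via tun0
20000 allow tcp from 192.168.0.0/24 22 to 192.168.0.0/24 out via xl0
20100 allow tcp from 192.168.0.0/24 to 192.168.0.0/24 22 in via xl0
20200 allow tcp from 192.168.0.0/24 to any in via xl0 keep-state
20300 deny ip from any to any via xl0
30000 allow ip from any to any via lo0
65535 deny ip from any to any'

# Constructed listing with both mistakes the post warns about: keep-state
# ahead of the divert rule, and no static ssh rule at all.
BAD_RULES='00100 allow tcp from any to any out via tun0 keep-state
00200 divert 8668 ip from any to any via tun0
00300 allow ip from any to 192.168.0.0/16 in via tun0
00400 deny log ip from any to any via tun0
65535 deny ip from any to any'

if [ -n "$1" ]; then
    # lint a live listing, e.g.:  ipfw list | sh ipfw-lint.sh tun0
    lint_ipfw_ruleset "$1"
else
    echo "== ruleset mirroring the post (expect ok):"
    printf '%s\n' "$GOOD_RULES" | lint_ipfw_ruleset tun0 || echo "== FAIL"
    echo "== keep-state before divert, no static ssh rule (expect findings):"
    printf '%s\n' "$BAD_RULES" | lint_ipfw_ruleset tun0 || echo "== FAIL (as expected)"
fi
```

Run it against the live rules (`ipfw list | sh ipfw-lint.sh tun0`, a hypothetical file name) before wiring a new ruleset into rc.conf, since the lockout the post describes is exactly the failure you want to catch before the console is your only way in. It checks ordering only: it cannot tell whether the keep-state rules themselves are too broad, for instance keep-state on every tcp packet rather than on connection setup, which is the point Barney raises in the quoted reply.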



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?02d601c39665$c8f664c0$c4102c0a>