Date: Thu, 01 Nov 2007 02:46:47 +0100 From: deeptech71@gmail.com To: freebsd-questions@freebsd.org Subject: Please check my IPFW ruleset Message-ID: <47293007.3090404@gmail.com>
next in thread | raw e-mail | index | archive | help
I'm making some ipfw rules, and I would appreciate if someone could
check these for me.
My intention is to create a replacement for a hardware router, which
basically works by allowing all outbound traffic, blocking all
unauthorized/unrequested inbound traffic, and has a setting (the so
called DMZ) to redirect all the unauthorized/unrequested packets to a
local computer. Plus I want to add something like remote telnet/ssh
capabilities to override the DMZ.
::::::::::::::::::::| ipfw.rules |::::::::::::::::::::
#!/bin/sh
dns="195.228.240.249,195.228.242.180"
lan="192.168.123.0/24"
ext="tun0"
int="rl0"
ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"
fa="from any"
ta="to any"
fata="$fa $ta"
reserved="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3"
########################################
$ipfw -f flush
$allow all $fata via lo0
$allow all $fata via $int
##### INBOUND #####
$block all $fa to $reserved in via $ext # ISP fuckup?
$nat all $fata in via $ext
$check
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext
# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4
$block all $fata in via $ext
##### OUTBOUND #####
# :: DEFINE SOME RESTRICTIONS HERE ? ::
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext
$block $fata
::::::::::::::::::::| eof ipfw.rules |::::::::::::::::::::
OK, questions...
# ISP fuckup? - does it make sense to defend against my ISP hacking me?
What does "divert natd" actually do? Does it only change the IP header?
Can I move the three lines
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext
to ahead of
$nat all $fata in via $ext ?
I'm curious about this one:
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext
For an outbound packet, rules should be keep-state, divert, allow, in
this order, as far as I know. What about these lines?
Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE
traffic only?
Did I miss anything?
Some other IPFW questions:
deny ip == deny all?
Why do I have to write "from any to any" all the time, when it just
means "independently of source and destination"? Why can't I write just
"drop all"?
Thank you very very much in advance :)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47293007.3090404>