From: Tony Frank
To: Marc Silver
cc: freebsd-ipfw@freebsd.org
Date: Thu, 22 Jan 2004 01:30:48 +1100
Subject: Re: dialup firewalling
Message-ID: <20040121143048.GA62883@marvin.home.local>
In-Reply-To: <20040121132610.GX70495@draenor.org>

Hi Marc,

On Wed, Jan 21, 2004 at 01:26:10PM +0000, Marc Silver wrote:
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0

For dialup using user-ppp I prefer to use the ppp built-in nat functionality.
You also probably want some rules upfront for loopback, although the 'me to any' likely covers it:

From /etc/rc.firewall:

${fwcmd} add 100 allow all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established

> # Allow internet users to connect to the port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

Looks ok.

> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

I personally have never seen a use for 13 & 14 (timestamp) so would block these also.

Hope it helps,

Tony
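The ruleset the thread converges on, assembled as a loadable script (an added example, not code from either poster or from FreeBSD's rc.firewall). It assumes user-ppp does the NAT so no divert rule is needed, that the ICMP timestamp types 13 and 14 are dropped as Tony suggests, and it ends with an explicit default deny, which is this example's own addition; FWCMD can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example: dialup ipfw ruleset from the thread with Tony's suggestions
# applied. Assumes NAT is done by user-ppp ("nat enable yes" in ppp.conf),
# so there is no divert/natd rule. FWCMD defaults to ipfw; set FWCMD=echo
# to print what would be loaded without touching the running firewall.

: "${FWCMD:=/sbin/ipfw}"

# Emit the rules in load order, one argument list per line.
dialup_ruleset() {
    cat <<'EOF'
-f flush
add 100 allow all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add check-state
add allow ip from me to any keep-state
add deny tcp from any to any established
add allow tcp from any to me dst-port 22,80 setup keep-state
add allow icmp from any to any icmptypes 0,3,8,11,12
add deny log all from any to any
EOF
}
# The final "deny log" is an assumption of this example (not in the thread):
# it makes the default-deny explicit rather than relying on the kernel build.

# Feed each line to $FWCMD; stop at the first rule that fails to load.
load_ruleset() {
    dialup_ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into words is intended
        $FWCMD $rule || return 1
    done
}

# True if any ICMP allow rule still admits timestamp types 13 or 14.
allows_icmp_timestamp() {
    dialup_ruleset | grep -E '^add allow icmp' \
        | grep -Eq '(^|[, ])1[34]([, ]|$)'
}

# True if a divert rule is present (should not be when ppp does the NAT).
has_divert_rule() {
    dialup_ruleset | grep -q '^add divert'
}
```

Run with `FWCMD=echo sh dialup-fw.sh` (assumed file name) to review the exact rules before loading them for real.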