Date:      Tue, 23 Jun 2009 05:44:03 +0300
From:      Anton <anton@sng.by>
To:        freebsd-questions@freebsd.org
Cc:        Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
Subject:   Need some further help on ipfw rules
Message-ID:  <1203880385.20090623054403@sng.by>


   Hello freebsd-questions,

     Finally, I've got my ipfw firewall working with two NATs (one for
   local resources provided by the ISP, one for the VPN, which leads me to
   the Internet).

   But I need further help on it :-(

   Here are my rules:

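   #!/bin/sh
   #
   # ipfw ruleset for a gateway with two divert NATs:
   #   natd on port 8667 -> ISP-provided "free" resources (table 12) via ${adsl_out}
   #   natd on port 8668 -> everything else via the VPN tunnel ${vpn_out}
   # LAN hosts in ${mynet} sit behind ${if_loc}.
   #
   # Run as root. Every ipfw call is quiet (-q), so a rejected rule is NOT
   # reported; rerun a failing line by hand without -q when debugging.

   # Intentionally left unquoted at each use: word-splits into the binary and
   # its -q flag.
   ipfw='/sbin/ipfw -q'

   mynet='192.168.0.0/24'
   myprefix='192.168.0.'

   adsl_out='xl0'        # ISP link; only the table(12) networks are reached here
   vpn_out='ng0'         # VPN tunnel; default route to the Internet
   if_loc='rl0'          # LAN side
   gw_loc='10.30.100.5'  # not referenced by any rule below; kept for reference

   # Networks reachable over the ISP link without the VPN (loaded into
   # ipfw table 12). Order is irrelevant: the table is a lookup structure.
   free_res='
     81.25.32.5/32   81.25.32.6/32   81.25.32.13/32  81.25.32.15/32
     81.25.32.25/32  81.25.32.34/32  81.25.32.30/32  81.25.32.67/32
     81.25.32.48/32  81.25.32.40/32  81.25.32.68/32  81.25.32.69/32
     81.25.32.70/32  81.25.32.71/32  81.25.32.81/32  81.25.32.82/32
     81.25.32.96/32  72.167.232.126/32  81.25.32.97/32  81.25.34.96/28
   '

   ${ipfw} -f flush
   ${ipfw} table 12 flush
   ${ipfw} -f pipe flush
   ${ipfw} -f queue flush

   # Per-host bandwidth limits: pipe 1 is applied to traffic coming in from
   # the VPN (download), pipe 2 to traffic going out to it (upload).
   ${ipfw} pipe 1 config bw 40Kbyte/s queue 50
   ${ipfw} pipe 2 config bw 15Kbyte/s queue 50

   # Fill the free-resources table. ${free_res} is deliberately unquoted so
   # the list splits into one argument per network.
   for net in ${free_res}; do
     ${ipfw} table 12 add "${net}"
   done

   # ICMP: drop fragments, and on both external links drop redirect (5),
   # router advertisement (9), timestamp (13/14), info (15/16) and address
   # mask (17) messages.
   ${ipfw} add 1 deny icmp from any to any frag
   ${ipfw} add 2 deny icmp from any to any in via ${adsl_out} icmptype 5,9,13,14,15,16,17
   ${ipfw} add 2 deny icmp from any to any in via ${vpn_out} icmptype 5,9,13,14,15,16,17

   # Dynamic rules created by keep-state below are matched here.
   ${ipfw} add 3 check-state
   ${ipfw} add 4 allow all from any to any via lo0
   ${ipfw} add 4 allow all from any to any via ${if_loc}

   # Allow the gateway itself everything; replies come back via check-state.
   ${ipfw} add 5 allow all from me to any keep-state

   # Free resources: NAT on the ISP link and let the LAN reach them.
   ${ipfw} add 6 divert 8667 ip from 'table(12)' to any in via ${adsl_out}
   ${ipfw} add 7 divert 8667 ip from any to 'table(12)' out via ${adsl_out}
   ${ipfw} add 8 allow all from ${mynet} to 'table(12)' out via ${adsl_out}
   ${ipfw} add 9 allow all from 'table(12)' to ${mynet} in via ${adsl_out}

   # NAT to the Internet over the VPN for everything not in table 12.
   ${ipfw} add 10 divert 8668 ip from any to any in via ${vpn_out}
   ${ipfw} add 11 divert 8668 ip from any to not 'table(12)' out via ${vpn_out}
   # NOTE(review): natd re-injects an outbound packet after the divert rule
   # with its source rewritten to this gateway's own address, so rules 8
   # and 80-95 ("from ${myprefix}NN ... out via") presumably never see a
   # LAN source on the way out; such traffic would then fall through to
   # rule 27199 ("from me"). Confirm before relying on the per-host rules
   # for outbound policy -- moving them ahead of the divert is one option.

   # Deny access to unroutable networks. 10.0.0.0/8 is only rejected on the
   # VPN side, presumably because the ISP gateway ${gw_loc} lives in it.
   ${ipfw} add 12 reject all from any to 10.0.0.0/8 in via ${vpn_out}
   ${ipfw} add 13 reject all from any to 172.16.0.0/12 in via ${adsl_out}
   ${ipfw} add 14 reject all from any to 172.16.0.0/12 in via ${vpn_out}
   ${ipfw} add 15 reject all from any to 0.0.0.0/8 in via ${adsl_out}
   ${ipfw} add 16 reject all from any to 0.0.0.0/8 in via ${vpn_out}
   ${ipfw} add 17 reject all from any to 169.254.0.0/16 in via ${adsl_out}
   ${ipfw} add 18 reject all from any to 169.254.0.0/16 in via ${vpn_out}

   # Multicast / reserved destinations
   ${ipfw} add 19 reject all from any to 224.0.0.0/4 in via ${adsl_out}
   ${ipfw} add 20 reject all from any to 224.0.0.0/4 in via ${vpn_out}
   ${ipfw} add 21 reject all from any to 240.0.0.0/4 in via ${adsl_out}
   ${ipfw} add 22 reject all from any to 240.0.0.0/4 in via ${vpn_out}

   # Deny access from unroutable networks (same asymmetry for 10/8 as above)
   ${ipfw} add 23 reject all from 10.0.0.0/8 to any in via ${vpn_out}
   ${ipfw} add 24 reject all from 172.16.0.0/12 to any in via ${adsl_out}
   ${ipfw} add 25 reject all from 172.16.0.0/12 to any in via ${vpn_out}
   ${ipfw} add 26 reject all from 0.0.0.0/8 to any in via ${adsl_out}
   ${ipfw} add 27 reject all from 0.0.0.0/8 to any in via ${vpn_out}
   ${ipfw} add 28 reject all from 169.254.0.0/16 to any in via ${adsl_out}
   ${ipfw} add 29 reject all from 169.254.0.0/16 to any in via ${vpn_out}

   # Multicast / reserved sources
   ${ipfw} add 30 reject all from 224.0.0.0/4 to any in via ${adsl_out}
   ${ipfw} add 31 reject all from 224.0.0.0/4 to any in via ${vpn_out}
   ${ipfw} add 32 reject all from 240.0.0.0/4 to any in via ${adsl_out}
   ${ipfw} add 33 reject all from 240.0.0.0/4 to any in via ${vpn_out}

   # Sasser & NetBIOS/SMB ports, both directions, TCP and UDP
   ${ipfw} add 34 reject tcp from any to any 137-139,445,1022,1023
   ${ipfw} add 35 reject tcp from any 137-139,445,1022,1023 to any
   ${ipfw} add 36 reject udp from any to any 137-139,445,1022,1023
   ${ipfw} add 37 reject udp from any 137-139,445,1022,1023 to any

   # Other defence: stray FINs, "Christmas tree" and null TCP flag
   # combinations, spoofed sources (reverse-path check), and a few
   # management/discovery ports that must never be reachable from outside.
   ${ipfw} add 38 reject tcp from any to any not established tcpflags fin
   ${ipfw} add 39 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
   ${ipfw} add 40 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
   ${ipfw} add 41 deny log ip from any to any not verrevpath in
   ${ipfw} add 42 deny tcp from any to any 20-23,1900,2869,3389,5900 in via ${adsl_out}
   ${ipfw} add 43 deny tcp from any to any 20-23,1900,2869,3389,5900 in via ${vpn_out}
   ${ipfw} add 44 deny udp from any to any 1900,2869 in via ${adsl_out}
   ${ipfw} add 45 deny udp from any to any 1900,2869 in via ${vpn_out}

   # Hosts with everyday access. Traffic *to* a LAN host arrives "in via"
   # the VPN, so every "from any to ${myprefix}NN" rule uses "in via"
   # (the original had "out via" on 85/87/89/91/93/95, which can never
   # match a packet addressed to a LAN host and so left those hosts
   # falling through to the final deny).
   ${ipfw} add 80 pipe 2 all from ${myprefix}50 to any out via ${vpn_out}
   ${ipfw} add 81 pipe 1 all from any to ${myprefix}50 in via ${vpn_out}
   ${ipfw} add 82 allow all from ${myprefix}50 to any out via ${vpn_out}
   ${ipfw} add 83 allow all from any to ${myprefix}50 in via ${vpn_out}
   ${ipfw} add 84 allow all from ${myprefix}51 to any out via ${vpn_out}
   ${ipfw} add 85 allow all from any to ${myprefix}51 in via ${vpn_out}
   ${ipfw} add 86 pipe 2 all from ${myprefix}52 to any out via ${vpn_out}
   ${ipfw} add 87 pipe 1 all from any to ${myprefix}52 in via ${vpn_out}
   ${ipfw} add 88 allow all from ${myprefix}52 to any out via ${vpn_out}
   ${ipfw} add 89 allow all from any to ${myprefix}52 in via ${vpn_out}
   ${ipfw} add 90 allow all from ${myprefix}70 to any out via ${vpn_out}
   ${ipfw} add 91 allow all from any to ${myprefix}70 in via ${vpn_out}
   ${ipfw} add 92 allow all from ${myprefix}71 to any out via ${vpn_out}
   ${ipfw} add 93 allow all from any to ${myprefix}71 in via ${vpn_out}
   ${ipfw} add 94 allow all from ${myprefix}250 to any out via ${vpn_out}
   ${ipfw} add 95 allow all from any to ${myprefix}250 in via ${vpn_out}

   # Anything the gateway itself sends (including NATed packets, whose source
   # is now "me") is allowed; everything else is logged and dropped.
   ${ipfw} add 27199 allow all from me to any
   ${ipfw} add 27200 deny log logamount 50000 all from any to any

   echo "Loaded"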

   I still cannot work out two things:

          1) Why, if there is no rule 27199, I have no access to the
   Internet from IP 192.168.0.50. Likewise, if I delete rule 83, I have no
   access to the Internet (it is behind the VPN), but I still have access
   to local resources.

          2) I need to organize everyday access for all hosts in my
   network on ports 27015-27050 TCP and UDP (it is Steam & Counter-Strike).

   Adding rules like this: allow tcp from ${mynet} to any 27015-27050
   out via ${vpn_out}, allow tcp from any 27015-27050 to ${mynet} in
   via ${vpn_out} & allow udp from ${mynet} to any 27015-27050 out via
   ${vpn_out}, allow udp from any 27015-27050 to ${mynet} in via
   ${vpn_out} - does not help at all.

   --

   --

   Best regards,

    Anton                             [1]mailto:anton@sng.by

    Administrator

   Feel free to contact me

   via ICQ 363780596

   via Skype dobryak47

   via phone +375 29 3320987

References

   1. mailto:anton@sng.by


