Date: Tue, 23 Jun 2009 05:44:03 +0300 From: Anton <anton@sng.by> To: freebsd-questions@freebsd.org Cc: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl> Subject: Need somw further help on ipfw rules Message-ID: <1203880385.20090623054403@sng.by>
next in thread | raw e-mail | index | archive | help
Hello freebsd-questions, Finally, I ve got to work my ipfw firewall with two NATs (one for= local resources, provided by ISP, one for VPN - which leads me to Internet= ). But I need further help on it :-( Here is my rules: #!/bin/sh ipfw=3D'/sbin/ipfw -q' mynet=3D'192.168.0.0/24' myprefix=3D'192.168.0.' adsl_out=3D'xl0' vpn_out=3D'ng0' if_loc=3D'rl0' gw_loc=3D'10.30.100.5' route1=3D'81.25.32.5/32' route2=3D'81.25.32.6/32' route3=3D'81.25.32.13/32' route4=3D'81.25.32.15/32' route5=3D'81.25.32.25/32' route6=3D'81.25.32.34/32' route7=3D'81.25.32.30/32' route8=3D'81.25.32.67/32' route9=3D'81.25.32.48/32' route10=3D'81.25.32.40/32' route11=3D'81.25.32.68/32' route12=3D'81.25.32.69/32' route13=3D'81.25.32.70/32' route14=3D'81.25.32.71/32' route15=3D'81.25.32.81/32' route16=3D'81.25.32.82/32' route17=3D'81.25.32.96/32' route18=3D'72.167.232.126/32' route19=3D'81.25.32.97/32' route20=3D'81.25.34.96/28' ${ipfw} -f flush ${ipfw} table 12 flush ${ipfw} -f pipe flush ${ipfw} -f queue flush ${ipfw} pipe 1 config bw 40Kbyte/s queue 50 ${ipfw} pipe 2 config bw 15Kbyte/s queue 50 #Filling IPFW free-res table ${ipfw} table 12 add ${route1} ${ipfw} table 12 add ${route2} ${ipfw} table 12 add ${route3} ${ipfw} table 12 add ${route4} ${ipfw} table 12 add ${route5} ${ipfw} table 12 add ${route6} ${ipfw} table 12 add ${route7} ${ipfw} table 12 add ${route8} ${ipfw} table 12 add ${route9} ${ipfw} table 12 add ${route10} ${ipfw} table 12 add ${route11} ${ipfw} table 12 add ${route12} ${ipfw} table 12 add ${route13} ${ipfw} table 12 add ${route14} ${ipfw} table 12 add ${route15} ${ipfw} table 12 add ${route16} ${ipfw} table 12 add ${route17} ${ipfw} table 12 add ${route18} ${ipfw} table 12 add ${route19} ${ipfw} table 12 add ${route20} # ICMP ${ipfw} add 1 deny icmp from any to any frag ${ipfw} add 2 deny icmp from any to any in via ${adsl_out} icmptype 5,9,= 13,14,15,16,17 ${ipfw} add 2 deny icmp from any to any in via ${vpn_out} icmptype 5,9,1= 3,14,15,16,17 ${ipfw} add 3 check-state ${ipfw} add 4 allow all from any to any via lo0 ${ipfw} add 4 allow all from any to any via ${if_loc} # Allowing myself everuthin ${ipfw} add 5 allow all from me to any keep-state #Free res ${ipfw} add 6 divert 8667 ip from table\(12\) to any in via ${adsl_out}<= /p> ${ipfw} add 7 divert 8667 ip from any to table\(12\) out via ${adsl_out}= ${ipfw} add 8 allow all from ${mynet} to table\(12\) out via ${adsl_out}= ${ipfw} add 9 allow all from table\(12\) to ${mynet} in via ${adsl_out}<= /p> #NAT to Internet ${ipfw} add 10 divert 8668 ip from any to any in via ${vpn_out} ${ipfw} add 11 divert 8668 ip from any to not table\(12\) out via ${vpn_= out} # Deny access to unrouteable networks ${ipfw} add 12 reject all from any to 10.0.0.0/8 in via ${vpn_out} ${ipfw} add 13 reject all from any to 172.16.0.0/12 in via ${adsl_out} ${ipfw} add 14 reject all from any to 172.16.0.0/12 in via ${vpn_out} ${ipfw} add 15 reject all from any to 0.0.0.0/8 in via ${adsl_out} ${ipfw} add 16 reject all from any to 0.0.0.0/8 in via ${vpn_out} ${ipfw} add 17 reject all from any to 169.254.0.0/16 in via ${adsl_out}<= /p> ${ipfw} add 18 reject all from any to 169.254.0.0/16 in via ${vpn_out} # Multicast ${ipfw} add 19 reject all from any to 224.0.0.0/4 in via ${adsl_out} ${ipfw} add 20 reject all from any to 224.0.0.0/4 in via ${vpn_out} ${ipfw} add 21 reject all from any to 240.0.0.0/4 in via ${adsl_out} ${ipfw} add 22 reject all from any to 240.0.0.0/4 in via ${vpn_out} # Deny access from unrouteable networks ${ipfw} add 23 reject all from 10.0.0.0/8 to any in via ${vpn_out} ${ipfw} add 24 reject all from 172.16.0.0/12 to any in via ${adsl_out} ${ipfw} add 25 reject all from 172.16.0.0/12 to any in via ${vpn_out} ${ipfw} add 26 reject all from 0.0.0.0/8 to any in via ${adsl_out} ${ipfw} add 27 reject all from 0.0.0.0/8 to any in via ${vpn_out} ${ipfw} add 28 reject all from 169.254.0.0/16 to any in via ${adsl_out}<= /p> ${ipfw} add 29 reject all from 169.254.0.0/16 to any in via ${vpn_out} # Multicast ${ipfw} add 30 reject all from 224.0.0.0/4 to any in via ${adsl_out} ${ipfw} add 31 reject all from 224.0.0.0/4 to any in via ${vpn_out} ${ipfw} add 32 reject all from 240.0.0.0/4 to any in via ${adsl_out} ${ipfw} add 33 reject all from 240.0.0.0/4 to any in via ${vpn_out} #Sasser&Netbios ${ipfw} add 34 reject tcp from any to any 137-139,445,1022,1023 ${ipfw} add 35 reject tcp from any 137-139,445,1022,1023 to any ${ipfw} add 36 reject udp from any to any 137-139,445,1022,1023 ${ipfw} add 37 reject udp from any 137-139,445,1022,1023 to any #Other Defence ${ipfw} add 38 reject tcp from any to any not established tcpflags fin ${ipfw} add 39 reject tcp from any to any tcpflags fin, syn, rst, psh, a= ck, urg ${ipfw} add 40 reject tcp from any to any tcpflags !fin, !syn, !rst, !ps= h, !ack, !urg ${ipfw} add 41 deny log ip from any to any not verrevpath in ${ipfw} add 42 deny tcp from any to any 20-23,1900,2869,3389,5900 in via= ${adsl_out} ${ipfw} add 43 deny tcp from any to any 20-23,1900,2869,3389,5900 in via= ${vpn_out} ${ipfw} add 44 deny udp from any to any 1900,2869 in via ${adsl_out} ${ipfw} add 45 deny udp from any to any 1900,2869 in via ${vpn_out} #Hosts with evereday acces ${ipfw} add 80 pipe 2 all from ${myprefix}50 to any out via ${vpn_out} ${ipfw} add 81 pipe 1 all from any to ${myprefix}50 in via ${vpn_out} ${ipfw} add 82 allow all from ${myprefix}50 to any out via ${vpn_out} ${ipfw} add 83 allow all from any to ${myprefix}50 in via ${vpn_out} ${ipfw} add 84 allow all from ${myprefix}51 to any out via ${vpn_out} ${ipfw} add 85 allow all from any to ${myprefix}51 out via ${vpn_out} ${ipfw} add 86 pipe 2 all from ${myprefix}52 to any out via ${vpn_out} ${ipfw} add 87 pipe 1 all from any to ${myprefix}52 out via ${vpn_out} ${ipfw} add 88 allow all from ${myprefix}52 to any out via ${vpn_out} ${ipfw} add 89 allow all from any to ${myprefix}52 out via ${vpn_out} ${ipfw} add 90 allow all from ${myprefix}70 to any out via ${vpn_out} ${ipfw} add 91 allow all from any to ${myprefix}70 out via ${vpn_out} ${ipfw} add 92 allow all from ${myprefix}71 to any out via ${vpn_out} ${ipfw} add 93 allow all from any to ${myprefix}71 out via ${vpn_out} ${ipfw} add 94 allow all from ${myprefix}250 to any out via ${vpn_out} ${ipfw} add 95 allow all from any to ${myprefix}250 out via ${vpn_out} ${ipfw} add 27199 allow all from me to any ${ipfw} add 27200 deny log logamount 50000 all from any to any echo "Loaded" I still could not get two things: 1) Why, if there is no rule 27199 - I have n= o acces to Internet from IP 192.168.0.50. Also, if I delete rule 83 - ident= ically, I have no access to Internet (it is after VPN), but I have access t= o local resources 2) I need to organize everyday access for al= l hosts in my network by ports 27015-27050 TCP and UDP (it is Steam & C= ounter-Strike) Adding the rules like this: allow tcp from ${mynet} to any 27015-27050 o= ut via ${vpn_out}, allow tcp from any 27015-27050 to ${mynet} in via ${vpn_= out} & allow udp from ${mynet} to any 27015-27050 out via ${vpn_out}, a= llow udp from any 27015-27050 to ${mynet} in via ${vpn_out} - doesnot helps= at all. -- -- Best regards, Anton = ; [1]mailto:anton@sng.by Administrator Feel free to contact me via ICQ 363780596 via Skype dobryak47 via phone +375 29 3320987 References 1. 3D"mailto:anton@sng.by"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1203880385.20090623054403>