Date:      Wed, 21 Jan 2004 15:23:43 -0000
From:      Thomas Wolf <>
To:        Marc Silver <>,
Subject:   Re: dialup firewalling
Message-ID:  <>


Marc Silver <> wrote:

> Hi guys and gals,
> The short story:  I wrote an article a while back about dialup
> firewalling with FreeBSD, and after an update was made to the article a
> few months back by another individual it's been slightly broken.
> I am currently working on fixing this document and getting it more up to
> date, and was hoping to run the following ruleset past all of you.  The
> problem is mostly that I no longer have a dialup connection to test with
> this, so I was hoping to ask opinions on whether or not the following
> rulebase would work:
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established
> # Allow internet users to connect to the port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
> # Deny and log everything else.
> $fwcmd add deny log ip from any to any
> Now, if my knowledge of ipfw2 is correct, this should allow everything
> out, and should only allow port 22 and 80 in.  It'll also allow ICMP.
> Simple enough, but am I correct in my assumptions?

No, it will not work. keep-state rules and natd are difficult to handle.
In your setup, traffic from a box in your LAN ($lanclientip) with a
destination on the internet ($targetip), going via your gateway
($gatewayip), will be handled like this:

original packet: $lanclientip -> $targetip

On leaving the gateway, packets go through the divert rule, so
now the packet has $gatewayip -> $targetip. The keep-state rule
now creates a temporary rule for '$gatewayip <-> $targetip' and allows
the packet out.

The response from $targetip gets natted first, so when it reaches
the check-state rule it already has $targetip -> $lanclientip and
will not match the temporary rule.

Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
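The packet walk Thomas describes, as an added toy model that is not part of the thread and not ipfw or natd itself: it replays the quoted rule order for TCP, with a natd that rewrites the source on the way out and the destination on the way back, dynamic rules keyed only by address pair, and constructed addresses. The same walk run for the gateway's own traffic shows why that case does work while the LAN client's reply is dropped.

```python
# Added toy model of the packet walk in the reply above. It is not ipfw or
# natd: just the quoted rule order, TCP only, dynamic rules keyed by address
# pair, and constructed addresses.
LAN_CLIENT, GATEWAY, TARGET = "192.168.1.10", "203.0.113.5", "198.51.100.7"
SERVICE_PORTS = {22, 80}                    # the "dst-port 22,80 setup" rule

def natd(pkt, nat_table):
    """Toy natd on tun0: masquerade LAN sources outbound, undo it inbound."""
    src, dst, dport, flags = pkt
    if src == LAN_CLIENT:                   # outbound: source becomes gateway
        nat_table[(dst, GATEWAY)] = src
        return (GATEWAY, dst, dport, flags)
    hidden = nat_table.get((src, dst))      # inbound: restore the LAN client
    return (src, hidden, dport, flags) if hidden else pkt

def walk(pkt, dynamic, nat_table):
    """Run one TCP packet through the quoted ruleset; return (verdict, rule).
    Every packet crosses tun0, so the divert rule runs before anything else."""
    src, dst, dport, flags = natd(pkt, nat_table)  # add divert natd ... via tun0
    if (src, dst) in dynamic or (dst, src) in dynamic:
        return "allow", "check-state"              # a dynamic rule matched
    if src == GATEWAY:                             # allow ip from me to any keep-state
        dynamic.add((src, dst))
        return "allow", "keep-state"
    if "ACK" in flags:                             # deny tcp from any to any established
        return "deny", "established"
    if dst == GATEWAY and dport in SERVICE_PORTS and flags == {"SYN"}:
        dynamic.add((src, dst))                    # allow tcp ... setup keep-state
        return "allow", "setup 22,80"
    return "deny", "deny log"                      # deny log ip from any to any

def roundtrip(client):
    """`client` opens a web connection through the gateway. Return the verdict
    for its SYN, the verdict for the SYN/ACK coming back, and the dynamic
    rules that exist afterwards."""
    dynamic, nat_table = set(), {}
    out = walk((client, TARGET, 80, {"SYN"}), dynamic, nat_table)
    back = walk((TARGET, GATEWAY, 51234, {"SYN", "ACK"}), dynamic, nat_table)
    return out, back, sorted(dynamic)

if __name__ == "__main__":
    for who in (GATEWAY, LAN_CLIENT):
        out, back, dyn = roundtrip(who)
        print(f"{who}: out={out} dynamic={dyn} reply={back}")
```

The dynamic rule is created after natd has already rewritten the source, so it names the gateway, while the reply is de-natted back to the LAN client before check-state ever sees it.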
