Date:      Fri, 29 Aug 2003 12:04:16 +0200
From:      Socketd <db@traceroute.dk>
To:        hackers@freebsd.org
Subject:   ipfw newbie
Message-ID:  <20030829120416.37759de2.db@traceroute.dk>

Hi

I am setting up a gateway for a friend and he wants it to firewall and
traffic shape.

The network:
Router (running NAT and PPP)
 |(192.168.1.1)
 |(no ip)
Gateway (FreeBSD 5.1, ipfw + dummynet and DHCP to the LAN)
 |(192.168.2.1 to the LAN and 192.168.3.1 to the DMZ)
 |\
 | \
 |  DMZ(192.168.3.0/24)
LAN (192.168.2.0/24)

I have been asking around whether I should NAT the DMZ. People had
different opinions on that and I chose to NAT it.
Now what I want is:

Allow all traffic _from_ LAN and DMZ and out. Also allow all traffic
between the two.

DMZ traffic should have 100 times the weight of LAN traffic.

So I was wondering if this might be right? (I can't test the firewall before
returning it, so the configuration has to be correct):

# Give DMZ 100 times more weight than LAN
pipe 10 config bw 512Kbit/s
pipe 20 config bw 2Mbit/s

# Note: these two rules send every packet straight into the pipes before
# the weighted queues below (which feed the same pipes) get to classify it
add pipe 10 ip from any to any out
add pipe 20 ip from any to any in

queue 100 config pipe 10 weight 100
queue 200 config pipe 20 weight 100
queue 300 config pipe 10 weight 1
queue 400 config pipe 20 weight 1

# rl1 is the NIC to the router (rl0 = LAN, de0 = DMZ)
add queue 100 ip from 192.168.3.0/24 to any out via rl1
add queue 200 ip from any to 192.168.3.0/24 in via rl1
add queue 300 ip from 192.168.2.0/24 to any out via rl1
add queue 400 ip from any to 192.168.2.0/24 in via rl1

# Allow all traffic _from_ LAN and DMZ (192.168.0.0/16 covers both)
add allow all from 192.168.0.0/16 to any

# Here I will specify what traffic to allow to the DMZ

# And I want this at the end:
add deny all from any to any

And then set net.inet.ip.fw.one_pass: 0

Is this about right? And is it "normal" to place the firewalling rules
after the pipes?

Hope someone will help.

br
socketd

ps: I think "lockdown" will be ready for wide testing by next weekend!
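To see what the rule order and the one_pass sysctl actually do to a packet, here is a small first-match walk over the ruleset from the post. This is an added example, not part of the message or of ipfw itself; it models only the match fields used in the post (source, destination, direction, interface), assumes a default-deny kernel, and uses constructed packet addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Rule:
    action: str          # "pipe", "queue", "allow" or "deny"
    src: str             # network in CIDR form, or "any"
    dst: str
    direction: str = ""  # "in", "out" or "" for both
    via: str = ""        # interface name, or "" for any

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule: Rule, pkt: dict) -> bool:
    return (_in_net(pkt["src"], rule.src) and _in_net(pkt["dst"], rule.dst)
            and rule.direction in ("", pkt["dir"]) and rule.via in ("", pkt["via"]))

def evaluate(rules: List[Rule], pkt: dict, one_pass: bool) -> Tuple[str, List[int]]:
    """First-match walk over the ruleset. A pipe/queue rule hands the packet to
    dummynet; with one_pass=1 it is then accepted outright, with one_pass=0 it
    re-enters the ruleset at the next rule. Assumes the kernel default is deny."""
    hits = []
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        hits.append(i)
        if rule.action in ("allow", "deny"):
            return rule.action, hits
        if one_pass:  # dummynet consumed the packet, rule search stops here
            return "allow", hits
    return "deny", hits

# The ruleset from the post, in the order given (list index = position in the walk).
POSTED = [
    Rule("pipe", "any", "any", "out"),
    Rule("pipe", "any", "any", "in"),
    Rule("queue", "192.168.3.0/24", "any", "out", "rl1"),
    Rule("queue", "any", "192.168.3.0/24", "in", "rl1"),
    Rule("queue", "192.168.2.0/24", "any", "out", "rl1"),
    Rule("queue", "any", "192.168.2.0/24", "in", "rl1"),
    Rule("allow", "192.168.0.0/16", "any"),
    Rule("deny", "any", "any"),
]
# Constructed packets: an unsolicited Internet->DMZ packet and a LAN->Internet packet.
INBOUND = {"src": "203.0.113.7", "dst": "192.168.3.10", "dir": "in", "via": "rl1"}
OUTBOUND = {"src": "192.168.2.20", "dst": "203.0.113.7", "dir": "out", "via": "rl1"}
```

With one_pass=1 the inbound packet stops at the bare `pipe 20` rule and is accepted without ever reaching the final deny; with one_pass=0 it continues through queue 200 to the deny, and the outbound LAN packet is seen by both the bare pipe rule and queue 300 before the allow.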