From: Socketd <db@traceroute.dk>
To: hackers@freebsd.org
Date: Fri, 29 Aug 2003 12:04:16 +0200
Message-Id: <20030829120416.37759de2.db@traceroute.dk>
Subject: ipfw newbie

Hi

I am setting up a gateway for a friend and he wants it to firewall and traffic shape.

The network:

Router (running NAT and PPP)
  |(192.168.1.1)
  |(no ip)
Gateway (FreeBSD 5.1, ipfw + dummynet and DHCP to the LAN)
  |(192.168.2.1 to the LAN and 192.168.3.1 to the DMZ)
  |\
  | \
  |  DMZ (192.168.3.0/24)
LAN (192.168.2.0/24)

I have been asking around whether I should NAT the DMZ. People had different opinions on that and I chose to NAT it.

Now what I want is:

Allow all traffic _from_ LAN and DMZ and out. Also allow all traffic between the two.
DMZ traffic should have 100 times the weight of LAN traffic.

So I was thinking, is this maybe right? (I can't test the firewall before returning it, so the configuration has to be correct):

//Give DMZ 100 times more weight than LAN
pipe 10 config bw 512Kbit/s
pipe 20 config bw 2Mbit/s
add pipe 10 ip from any to any out
add pipe 20 ip from any to any in

queue 100 config pipe 10 weight 100
queue 200 config pipe 20 weight 100
queue 300 config pipe 10 weight 1
queue 400 config pipe 20 weight 1

//rl1 is the NIC to the router (rl0 = LAN, de0 = DMZ)
add queue 100 ip from 192.168.3.0/24 to any out via rl1
add queue 200 ip from any to 192.168.3.0/24 in via rl1
add queue 300 ip from 192.168.2.0/24 to any out via rl1
add queue 400 ip from any to 192.168.2.0/24 in via rl1

//Allow all traffic _from_ LAN and DMZ
add allow all from 192.168.0.0/255.255.0.0 to any

//Here I will specify what traffic to allow to the DMZ

//And I want this at the end:
deny all from any to any

And then set net.inet.ip.fw.one_pass: 0

Is this about right? And is it "normal" to place the firewalling rules after the pipes?

Hope someone will help.

br
socketd

ps: I think "lockdown" will be ready for wide testing by next weekend!
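Added example (not the poster's rules): an rc.firewall-style sh script for the gateway layout described in the post. It takes the interface names, networks, pipe bandwidths and queue weights from the post; the DMZ web server address 192.168.3.10 is an assumption made for illustration. The script sets net.inet.ip.fw.one_pass to 0 before loading rules, so a packet that has passed through a dummynet queue continues at the next rule and the allow/deny rules placed after the queue rules still apply; it attaches traffic to the queues only, since each queue is already bound to its pipe. With DRY_RUN=1 (the default) it prints each command instead of executing it, so the rule order can be checked on a machine without ipfw.

```sh
#!/bin/sh
# Added example (not the poster's configuration): rc.firewall-style ruleset
# for a FreeBSD gateway with ipfw + dummynet. Interfaces, networks and
# bandwidths come from the post; dmz_www is an assumed DMZ web server.
# DRY_RUN=1 (default) prints each command instead of running it.

: "${DRY_RUN:=1}"

ext_if=rl1                 # NIC towards the router
lan_net=192.168.2.0/24
dmz_net=192.168.3.0/24
dmz_www=192.168.3.10       # assumed web server in the DMZ

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_rules() {
    # one_pass=0: a packet leaving a pipe/queue re-enters the ruleset at the
    # next rule, so the allow/deny rules below still apply to shaped traffic.
    run sysctl net.inet.ip.fw.one_pass=0

    run ipfw -f flush
    run ipfw -f pipe flush

    # One pipe per direction of the upstream link.
    run ipfw pipe 10 config bw 512Kbit/s
    run ipfw pipe 20 config bw 2Mbit/s

    # WF2Q+ queues on each pipe: the DMZ queue gets 100 times the LAN weight.
    run ipfw queue 100 config pipe 10 weight 100
    run ipfw queue 200 config pipe 20 weight 100
    run ipfw queue 300 config pipe 10 weight 1
    run ipfw queue 400 config pipe 20 weight 1

    # Loopback and anti-spoofing: internal addresses never arrive from outside.
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 200 deny ip from any to 127.0.0.0/8
    run ipfw add 300 deny ip from 127.0.0.0/8 to any
    run ipfw add 400 deny ip from $lan_net to any in via $ext_if
    run ipfw add 410 deny ip from $dmz_net to any in via $ext_if

    # Shape only what crosses the external interface. A queue is bound to
    # its pipe, so no separate "add pipe" rule is needed; after the queue
    # the packet continues with the rules below.
    run ipfw add 1000 queue 100 ip from $dmz_net to any out via $ext_if
    run ipfw add 1010 queue 200 ip from any to $dmz_net in via $ext_if
    run ipfw add 1020 queue 300 ip from $lan_net to any out via $ext_if
    run ipfw add 1030 queue 400 ip from any to $lan_net in via $ext_if

    # Anything LAN or DMZ initiates (to the Internet or to each other) is
    # allowed; the reply direction is matched by the dynamic rule.
    run ipfw add 2000 check-state
    run ipfw add 2010 allow ip from $lan_net to any keep-state
    run ipfw add 2020 allow ip from $dmz_net to any keep-state

    # Selected inbound services to the DMZ go here (assumed web server).
    run ipfw add 3000 allow tcp from any to $dmz_www 80 in via $ext_if setup keep-state

    # Default deny, logged.
    run ipfw add 65000 deny log ip from any to any
}

load_rules
```

Run it as root with DRY_RUN=0 to load the rules; the default dry run only prints them, which is a convenient way to review the order before a box leaves your hands.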