From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 2 22:28:41 2006
Message-ID: <43B9A9AB.20001@roamingsolutions.net>
Date: Tue, 03 Jan 2006 00:31:07 +0200
From: G Bryant
To: Dennis Olvany
Cc: freebsd-ipfw@freebsd.org
Subject: Re: route selection and ipfw forwarding
In-Reply-To: <43B97627.5020501@gmail.com>
References: <43B875FD.6000102@gmail.com> <43B8CC58.9020906@roamingsolutions.net> <43B8D510.2010908@gmail.com> <43B8EF40.7020508@roamingsolutions.net> <43B97627.5020501@gmail.com>
List-Id: IPFW Technical Discussions
Dennis Olvany wrote:

>> What does your setup look like?
>
> Don't have a setup, yet. In lieu of such complexity, I may abandon the
> notion.
>
>> ################ Start of IPFW rules file ###############################
>> ################ End of IPFW rules file ###############################
>
> That ruleset is seriously complex and it's especially difficult to
> decipher in script form. Any idea of the possibility of doing a reverse
> proxy-only lsnat?

Here is a very simple version of the rules with no internal (LAN) servers,
no proxy and no bandwidth management. Hope this is more understandable.

Regards,
Gray

Content-Disposition: inline; filename="ipfw_simple.ruleset"

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Temporary rules so an admin ssh session survives while the list loads;
# they are deleted again at the end of this file.
ipfw -q add 10 allow tcp from any to me 22 in
ipfw -q add 12 allow tcp from me 22 to any out

# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"

ext_if1="rl0"          # public interface name of NIC
ext_if2="rl0"
int_if="vr0"           # private interface name of NIC
ext_ip1="196.yy.yy.yy"
ext_ip2="196.xx.xx.xx"
ext_gw1="196.yy.yy.1"
ext_gw2="196.xx.xx.1"
lan="192.168.1.0/24"

# Set up the different sets used for the different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable sets 1, 2 and 10 when we have 2 WAN links
ipfw -q set enable 1 2 10

#################################################################
# Deny spoofed packets
$cmd 100 deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

#################################################################
# Incoming traffic from internet - jump to incoming section
$cmd skipto 4000 ip from any to me in

#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
# Deny outgoing windows connections (and whatever else you want to deny)
$cmd deny tcp from $lan to any 137,445 out
$cmd deny tcp from $lan 137,445 to any out
# Allow the rest out
$cmd $skip ip from $lan to any out
# Allow connections from me back out
$cmd $skip ip from me to any out
$cmd deny log ip from any to any out

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# NAT inbound traffic
$cmd 4000 divert natd1 ip from any to $ext_ip1 in
$cmd 4000 divert natd2 ip from any to $ext_ip2 in

# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1   # RFC 1918 private IP
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in
#   172.16.0.0/12     RFC 1918 private IP
#   10.0.0.0/8        RFC 1918 private IP
#   169.254.0.0/16    DHCP auto-config
#   192.0.2.0/24      reserved for docs
#   204.152.64.0/23   Sun cluster
#   224.0.0.0/3       Class D & E multicast

# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny all from any to any 113,137,138,139,81 in

# Allow the rest of the traffic to the lan in
$cmd allow ip from any to $lan in
# Allow the rest of the traffic to me in
$cmd allow ip from any to me in
# Deny the rest to me
$cmd deny log ip from any to any in

###############################################################
# This is the skipto location for outbound (stateful) rules
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8030 skipto 9000 udp from any to any out
$cmd 8040 skipto 9000 icmp from any to any out
$cmd 8050 skipto 8600 tcp from $ext_ip1,$ext_ip2 22 to any out
$cmd 8100 tee natd2 ip from any to any out
$cmd 8200 skipto 8400 ip from $ext_ip2 to any out
$cmd 8300 divert natd1 ip from any to any out
$cmd 8400 check-state
$cmd 8600 fwd $ext_gw1 tcp from $ext_ip1 22 to any out
$cmd 8600 fwd $ext_gw2 tcp from $ext_ip2 22 to any out
$cmd 8700 deny ip from any to any out

# skipto location for new outgoing connections
$cmd 9000 skipto 9500 tcp from 192.168.1.3 to any 25,110 out
$cmd 9000 skipto 9200 tcp from any to any 443,1863 out
$cmd 9000 skipto 9200 udp from any to any 80,443,1024-65535 out
$cmd 9000 skipto 9200 udp from any 80,443,1024-65535 to any out
$cmd 9000 set 10 skipto 9200 ip from any to any out
$cmd 9000 set 12 prob 0.2 skipto 9500 ip from any to any out
$cmd 9000 set 13 prob 0.3 skipto 9500 ip from any to any out
$cmd 9000 set 14 prob 0.4 skipto 9500 ip from any to any out
$cmd 9000 set 15 prob 0.5 skipto 9500 ip from any to any out
$cmd 9000 set 16 prob 0.6 skipto 9500 ip from any to any out
$cmd 9000 set 17 prob 0.7 skipto 9500 ip from any to any out
$cmd 9000 set 18 prob 0.8 skipto 9500 ip from any to any out
$cmd 9000 set 20 skipto 9500 ip from any to any out
$cmd 9200 set 1 divert natd1 ip from any to any out
$cmd 9300 set 1 fwd $ext_gw1 ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd $ext_gw2 ip from any to any out keep-state

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any

ipfw -q delete 10
ipfw -q delete 12
################ End of IPFW rules file ###############################
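The 9000-series rules above choose a WAN link once per new connection (the fwd ... keep-state entries then pin the rest of the flow through check-state at 8400), and which link wins depends on which ipfw sets are enabled. The following is an added model of that rule walk, not code from the mail or from ipfw itself; the packet fields, the enabled-set combinations tried and the random source are constructed, and the gateway strings are the ruleset's own placeholders.

```python
"""Model of the outbound load-balancing rules (9000-9600) above: how the
enabled ipfw sets and 'prob' pick a gateway for a new connection.  Added
example, not from the original mail; packets and randomness are constructed."""
import random

EXT_GW1, EXT_GW2 = "196.yy.yy.1", "196.xx.xx.1"   # placeholders as in the ruleset
def _any(p): return True

# (rule number, set, prob, match, action) in ruleset order.  Rules without an
# explicit 'set' live in set 0.  skipto jumps to the first rule numbered >= the
# target; divert hands off to natd and re-enters at the next rule; fwd is terminal.
RULES = [
    (9000, 0, None, lambda p: p["proto"] == "tcp" and p["src"] == "192.168.1.3"
                              and p["dport"] in (25, 110), ("skipto", 9500)),
    (9000, 0, None, lambda p: p["proto"] == "tcp" and p["dport"] in (443, 1863), ("skipto", 9200)),
    (9000, 0, None, lambda p: p["proto"] == "udp" and (p["dport"] in (80, 443) or p["dport"] >= 1024), ("skipto", 9200)),
    (9000, 0, None, lambda p: p["proto"] == "udp" and (p["sport"] in (80, 443) or p["sport"] >= 1024), ("skipto", 9200)),
    (9000, 10, None, _any, ("skipto", 9200)),
    *[(9000, s, (s - 10) / 10, _any, ("skipto", 9500)) for s in range(12, 19)],  # prob 0.2 .. 0.8
    (9000, 20, None, _any, ("skipto", 9500)),
    (9200, 1, None, _any, ("divert", "natd1")),
    (9300, 1, None, _any, ("fwd", EXT_GW1)),
    (9500, 2, None, _any, ("divert", "natd2")),
    (9600, 2, None, _any, ("fwd", EXT_GW2)),
]

def route(pkt, enabled_sets, rnd=random.random):
    """Walk RULES for one packet that reached 9000; returns (gateway, natd instance)."""
    enabled = {0} | set(enabled_sets)
    natd, i = None, 0
    while i < len(RULES):
        _, rset, prob, match, (kind, arg) = RULES[i]
        i += 1
        if rset not in enabled or not match(pkt):
            continue
        if prob is not None and rnd() >= prob:    # 'prob p' matches with probability p
            continue
        if kind == "skipto":
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        elif kind == "divert":
            natd = arg
        else:                                      # fwd <gw> ... keep-state
            return arg, natd
    return None, natd                              # fell off the modelled section

def gw2_share(enabled_sets, trials=20000, seed=1):
    """Monte-Carlo estimate of the fraction of new web connections sent to gateway 2."""
    rng = random.Random(seed).random
    pkt = {"proto": "tcp", "src": "192.168.1.5", "sport": 40000, "dport": 80}
    return sum(route(pkt, enabled_sets, rnd=rng)[0] == EXT_GW2 for _ in range(trials)) / trials
```

With the file's initial `set enable 1 2 10`, every new connection except the 192.168.1.3 mail traffic leaves via gateway 1; disabling set 10 and enabling one of sets 12-18 turns that into a 20-80 % probabilistic split, and set 20 sends everything to gateway 2.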