Date: Thu, 22 Jan 2004 08:30:14 -0000
From: Thomas Wolf <tw@wsf.at>
To: Marc Silver <marcs@draenor.org>, Thomas Wolf <tw@wsf.at>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: dialup firewalling
Message-ID: <20040122093014.1hbffi6ifnoks@.mailhost.wsf.at>
Marc Silver <marcs@draenor.org> wrote:
> Hi guys,
>
> Thanks very much. You have all been fantastic, and a great help to me.
> I've revised the document to use PPP NAT, and amended the ruleset as
> below:
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Define our outside interface. With userland-ppp this
> # defaults to tun0.
> oif="tun0"

Assuming that you are building a gateway for your lan, you will need some
rules for your internal interface too, so:

iif="fxp0" # whatever your internal if is ...

>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state

Suggestion - Stop spoofing on your outside interface:

$fwcmd add deny ip from any to any in via $oif not verrevpath

> $fwcmd add allow ip from me to any out via $oif keep-state
> $fwcmd add deny tcp from any to any established in via $oif
>

Somewhere, you have to allow the traffic lan -> wan to enter your gateway:

$fwcmd add allow ip from any to not me in via $iif

(if you allow your lan to access all services on your gateway, you could
also do: $fwcmd add allow ip from any to any via $iif)

allowing traffic via lo0 as Tony suggested is also a good idea..

$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any

> # Allow internet users to connect to the port 22 and 80.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state

If you do not have the 'any to any via $iif' rule, you should specify the
services on the gateway allowed for the lan:

$fwcmd add allow tcp from any to me dst-port 22,80 in via $iif setup keep-state

>
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
>
> # Deny and log all the rest.
> $fwcmd add deny log ip from any to any

Personally, I prefer to 'reset' or 'unreach' instead of 'deny', but that's a
matter of personal taste. I suggest resetting at least incoming packets to
port 113, avoiding delays when accessing your mailserver.

Thomas

-- 
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
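The following is an added example that assembles Marc's ruleset together with the additions suggested in this reply (anti-spoofing with verrevpath, the lo0 rules, the internal-interface rules and a reset for ident probes on port 113) into one rc.firewall-style script. It is not code from the thread or from FreeBSD; the internal interface name fxp0, the DRY_RUN switch and the rule ordering are assumptions made for this example. Rule order matters because ipfw stops at the first matching rule, so the anti-spoof and loopback checks are placed before anything permissive.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for a userland-ppp
# dialup gateway doing PPP NAT. Runs in dry-run mode (prints the commands)
# unless APPLY=1 is set, so it can be reviewed before being loaded.

oif="tun0"   # outside (ppp) interface, as in the thread
iif="fxp0"   # inside LAN interface: assumed name, adjust to your hardware

if [ "${APPLY:-0}" = "1" ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo /sbin/ipfw"   # dry run: show what would be loaded
fi

# Emit the complete ruleset in order. ipfw evaluates rules sequentially and
# stops at the first match, so restrictive checks come first.
build_rules() {
    $fwcmd -f flush

    # Packets matching an existing dynamic (keep-state) rule are accepted here.
    $fwcmd add check-state

    # Anti-spoofing: drop packets arriving on the outside interface whose
    # source address would not be routed back out through that interface.
    $fwcmd add deny ip from any to any in via "$oif" not verrevpath

    # Loopback: allow lo0, and drop anything on other interfaces using 127/8.
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny ip from 127.0.0.0/8 to any

    # Reset ident (113) probes from outside so remote mail servers that query
    # ident get an immediate RST instead of waiting for a timeout.
    $fwcmd add reset tcp from any to me dst-port 113 in via "$oif"

    # Connections we initiate leave via the outside interface with state kept.
    $fwcmd add allow ip from me to any out via "$oif" keep-state

    # Established TCP without a dynamic rule was not started by us: drop it.
    $fwcmd add deny tcp from any to any established in via "$oif"

    # LAN -> WAN: let LAN traffic for other hosts enter the gateway (ppp NAT
    # then translates and forwards it).
    $fwcmd add allow ip from any to not me in via "$iif"

    # Services on the gateway itself that the LAN may reach.
    $fwcmd add allow tcp from any to me dst-port 22,80 in via "$iif" setup keep-state

    # Services reachable from the internet: sshd and a webserver.
    $fwcmd add allow tcp from any to me dst-port 22,80 in via "$oif" setup keep-state

    # ICMP: remove type 8 if the host should not answer pings.
    $fwcmd add allow icmp from any to any via "$oif" icmptypes 0,3,8,11,12

    # Everything else is logged and dropped.
    $fwcmd add deny log ip from any to any
}

build_rules
```

Run it as `sh firewall.sh` to see the commands that would be issued, and `APPLY=1 sh firewall.sh` as root to load them. Because the script flushes the existing ruleset first, load it from the console or with `ipfw` configured via rc.conf rather than over the same ssh session you are protecting.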
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040122093014.1hbffi6ifnoks>