Date: Thu, 27 Feb 1997 09:31:35 -0800 (PST)
From: "Jonathan M. Bresler" <jmb>
To: brandon@cold.org (Brandon Gillespie)
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules problems (NOT operator?)
Message-ID: <199702271731.JAA08518@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.95.970227090145.5190A-100000@cold.org> from "Brandon Gillespie" at Feb 27, 97 09:05:59 am
Brandon Gillespie wrote:
>
> > then write those rules and do not write an "allow all from
> > ${onet}:${omask} to any" rule.
> >
> > how about telling us what effect you want? for instance
> > allow telnet from the inside to ___, but no incoming telnet
> > connections. allow pasv ftp. dont allow any icmp. etc...
>
> I did :b But I'll do again:
>
> Cleanwall Firewall
> : |
> Internet => : => Localnet => | => Securenet
> : 206.81.134.0 | 192.168.1.0
> : |
>
> I want the Firewall (FreeBSD) to _only_ allow telnet, dns and lp/lpr
> (npp?) from the outside in--furthermore I want it to ONLY allow tcp
> packets from 206.81.134.0. Same goes for the inside out, except for with
ahh....i'm sorry, i missed the list (telnet dns lp).
must be getting old ;) the 6 rules below should allow
telnet, dns, and lpr from the Localnet to the Securenet
(and allow the Securenet to respond to the Localnet)
# the next 6 rules handle connections from Localnet -> Securenet
# allow telnet from Localnet to Securenet (incl. connection setup)
# and allow the Securenet to respond to telnet packets from Localnet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 telnet
ipfw add allow tcp from 192.168.1/24 telnet to 206.81.134/24 established
# allow lpr from Localnet to Securenet
# and allow Securenet to respond to lpr requests from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 printer
ipfw add allow ip from 192.168.1/24 printer to 206.81.134/24
# allow dns queries from Localnet to Securenet
# and allow Securenet to respond to dns queries from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow ip from 192.168.1/24 domain to 206.81.134/24
# the next 6 rules handle connections from Securenet -> Localnet
# (same pattern as above, with the two networks swapped)
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24 telnet
ipfw add allow tcp from 206.81.134/24 telnet to 192.168.1/24 established
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 printer
ipfw add allow ip from 206.81.134/24 printer to 192.168.1/24
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 domain
ipfw add allow ip from 206.81.134/24 domain to 192.168.1/24
you said above "furthermore I want it to ONLY allow tcp
packets from 206.81.134.0."
is this *in*addition*to* telnet dns and lpr?
or a restriction upon dns and lpr (either do/can use udp
in addition to tcp)
# allow ONLY tcp packets, all tcp packets from Localnet to Securenet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24
if you use the 2 rules above you can get rid of the rules
with "tcp" and "telnet" in them; these two are a superset.
you can add "via" to these rules to harden them if you wish.
jmb
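To see why the "established" rule is needed and why the two plain tcp rules are a superset, here is a small first-match evaluator for the rule subset used in this mail (an added example, not part of the thread or of ipfw itself). It assumes a simplified model: "established" is treated as "ACK set" (real ipfw also matches RST), port names resolve as in /etc/services, and a constructed final "deny ip from any to any" stands in for the kernel's default deny rule.

```python
import ipaddress

# Rule set from the mail above, plus a constructed final deny (ipfw's default
# rule 65535 also denies everything that no earlier rule matched).
RULES = """allow tcp from 206.81.134/24 to 192.168.1/24 telnet
allow tcp from 192.168.1/24 telnet to 206.81.134/24 established
allow ip from 206.81.134/24 to 192.168.1/24 printer
allow ip from 192.168.1/24 printer to 206.81.134/24
allow ip from 206.81.134/24 to 192.168.1/24 domain
allow ip from 192.168.1/24 domain to 206.81.134/24
deny ip from any to any""".splitlines()

PORTS = {"telnet": 23, "printer": 515, "domain": 53}  # /etc/services names

def net(spec):
    """'any' -> None; '206.81.134/24' (ipfw's short form) -> ip_network."""
    if spec == "any":
        return None
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # pad short form
    return ipaddress.ip_network(f"{addr}/{plen or 32}")

def parse(rule):
    """Parse 'ACTION PROTO from SRC [port] to DST [port] [established]'."""
    tok = rule.split()
    i = tok.index("from") + 1
    src, i = net(tok[i]), i + 1
    sport = PORTS[tok[i]] if tok[i] != "to" else None
    i += 2 if sport is not None else 1           # skip optional port and "to"
    dst, i = net(tok[i]), i + 1
    dport = PORTS[tok[i]] if i < len(tok) and tok[i] in PORTS else None
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in tok)

def matches(r, proto, sip, sp, dip, dp, ack):
    """Match one packet against one rule; 'established' modelled as ACK set."""
    return ((r["proto"] in ("ip", proto))
            and (r["src"] is None or ipaddress.ip_address(sip) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(dip) in r["dst"])
            and (r["sport"] in (None, sp)) and (r["dport"] in (None, dp))
            and (not r["established"] or (proto == "tcp" and ack)))

def verdict(proto, sip, sp, dip, dp, ack=False, rules=RULES):
    """Return (action, 1-based index) of the first matching rule, ipfw-style."""
    for n, rule in enumerate(rules, 1):
        if matches(parse(rule), proto, sip, sp, dip, dp, ack):
            return rule.split()[0], n
    return "deny", None
```

A telnet SYN from Localnet hits rule 1 and the Securenet reply (ACK set) hits rule 2, but a SYN sent from Securenet port 23 towards Localnet falls through to the deny; swapping in the two plain tcp rules allows every TCP flow in both directions, which is the superset the mail refers to.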
