Date: Sun, 23 Oct 2005 20:01:55 -0400
From: Daemon <daemon@foxchat.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw firewall help
Message-ID: <435C2473.3070408@foxchat.net>
In-Reply-To: <5.1.0.14.2.20051023110150.020a7b80@209.152.117.178>
References: <4358899F.1090505@roamingsolutions.net> <435849B9.8040509@foxchat.net> <4358899F.1090505@roamingsolutions.net> <5.1.0.14.2.20051023110150.020a7b80@209.152.117.178>
W. D. wrote:
> At 09:36 10/21/2005, Daemon, wrote:
>
>> Great! Thanks. One possibly stupid question. What is the "Deny
>> Spoof"? Is that like:
>> # Stop spoofing of your internal network range
>> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
>> # Stop spoofing from inside your private ip range
>> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> Hey Daemon,
>
> Your rules snippet looks great! I really like the way you
> have commented the lines. When you have debugged your
> firewall, would you please post the entire set here? That way,
> newbies can understand better how the firewall works. I
> haven't seen too many examples like this.
>
> Thanks!
>
> Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
> $8.77 Domain Names -> http://domains.us-webmasters.com/

Sorry, I had to go out of town on Friday and just got back. This is what I have so far; however, I can't seem to figure out the correct syntax for my rule #20000, the rule Graham posted before. His rule was:

5000 nat all from any to any out via $oif

Once I figure out the correct syntax, I'll be able to incorporate the rule set that Graham provided with some modifications. Right now it doesn't work correctly. Other than rule #20000, if there are any other rules that aren't correct or can be more streamlined, I'd welcome and appreciate any input/advice. By the way, thanks again Graham for the help.

############
nip="24.172.X.XX/30"      # ${nip}
oip="24.172.X.XX"         # ${oip} Static IP
oif="re0"                 # ${oif} Public interface name of nic
                          # card facing the public Internet
iif="re1"                 # ${iif} Internal nic.
iip="172.16.140.0/24"     # ${iip} Internal Subnet.
############

# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

# Setup Loopback (not sure if these are in the
# correct place).
${fwcmd} add 10 pass all from any to any via lo0
${fwcmd} add 20 deny all from any to 127.0.0.0/8
${fwcmd} add 30 deny all from 127.0.0.0/8 to any

#-------------------------------------------------------------
# Stop spoofing of your internal network range and
# spoofing from inside your private ip range.
${fwcmd} add 40 deny ip from any to any not antispoof in

#-------------------------------------------------------------
# Natd rules. See Rule 300
${fwcmd} add 50 allow all from any to any via ${iif}
${fwcmd} add 60 divert natd all from any to any in via ${oif}

#-------------------------------------------------------------
# Traffic Shaping for the internal network.
${fwcmd} add 70 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
${fwcmd} add 80 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
${fwcmd} add 90 allow all from any to me in via ${oif}

#-------------------------------------------------------------
# Allow internal network in/out via the outside nic.
${fwcmd} add 100 allow all from any to ${iip} in via ${oif}
${fwcmd} add 200 allow all from me to any out via ${oif}

#-------------------------------------------------------------
# See Rule 20000
${fwcmd} add 300 skipto 20000 all from ${iip} to any out via ${oif}

#-------------------------------------------------------------
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${fwcmd} add 400 deny { tcp or udp } from any to any 137,138,139,445,1080
${fwcmd} add 500 deny { tcp or udp } from any to any 1243,6776,8998,12345,31337
${fwcmd} add 600 deny icmp from any to me in icmptype 5,9,13,14,15,16,17
${fwcmd} add 700 deny icmp from any to any iplen 92

#-------------------------------------------------------------
# Block malicious connects to ssh, ftp, mail(pop/smtp/imap), and identd.
${fwcmd} add 800 deny all from "table(2,0)" to me 20-25,110,113,143
${fwcmd} add 900 deny all from "table(3,0)" to me 20-25,110,113,143
# Block malicious connects to web server ports.
${fwcmd} add 1000 deny all from "table(4,0)" to me 80,443

#-------------------------------------------------------------
# Deny any late arriving packets
${fwcmd} add 2000 deny all from any to any frag in via ${oif}

#-------------------------------------------------------------
# 5000 nat all from any to any out via $oif
# ^^^ Rule provided by Graham.
${fwcmd} add 20000 divert natd ip from any to any out via ${oif}
${fwcmd} add 65000 allow all from any to any out
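An added example, not part of Daemon's post or of the rule Graham supplied: it shows one likely reason outbound packets never reach rule 20000 (the dummynet pipe at rule 70 matches them first, and with the default sysctl net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted without visiting later rules), a reordered outbound section that runs the divert before the pipe, and a small ordering check a reviewer can run over the rule listing. It assumes the interface names and subnet from the post and uses FWCMD=echo as a dry run, so nothing is loaded unless FWCMD is set to /sbin/ipfw.

```sh
#!/bin/sh
# Added example, not the original ruleset. With net.inet.ip.fw.one_pass=1 (the
# default) a packet that exits a dummynet pipe is accepted on the spot, so an
# outbound pipe rule numbered below the divert sends the packet out un-NATed.
# Either place the divert ahead of the pipe (done here) or set one_pass=0.
# FWCMD defaults to "echo" so the rules print as a dry run instead of loading.
fwcmd="${FWCMD:-echo}"
oif="re0"                # public interface, as in the original post
iip="172.16.140.0/24"    # internal subnet, as in the original post

# Outbound section with the divert placed ahead of the shaping pipe.
outbound_rules() {
    # NAT first: natd rewrites the private source address.
    ${fwcmd} add 290 divert natd ip from ${iip} to any out via ${oif}
    # Shape afterwards. The source is now the public address, so match on
    # the transmit interface rather than on ${iip}.
    ${fwcmd} add 295 pipe 1 ip from any to any out xmit ${oif}
    ${fwcmd} pipe 1 config bw 35Kbits/s queue 40Kbytes
}

# Print the number of the first rule in listing $1 whose text matches the
# extended regex $2. Works on "add N ..." script lines and dry-run output.
rule_number() {
    printf '%s\n' "$1" | awk -v re="$2" '$0 ~ re {
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i + 0; exit } }'
}

# Sanity check: succeeds only when the first outbound divert carries a lower
# rule number than the first outbound pipe rule, so the pipe can never accept
# packets before natd has seen them.
divert_precedes_pipe() {
    dnum=$(rule_number "$1" 'divert natd .* out ')
    pnum=$(rule_number "$1" ' pipe [0-9]+ .* (out|xmit) ')
    [ -n "$dnum" ] && [ -n "$pnum" ] && [ "$dnum" -lt "$pnum" ]
}
```

Run it with `FWCMD=echo sh script.sh` and feed the printed lines to `divert_precedes_pipe` before loading anything for real.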