Re: IPFW.

From: chris scott (chris.scott_at_uk.tiscali.com)
Date: 10/19/03

    To: "Dan" <dan@ntlbusiness.com>, "Barney Wolff" <barney@databus.com>
    Date: Sun, 19 Oct 2003 18:23:59 +0100
    
    

    here is a simple firewall that should do what you need and be stateful.
    The key thing to remember is not to add any stateful stuff (keep-state
    rules) before the divert rule for natd, as it really screws things up.
    Note I have put in a fairly open static rule for ssh before the divert
    rule; you may want to tighten this, along with changing the internal
    network ranges and interfaces. The reason for the static ssh rule is to
    safeguard against the case where natd dies. If it does, you are totally
    locked out of the box due to all the traffic disappearing into the divert
    rule, not good. Hope this helps some.

    #!/usr/local/bin/bash
    fwcmd="/sbin/ipfw "
    ${fwcmd} -q flush

    extif="tun0"            # external (NATed) interface
    intif="xl0"             # internal interface
    intnet="192.168.0.0/24" # internal network

    # speedup for rule processing: internal and loopback traffic jumps
    # straight to its own section below
    ${fwcmd} add skipto 20000 all from any to any via ${intif}
    ${fwcmd} add skipto 30000 all from any to any via lo0

    # lets give ssh a bit more protection: static rules placed before the
    # divert so they keep working if natd dies
    ${fwcmd} add allow tcp from any 22 to any out via ${extif}
    ${fwcmd} add allow tcp from any to any 22 in via ${extif}

    # stop priv networks being spoofed
    ${fwcmd} add deny all from any to 172.16.0.0/12 in via ${extif}
    ${fwcmd} add deny all from any to 10.0.0.0/8 in via ${extif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 in via ${extif}

    # let natd do its biz (no keep-state rules above this point)
    ${fwcmd} add divert natd all from any to any via ${extif}

    # let connections out
    ${fwcmd} add allow tcp from any to any out via ${extif} keep-state
    ${fwcmd} add allow udp from any to any out via ${extif} keep-state
    ${fwcmd} add allow icmp from any to any out via ${extif} keep-state

    # let priv networks thru now we are NATed
    ${fwcmd} add allow all from any to 172.16.0.0/12 in via ${extif}
    ${fwcmd} add allow all from any to 10.0.0.0/8 in via ${extif}
    ${fwcmd} add allow all from any to 192.168.0.0/16 in via ${extif}

    # and bog off to the rest of you
    ${fwcmd} add deny log all from any to any via ${extif}

    ##########################################################################
    # lock down internal interface, also acts as a 2nd pass firewall for
    # NATed traffic
    ##########################################################################

    ${fwcmd} add 20000 allow tcp from ${intnet} 22 to ${intnet} out via ${intif}
    ${fwcmd} add allow tcp from ${intnet} to ${intnet} 22 in via ${intif}
    ${fwcmd} add allow tcp from ${intnet} to any keep-state in via ${intif}
    ${fwcmd} add allow udp from ${intnet} to any keep-state in via ${intif}
    ${fwcmd} add allow icmp from ${intnet} to any keep-state in via ${intif}
    ${fwcmd} add deny all from any to any via ${intif}

    ${fwcmd} add 30000 allow ip from any to any via lo0

    ----- Original Message -----
    From: "Dan" <dan@ntlbusiness.com>
    To: "Barney Wolff" <barney@databus.com>
    Cc: <freebsd-net@freebsd.org>
    Sent: Sunday, October 19, 2003 5:21 PM
    Subject: Re: IPFW.

    > On Sunday 19 October 2003 5:19 pm, you wrote:
    > > First, as somebody else suggested, either use numbers on every rule
    > > or none at all. Second, you want to keep-state only on setup, not
    > > on every tcp packet going in either direction, as that will be wide
    > > open. Third, you don't seem to have any rule allowing udp, so dns
    > > lookups are not likely to work. Fourth, did you actually put the
    > > rules into effect? If so, you should see entries in the logs when
    > > packets are denied. Fifth, the rule with 192.168 in it will never
    > > fire, as the address will have been translated by natd before it
    > > gets there.
    > >
    > > Doing ipfw list will show you the rules that exist, and ipfw -atde list
    > > will show you which rules have matched and when.
    >
    > Hmm .. Ok thanks again for your reply.
    > I probably understood 5% of that though ;)
    > I will go and search on google for some of the pointers you've given me .. but
    > I am finding this really hard..it took me absolutely ages just to get that
    > far.
    >
    > Once again thanks for your help!
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"


