IPFW rules being weird?

From: Dan (dan_at_ntlbusiness.com)
Date: 10/24/03

    To: freebsd-net@freebsd.org
    Date: Fri, 24 Oct 2003 02:10:14 +0100

    Hello there.
    Odd query for you.

    My setup is that sis0 is the ethernet which has the business cable modem
    attached to it - which serves as a gateway. sis1 is the Ethernet which my
    laptop connects to (wirelessly through a HE501 wireless pc card, and HE102
    access point (both by Netgear)).

    The problem that is occurring is that if I have the IPFW rules below,
    everything works GREAT!

    fwcmd="/sbin/ipfw"
    $fwcmd -f flush
    $fwcmd add divert natd all from any to any via sis0
    $fwcmd add allow all from any to any
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

    However, the above is not "secure" as you might say.
    The script below stops the laptop from being able to access the net and I have
    NO idea why!

    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference. Helps to make it easier to read.
    fwcmd="/sbin/ipfw"

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the tunnel interface.
    $fwcmd add 50 divert natd all from any to any via sis0

    # Allow all connections that have dynamic rules built for them,
    # but deny established connections that don't have a dynamic rule.
    # See ipfw(8) for details.
    $fwcmd add check-state
    $fwcmd add pass tcp from any to any established

    # Allow all localhost connections
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Allow all connections from my network card that I initiate
    $fwcmd add allow tcp from me to any out xmit any setup keep-state
    $fwcmd add deny tcp from me to any
    $fwcmd add allow ip from me to any out xmit any keep-state
    $fwcmd add allow all from 192.168.0.0/24 to any

    # Everyone on the Internet is allowed to connect to the following
    # services on the machine. This example specifically allows connections
    # to sshd and a webserver.
    $fwcmd add allow tcp from any to any established
    $fwcmd add allow tcp from any to me 80 setup
    $fwcmd add allow tcp from any to me 21 setup
    $fwcmd add allow tcp from any to me 22 setup

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to me 113 in recv any

    # Enable ICMP: remove type 8 if you don't want your host to be pingable
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

    # Deny all the rest.
    $fwcmd add deny log ip from any to any

    If you can help with this it'd be much appreciated.
    Thanks!!!

    Running FreeBSD 4.8-RELEASE.
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

