Re: IPFW acting weird OR invalid ruleset?

From: Remko Lodder (remko_at_elvandar.org)
Date: 06/29/04

    Date: Tue, 29 Jun 2004 21:58:45 +0200
    To: whizkid@ValueDJ.com


    whizkid@ValueDJ.com wrote:

    > Hey everyone. Below is my natd.conf file and my rc.firewall.rules file. I
    > cannot figure it out, but if one of my machines that is behind my
    > Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
    > to connect.

    Does ipfw offer logging (I don't know ipfw)? Perhaps you can see why
    it gets blocked there (ehm, I presume it gets blocked).

    But perhaps an ipfw guru should help ;-)

    Cheers

    >
    > FreeBSD 5.2.1 machine with 2 nics.
    >
    > xl0 outside Nic
    > fxp0 inside Nic
    >
    > rc.conf:
    >
    > # enable firewall
    > firewall_enable="YES"
    > # set path to custom firewall config
    > firewall_type="/etc/fw/rc.firewall.rules"
    > # be non-verbose? set to YES after testing
    > firewall_quiet="NO"
    > # enable natd, the NAT daemon
    > natd_enable="YES"
    > # which is the interface to the internet that we hide behind?
    > natd_interface="xl0"
    > # flags for natd
    > natd_flags="-f /etc/fw/natd.conf"
    >
    >
    > natd.conf:
    >
    > unregistered_only
    > interface xl0
    > use_sockets
    > dynamic
    > # dynamically open fw for ftp, irc
    > punch_fw 2000:50
    >
    >
    > rc.firewall.rules:
    >
    > # be quiet and flush all rules on start
    > -q flush
    >
    > # allow local traffic, deny RFC 1918 addresses on the outside
    > add 00100 allow ip from any to any via lo0
    > add 00110 deny ip from any to 127.0.0.0/8
    > add 00120 deny ip from any to any not verrevpath in
    > add 00301 deny ip from 10.0.0.0/8 to any in via xl0
    > add 00302 deny ip from 172.16.0.0/12 to any in via xl0
    > add 00303 deny ip from 192.168.0.0/16 to any in via xl0
    >
    > # check if incoming packets belong to a natted session, allow through if yes
    > add 01000 divert natd ip from any to me in via xl0
    > add 01001 check-state
    >
    > # allow some traffic from the local net to the router
    > #SMTP
    > add 02000 allow tcp from any to any 25 setup keep-state
    >
    > # SSH
    > add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
    > add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
    >
    > #IMAP-SSL
    > add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
    > add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
    >
    > # NTP
    > add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
    > add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
    > add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
    > add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
    >
    > #webmin
    > add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
    > add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
    >
    > #http
    > add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
    > add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
    >
    > # DNS
    > add 04050 allow udp from any to me dst-port 53 in via fxp0
    > add 04051 allow udp from any to me dst-port 53 in via xl0
    > add 04052 allow tcp from any to me dst-port 53 in via fxp0
    > add 04053 allow tcp from any to me dst-port 53 in via xl0
    >
    > #POP
    > add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
    > add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
    >
    > #HTTPS
    > add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
    > add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
    >
    > #IMAPS
    > add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
    > add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
    >
    > # drop everything else
    > add 04090 deny ip from any to me
    >
    > # pass outgoing packets (to be natted) on to a special NAT rule
    > add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
    >
    > # allow all outgoing traffic from the router
    > add 05010 allow ip from me to any out keep-state
    >
    > # drop everything that has come so far. This means it doesn't belong to an
    > # established connection, don't log the most noisy scans.
    > add 59998 deny icmp from any to me
    > add 59999 deny ip from any to me dst-port 135,137-139,445,4665
    > add 60000 deny log tcp from any to any established
    > add 60001 deny log ip from any to any
    >
    > # this is the NAT rule. Only outgoing packets from the local net will come here.
    > # First, nat them, then pass them on (again, you may choose to be more restrictive)
    > add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
    > add 61001 allow ip from any to any

    -- 
    Kind regards,
    Remko Lodder                   |remko@elvandar.org
    Reporter DSINet                |remko@dsinet.org
    Projectleader Mostly-Harmless  |remko@mostly-harmless.nl
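Remko's suggestion, carried one step further as an added example that is not part of the original thread: ipfw rules that carry the `log` keyword (the poster's rules 60000 and 60001 already do) write one line per matched packet through syslog once the sysctl `net.inet.ip.fw.verbose` is 1, usually ending up in /var/log/security. The script below parses such lines and groups the Deny entries by rule number, protocol, destination port, direction and interface, so the rule that keeps dropping a flow (for FTP, anything touching port 20 or 21) stands out. The log lines, host name and addresses are constructed for the example; they are not output from the poster's machine.

```python
"""Summarise ipfw 'Deny' log lines so the rule that drops a flow can be found."""
import re
from collections import Counter

# Kernel ipfw log line as it appears after the syslog prefix. Layout:
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
# ICMP is logged as "ICMP:<type>.<code>" without ports, hence the loose proto class.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)

# Constructed sample log, not real output from the poster's firewall.
SAMPLE_LOG = """\
Jun 29 21:40:01 fw kernel: ipfw: 60001 Deny TCP 203.0.113.5:20 192.168.1.20:1042 in via xl0
Jun 29 21:40:01 fw kernel: ipfw: 60001 Deny TCP 203.0.113.5:20 192.168.1.20:1042 in via xl0
Jun 29 21:40:04 fw kernel: ipfw: 60001 Deny TCP 203.0.113.5:20 192.168.1.20:1042 in via xl0
Jun 29 21:41:13 fw kernel: ipfw: 59999 Deny TCP 198.51.100.7:3311 192.0.2.10:445 in via xl0
Jun 29 21:41:15 fw kernel: ipfw: 59998 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via xl0
Jun 29 21:41:20 fw sshd[412]: Accepted publickey for admin from 192.168.1.2 port 50123
"""


def parse_ipfw_line(line):
    """Return a dict describing one ipfw log line, or None for unrelated lines."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_denies(log_text):
    """Count Deny lines per (rule, proto, dst port, direction, iface), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is not None and rec["action"] == "Deny":
            key = (rec["rule"], rec["proto"], rec["dport"], rec["direction"], rec["iface"])
            counts[key] += 1
    return counts.most_common()


def denies_for_port(log_text, port):
    """Rule numbers that dropped packets with the given port as source or destination."""
    rules = set()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is not None and rec["action"] == "Deny" and port in (rec["sport"], rec["dport"]):
            rules.add(rec["rule"])
    return sorted(rules)


if __name__ == "__main__":
    for key, n in summarize_denies(SAMPLE_LOG):
        print(f"{n:4d}  rule {key[0]} {key[1]} dport={key[2]} {key[3]} via {key[4]}")
    ftp_rules = sorted(set(denies_for_port(SAMPLE_LOG, 20) + denies_for_port(SAMPLE_LOG, 21)))
    print("rules dropping FTP control/data traffic:", ftp_rules)
```

Run it against the real file with `python3 ipfw_denies.py < /var/log/security` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a rule number that appears repeatedly for port 20 or 21 is the place in rc.firewall.rules to look at first, and the direction and interface fields tell whether the dropped packet is the outbound control connection or the server's inbound data connection.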
    
