Re: stateful ipfw



sam wrote:

Hi,

Can anyone please tell me how to define a stateful ipfw rule? I'm with
FreeBSD 5.2+.
I heard that ipfw in older versions of FreeBSD is not stateful. In 5.2+,
do I need to add patches to the ipfw source and rebuild the kernel src with
the new patches?

Thanks
Sam

I haven't used ipfw in years, but I found my old ruleset from when I used to
run it on 4.x with a dial-up account. I don't know if it's the best ruleset
in the world or even if it applies to >5.x, but I used it for quite some
time before moving to IPF/IPNAT and subsequently to PF.

Notice the "check-state" command right after the divert rule. Then look for
the "keep-state" statements in the rules where it is used. Hope it is
useful; it is only meant as an example. YMMV.

---- /etc/firewall/fwrules: ------------------------------

#!/bin/sh
# Firewall rules for a dial-up gateway: ppp0 is the outside (dial-up)
# interface, xl0 the inside LAN, natd does the address translation.

fwcmd="/sbin/ipfw"
$fwcmd -f flush
# Trust the loopback and the inside interface completely.
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
# Nothing bound for the loopback net should be seen on any other interface.
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

# Hand every packet crossing ppp0 to natd for translation.  The translated
# packet re-enters the ruleset at the rule following the divert, so the
# stateful rules below see post-NAT addresses.
$fwcmd add divert natd all from any to any via ppp0
# Look the packet up in the dynamic rule table that keep-state fills.  On a
# match the action of the rule that created the entry (allow) is taken and
# processing stops here.
$fwcmd add check-state

# Port opened for web server - tcp_drop_synfin was removed.  No state is
# kept; port 80 traffic in both directions is allowed statically.
$fwcmd add allow tcp from any to any 80 via ppp0

# Inbound UDP addressed to this host is dropped; any other UDP crossing
# ppp0 is allowed and creates a dynamic rule for the reverse flow.
$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
# ICMP destination unreachable (3) and source quench (4), either direction.
$fwcmd add allow log icmp from any to any icmptypes 3,4

# Refuse inbound connection attempts (SYN without ACK) arriving on ppp0.
$fwcmd add deny log tcp from any to any in recv ppp0 setup
# Outbound connection attempts create the dynamic rule that lets the
# replies through at check-state above.
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
# Packets of connections already under way (RST or ACK bit set).
$fwcmd add allow tcp from any to any via ppp0 established keep-state

# Outbound echo request, inbound echo reply and time exceeded (traceroute).
$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

# Explicit, logged catch-all denies just below the kernel default rule 65535.
$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

-Jason
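A minimal host-only stateful ruleset, added here as an example; it is not part of Jason's post nor a FreeBSD rc script. It isolates the two halves of ipfw's dynamic filtering that the ruleset above relies on: "check-state" near the top looks the packet up in the dynamic rule table, and "keep-state" on the allow rules for outbound TCP setup, UDP and echo request fills that table, so the replies are accepted at check-state and no blanket "established" rule is needed. Both keywords are part of the stock ipfw (the 4.x ruleset above already uses them); no kernel patch is involved, only "options IPFIREWALL" or the ipfw module. Assumptions, all hypothetical: the outside interface is ppp0 (override with OIF), the host runs an SSH server on port 22, and there is no natd in the path, because with "divert natd" in front of the stateful rules the dynamic entries are keyed on the translated addresses and inbound replies will not match them unless the ruleset is arranged for that. load_rules takes an optional command in place of /sbin/ipfw so the invocations can be dry-run with "echo" on any machine.

```shell
#!/bin/sh
# Minimal host-only stateful ipfw ruleset.  Added example, not from the
# original post.  Hypothetical assumptions: outside interface ppp0
# (override with OIF), an SSH server on port 22, no natd in the path.

oif="${OIF:-ppp0}"

# Emit the rule bodies, one per line, in the order they must be loaded.
# check-state (200) has to precede every keep-state rule: a packet that
# belongs to an existing dynamic entry is accepted there with the action
# of the rule that created the entry, and never reaches the final deny.
stateful_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny log ip from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
add 200 check-state
add 300 allow tcp from me to any out via ${oif} setup keep-state
add 310 allow udp from me to any out via ${oif} keep-state
add 320 allow icmp from me to any out via ${oif} icmptypes 8 keep-state
add 400 allow tcp from any to me 22 in via ${oif} setup keep-state
add 410 allow icmp from any to any in via ${oif} icmptypes 3,4,11
add 500 deny log tcp from any to any in via ${oif} setup
add 65000 deny log ip from any to any
EOF
}

# Flush and load.  Pass an alternative command (e.g. "echo") as $1 to see
# the ipfw invocations without touching the live firewall.
load_rules() {
    fw="${1:-/sbin/ipfw}"
    "$fw" -q -f flush || return 1
    stateful_rules | while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended
        "$fw" -q $rule || exit 1
    done
}

# Sanity check of the generated order: every keep-state rule must come
# after check-state, and the last rule must be the catch-all deny.
check_order() {
    stateful_rules | awk '
        /check-state/         { seen = 1 }
        /keep-state/ && !seen { bad = 1 }
        { last = $0 }
        END { if (last !~ /^add 65000 deny/) bad = 1; exit (bad ? 1 : 0) }'
}
```

After loading on the FreeBSD box, "ipfw -d show" lists the dynamic entries next to the static rules and "sysctl net.inet.ip.fw.dyn_count" gives their number; the per-protocol lifetimes live under net.inet.ip.fw.dyn_*_lifetime and the table size under net.inet.ip.fw.dyn_max. The "log" keyword only produces output with net.inet.ip.fw.verbose=1 (or "options IPFIREWALL_VERBOSE" in the kernel).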

