From owner-freebsd-questions Fri Jan 31 5:27:41 2003
Date: Fri, 31 Jan 2003 07:18:15 -0600
From: Redmond Militante
To: freebsd-questions@freebsd.org
Subject: please comment on my nat/ipfw rules (resent)
Message-ID: <20030131131815.GA9488@darkpossum>
User-Agent: Mutt/1.4i
hi all

i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network.

external ip of my internal client is aliased to the outside nic of the gateway box

gateway machine's kernel has been recompiled with:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE

gateway's /etc/rc.conf looks like

    defaultrouter="129.x.x.1"
    hostname="hostname.com"
    ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
    #aliasing internal client's ip to the outside nic of gateway box
    ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
    #inside nic of gateway box
    ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
    gateway_enable="YES"
    firewall_enable="YES"
    #firewall_script="/etc/rc.firewall"
    firewall_type="/etc/ipfw.rules"
    natd_enable="YES"
    #natd interface is outside nic
    natd_interface="xl0"
    #natd flags redirect any traffic bound for ip of www3 to internal ip of www3
    natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
    kern_securelevel_enable="NO"
    .........

internal client's /etc/rc.conf looks like

second machine's /etc/rc.conf:

    defaultrouter="10.0.0.1"
    ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
    ................

looks like this setup is working. the internal client is a basic webserver/ftp server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it hooked up to the internal nic of the gateway box.
i am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. the following is my /etc/ipfw.rules on the gateway box.

-----------------------------snip------------------------------

# firewall_type="/etc/ipfw.rules"
# enquirer ipfw.rules

# NAT: hand every packet crossing xl0 to natd on divert port 8668
add 00100 divert 8668 ip from any to any via xl0

# loopback
add 00210 allow ip from any to any via lo0
add 00220 deny ip from any to 127.0.0.0/8
add 00230 deny ip from 127.0.0.0/8 to any

#allow tcp in for nfs shares
#add 00301 allow tcp from 129.x.x.x to any in via xl0
#add 00302 allow tcp from 129.x.x.x to any in via xl0

#allow tcp in for ftp, ssh, smtp, httpd and port 10000
#(ipfw syntax: the port list follows the destination address, before options like "in")
add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0

#deny rest of incoming tcp (any other inbound tcp packet with ACK or RST set)
add 00309 deny log tcp from any to any in established

#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out via xl0

#allow udp in for gateway for DNS
add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

#allow udp in for nfs shares
#add 00401 allow udp from 129.x.x.x to any in recv xl0
#add 00402 allow udp from 129.x.x.x to any in recv xl0

#allow all udp out from machine
add 00404 allow udp from any to any out via xl0

#allow some icmp types (codes not supported)
##########allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##########allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##########allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##########allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in

#everything not matched above is dropped and logged
add 00600 deny log ip from any to any

#--- end ipfw.rules ---#

-----------------------------snip------------------------------

any comments on how i could improve this set of
ipfw rules to better secure my internal client would be appreciated.

thanks again
redmond
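To see what each rule actually decides, here is a small first-match walker over the tcp rules of the posted file, added as an example and not the poster's or FreeBSD's code; the addresses 192.0.2.1 (standing in for the gateway's 129.x.x.1), 192.0.2.20 (for the aliased 129.x.x.20) and 198.51.100.7 (a remote host) are constructed. It shows that an inbound SYN to port 80 hits rule 303, while the SYN/ACK answering a connection the gateway itself opened is caught by rule 309's "in established" before rule 310 is ever reached.

```python
import ipaddress
def _side(w, i):
    """Consume 'addr [port,port,...]' at w[i]; return (addr, port set or None, next index)."""
    addr, ports, i = w[i], None, i + 1
    if i < len(w) and w[i][0].isdigit():
        ports, i = {int(p) for p in w[i].split(",")}, i + 1
    return addr, ports, i

def parse_rules(text):
    """Parse 'add NNN action proto from src [ports] to dst [ports] [options]' lines."""
    rules = []
    for line in text.splitlines():
        w = [t for t in line.split("#", 1)[0].split() if t != "log"]
        if len(w) < 3 or w[0] != "add" or w[2] == "divert":
            continue  # blank line, comment, or the natd hook (not modelled here)
        src, sports, i = _side(w, 5)      # w[4] is "from"
        dst, dports, i = _side(w, i + 1)  # w[i] is "to"
        rules.append((int(w[1]), w[2], w[3], src, sports, dst, dports, w[i:]))
    return sorted(rules, key=lambda r: r[0])  # ipfw walks rules in number order
def _in(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, proto, src, dst, sport, dport, direction, iface="xl0", ack=False):
    """Return (rule number, action) of the first matching rule, or (None, 'default')."""
    for num, action, rproto, rsrc, sports, rdst, dports, o in rules:
        via = o[o.index("via") + 1] if "via" in o else None
        if rproto not in ("ip", proto) or not (_in(rsrc, src) and _in(rdst, dst)):
            continue
        if (sports and sport not in sports) or (dports and dport not in dports):
            continue
        if ("in" in o and direction != "in") or ("out" in o and direction != "out"):
            continue
        if (via and via != iface) or ("established" in o and not (proto == "tcp" and ack)):
            continue
        return num, action
    return None, "default"  # IPFIREWALL_DEFAULT_TO_ACCEPT in the poster's kernel
# The thread's tcp rules (loopback, udp, icmp and the divert hook omitted), with the
# port list of rule 303 placed after "to any", which is where ipfw expects it.
RULES = """
add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0
add 00309 deny log tcp from any to any in established
add 00310 allow tcp from any to any out via xl0
add 00600 deny log ip from any to any
"""
def trace_outbound_https(rules, gw="192.0.2.1", peer="198.51.100.7"):
    """Constructed addresses stand in for the gateway's 129.x.x.1 and a remote host."""
    syn = first_match(rules, "tcp", gw, peer, 50000, 443, "out")               # (310, 'allow')
    syn_ack = first_match(rules, "tcp", peer, gw, 443, 50000, "in", ack=True)  # (309, 'deny')
    return syn, syn_ack
```

The same walker can be pointed at any packet you care about (a DNS reply to an internal host, for instance) to check which rule it lands on before the file is loaded with ipfw.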