From: Коньков Евгений <kes-kes@yandex.ru>
Date: Sun, 5 Feb 2012 17:14:13 +0200
To: Bill Tillman
Cc: freebsd-net@freebsd.org
Subject: Re: HowTo easy use IPFW
Message-ID: <675283668.20120205171413@yandex.ru>
In-Reply-To: <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>
List-Id: Networking and TCP/IP with FreeBSD

Hello, Bill. You wrote on 5 February 2012 at 14:05:13:

BT> From: Julian Elischer
BT> To: Коньков Евгений
BT> Cc: freebsd-net@freebsd.org; freebsd-questions@freebsd.org
BT> Sent: Sunday, February 5, 2012 2:15 AM
BT> Subject: Re: HowTo easy use IPFW
BT>
BT> On 2/4/12 10:53 PM, Julian Elischer wrote:
>> On 2/2/12 1:33 AM, Коньков Евгений wrote:
>>> This is my script which helps me keep my firewall very clean and safe.
>>>
>>> It is easy to understand even if you have thousands of rules, I think.
>>>
>>> Please comment.
>>>
>>> PS. If anybody can, please put it into the ports tree. Thank you.
>>
>> It would probably get more response if it was in a file format we had heard of... like tar...
>>
>> is a ".rar" file?
BT> BTW the "stuffit" expander on a Mac seems to be able to handle it...
BT> I can see that this would allow you to manage very complex rule
BT> sets while keeping errors under control.
BT> I find the syntax hard to follow, however.
BT> I guess that comes from it being a relatively simple perl script doing the work.
BT> It would be nice to get rid of the line numbers entirely in the specifications
BT> and allow the program to completely specify them using symbolic definitions instead.
>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
BT> *.rar files have been around a long time. They are created by a
BT> program called Winrar. I never understood the need for this because
BT> ever since M$ started including support for zip files built right
BT> into Windows Explorer there's no need for an additional compression
BT> utility. There are some studies which show Winrar is a little more
BT> efficient with its compression but with today's 2 TB hard drive
BT> prices, disk space is not such a premium anymore. FreeBSD actually
BT> has a port for it, "/usr/ports/archivers/rar". I have found that
BT> this program is mostly used by hackers on the bittorrent sites who
BT> steal and distribute copyrighted software and transmit trojans and
BT> viruses so it's been my habit to avoid rar files. If someone I
BT> trust sends it I will open it but I don't plan on opening up this
BT> guy's ipfw rule set for that very reason. The other reason is that
BT> any rule set with 1,000 lines in it has got to be overkill.
BT> The simplest advice I could offer here is this:
BT> The only truly safe firewall ruleset consists of one rule and that is:
BT>
BT> deny all from any to any
BT>
BT> If you must have Internet access, and we all do, then the next simplest rule set would be:
BT> Build your kernel to have IPFW deny all traffic by default
BT> Allow only the ports you deem necessary for your needs
BT> Deny all other traffic
BT>
BT> After you've examined your log files for a few weeks, turn off
BT> logging because it's usually just a bunch of crap from IP
BT> addresses in China, Amsterdam, or maybe an odd one here and there
BT> coming from another source, trying to hack into your computer. I
BT> have found over many years that it doesn't pay anything to know
BT> about all the attempted attacks. It only pays to stop them cold
BT> and the above simple rule set will do just that.

Yes, and I suggest the same thing: first deny all, then allow only the packets you want to pass. So I have these default rules:

65500 deny log ip from any to any
65535 deny ip from any to any

But for a router which has many interfaces and a flat set of firewall rules, it is hard to keep it clean.
My script allows separating the rules for each interface into its own file.

Simple example: allow any traffic through vlan153

cat f_vlan153
################# GOSUB 099 SPLIT #################
#IN TRAFFIC (100-499)
490 allow in recv $iface
#################
#out TRAFFIC (500-899)
890 allow out xmit $iface
#################
# >=900 rules are reserved for other stuff

will be expanded as:

00999 skipto 8000 ip from any to any via vlan153
08099 skipto 8100 ip from any to any in recv vlan153
08099 skipto 8500 ip from any to any out xmit vlan153
08099 deny log ip from any to any via vlan153
08099 skipto 65000 ip from any to any
08490 allow ip from any to any in recv vlan153
08499 deny log ip from any to any via vlan153
08499 skipto 65000 ip from any to any
08890 allow ip from any to any out xmit vlan153
08899 deny log ip from any to any via vlan153
08899 skipto 65000 ip from any to any

And a more complex one: NAT packets that are going through vlan407, and queue incoming traffic so each host in the LAN is shaped to 2 Mbit/s, for example.
Allow some subnet and host from the LAN to access the internet: 10.12.50.0/24 and 10.11.43.58
I.N.E.T - your external IP, like '155.7.43.16'

cat f_pipes
c pipe 52 config bw 2097152bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 52 config pipe 12 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

cat f_vlan407
NAT ip I.N.E.T unreg_only reset
################# GOSUB 099 SPLIT #################
#IN TRAFFIC (100-499)
256 NAT all from any to I.N.E.T in recv $iface
275 queue 52 all from any to any in recv $iface
490 allow in recv $iface
#################
#out TRAFFIC (500-899)
757 NAT 101 all from 10.12.50.0/24 to any out xmit $iface
758 NAT 101 all from 10.11.8.12 to any out xmit $iface
890 allow out xmit $iface
#################
# >=900 rules are reserved for other stuff

will be expanded as:

00999 skipto 23000 ip from any to any via vlan407
23099 skipto 23100 ip from any to any in recv vlan407
23099 skipto 23500 ip from any to any out xmit vlan407
23099 deny log ip from any to any via vlan407
23099 skipto 65000 ip from any to any
23256 nat 101 ip from any to I.N.E.T in recv vlan407
23275 queue 52 ip from any to any in recv vlan407
23490 allow ip from any to any in recv vlan407
23499 deny log ip from any to any via vlan407
23499 skipto 65000 ip from any to any
23757 nat 101 ip from 10.12.50.0/24 to any out xmit vlan407
23758 nat 101 ip from 10.11.8.12 to any out xmit vlan407
23890 allow ip from any to any out xmit vlan407
23899 deny log ip from any to any via vlan407
23899 skipto 65000 ip from any to any

# ipfw nat show config
ipfw nat 101 config ip I.N.E.T unreg_only reset

--
Regards,
Коньков
mailto:kes-kes@yandex.ru
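The expansion the two examples above illustrate, as an added Python re-implementation (this is not the author's Perl script, which is not on this page): given a per-interface file in the GOSUB 099 SPLIT layout, the interface name and the block base (8000 for vlan153, 23000 for vlan407), it substitutes $iface, writes 'all' as 'ip', gives a bare 'allow in recv' its 'ip from any to any' match part, and emits the 099/499/899 deny-log-plus-skipto scaffolding that keeps unmatched packets from falling through into the next interface's block. The global deny rule 65000 is taken from the expanded output; the unnumbered NAT config line of f_vlan407 is not handled.

```python
# Constructed copy of the f_vlan153 file from the mail (added example).
F_VLAN153 = """\
################# GOSUB 099 SPLIT #################
#IN TRAFFIC (100-499)
490 allow in recv $iface
#################
#out TRAFFIC (500-899)
890 allow out xmit $iface
#################
# >=900 rules are reserved for other stuff
"""
ANY = "ip from any to any"


def expand(text, iface, base, deny_rule=65000):
    """Expand a GOSUB 099 SPLIT rule file into numbered ipfw rules.

    Rule 999 jumps into the interface's block at base; base+099 splits it into
    inbound (100-499) and outbound (500-899), and each range ends with 'deny
    log' plus a skipto to the global deny rule, so a packet matching nothing is
    logged and dropped instead of falling through into the next block.
    """
    in_rules, out_rules = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                          # comments and the SPLIT banner
        num, body = line.split(None, 1)
        num = int(num)
        if not 100 <= num < 900:
            raise ValueError(f"rule {num}: only 100-899 are expandable")
        words = body.replace("$iface", iface).split()
        if "from" in words:                   # 'all from ...' is emitted as 'ip'
            i = words.index("from") - 1
            if i >= 0 and words[i] == "all":
                words[i] = "ip"
        else:                                 # bare 'allow in recv X' gets a match part
            k = next((j for j, w in enumerate(words) if w in ("in", "out")), len(words))
            words[k:k] = ANY.split()
        (in_rules if num < 500 else out_rules).append(f"{base + num:05d} {' '.join(words)}")
    split = base + 99
    out = [f"00999 skipto {base} {ANY} via {iface}",
           f"{split:05d} skipto {base + 100} {ANY} in recv {iface}",
           f"{split:05d} skipto {base + 500} {ANY} out xmit {iface}",
           f"{split:05d} deny log {ANY} via {iface}",
           f"{split:05d} skipto {deny_rule} {ANY}"]
    for rules, end in ((in_rules, base + 499), (out_rules, base + 899)):
        out += rules + [f"{end:05d} deny log {ANY} via {iface}",
                        f"{end:05d} skipto {deny_rule} {ANY}"]
    return out
```

Running expand(F_VLAN153, "vlan153", 8000) reproduces the eleven vlan153 rules shown in the mail line for line.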