Date:      Wed, 5 Jan 2000 15:45:17 -0500 (EST)
From:      Stan Brown <stanb@netcom.com>
To:        freebsd-questions@freebsd.org (Free BSD Questions list)
Subject:   ipfw rules question
Message-ID:  <200001052045.MAA03409@netcom.com>

	I have a FreeBSD laptop which I dial into my home network with. The
	home network uses a real class C network number, which is then aliased
	to the IP address of my cablemodem provider by my NAT. The ppp interface
	to/from the remote laptop is in the 198. network grouping.

	Now here is the problem: ntp packets (and perhaps others) from the laptop
	no longer make it out onto the net since I started using ipfw. It
	appears to me that these rules:

	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

	may be stopping them; however I would have thought that they would have
	gotten translated by the divert rule before hitting these rules.

	Any ideas on what I am doing wrong?

	Here's my firewall config file:

    fwcmd="/sbin/ipfw"

    $fwcmd -f flush

    # needed for natd
    $fwcmd add divert natd all from any to any via ${natd_interface}

    # set these to your outside interface network and netmask and ip
    oif="ed1"
    onet="24.6.61.0"
    omask="255.255.255.0"
    oip="24.6.61.166"

    # set these to your inside interface network and netmask and ip
    iif="ed0"
    inet="205.159.77.0"
    imask="255.255.255.0"
    iip="192.159.77.234"

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny tcp from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny tcp from any to 10.0.0.0:255.0.0.0 via ${oif}
    $fwcmd add deny udp from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny udp from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email 
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow outgoing email 
    $fwcmd add pass tcp from ${inet}:${imask} to any 25 setup
    $fwcmd add pass tcp from any to any 113 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    #allows telnet
    # can take this out when I get ssh support on all machines
    # I might need to come in from
    $fwcmd add pass tcp from any to any 23 in recv ${oif} setup

    #allows ssh
    $fwcmd add pass tcp from any to any 22 in recv ${oif} setup

    #allows ftp
    $fwcmd add pass tcp from any to any 20 in recv ${oif} setup
    $fwcmd add pass tcp from any to any 21 in recv ${oif} setup
    $fwcmd add pass tcp from any 20 to any in recv ${oif} setup
    $fwcmd add pass tcp from any 21 to any in recv ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Allow outbound pings
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 0
    $fwcmd add pass icmp from any to any out xmit ${oif} icmptypes 8
    
    # Allow outbound traceroutes
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 3
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 11
    
    # Everything else is denied as default.

-- 
Stan Brown     stanb@netcom.com                                    404-996-6955
Factory Automation Systems
Atlanta Ga.
-- 
Look, look, see Windows 95.  Buy, lemmings, buy!   
Pay no attention to that cliff ahead...            Henry Spencer
(c) 1998 Stan Brown.  Redistribution via the Microsoft Network is prohibited.
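As an added illustration (not ipfw itself and not code from this thread), the
following Python script is a toy first-match evaluator for the UDP-relevant
rules of the posted file, in the same order. It encodes two ipfw facts: a
forwarded packet is checked twice, once on input on the interface it arrived
on and once on output on the interface it leaves by, with "via X" matching the
interface of the current pass; and a divert rule hands the packet to natd and
then resumes at the next rule. The values of ${oif}, ${iif}, ${oip}, ${inet}
and ${onet} are taken from the posted config; the ppp interface name tun0,
the laptop address 192.168.1.5 and the NTP server 192.0.2.10 are constructed
assumptions, and natd is modelled only as an outbound rewrite of a private
source address to ${oip}.

```python
"""Toy first-match evaluator for the UDP-relevant subset of the posted ipfw
rule set (an added illustration, not ipfw and not code from the thread).
ipfw checks a forwarded packet twice: once on input on the interface it
arrived on, once on output on the interface it leaves by. 'via X' matches
the interface of the current pass, and a divert rule hands the packet to
natd and then resumes at the next rule."""
import ipaddress

# ${oif}, ${iif}, ${oip}, ${inet} and ${onet} are the values from the posted
# config; the ppp interface name and every packet address are constructed.
OIF, IIF, OIP = "ed1", "ed0", "24.6.61.166"
INET, ONET = "205.159.77.0/24", "24.6.61.0/24"
PPP_IF = "tun0"   # assumed name of the laptop's ppp link (not in the post)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec)


def rule(action, proto, src, dst, sport=None, dport=None, direction=None, via=None):
    return {"action": action, "proto": proto, "src": net(src), "dst": net(dst),
            "sport": sport, "dport": dport, "direction": direction, "via": via}


# Same order as the posted file. TCP and ICMP rules are left out because they
# can never match a UDP packet; rule numbers here are for reporting only.
RULES = [
    rule("divert", "all", "any", "any", via=OIF),                 # divert natd
    rule("deny", "all", INET, "any", direction="in", via=OIF),    # stop spoofing
    rule("deny", "all", ONET, "any", direction="in", via=IIF),
    rule("deny", "all", "192.168.0.0/16", "any", via=OIF),        # RFC1918 nets
    rule("deny", "all", "any", "192.168.0.0/16", via=OIF),
    rule("deny", "all", "172.16.0.0/12", "any", via=OIF),
    rule("deny", "all", "any", "172.16.0.0/12", via=OIF),
    rule("deny", "udp", "10.0.0.0/8", "any", via=OIF),
    rule("deny", "udp", "any", "10.0.0.0/8", via=OIF),
    rule("pass", "udp", "any", OIP + "/32", sport=53),            # DNS
    rule("pass", "udp", OIP + "/32", "any", dport=53),
    rule("pass", "udp", "any", OIP + "/32", sport=123),           # NTP
    rule("pass", "udp", OIP + "/32", "any", dport=123),
]
for i, r in enumerate(RULES):
    r["num"] = 100 * (i + 1)
DEFAULT = dict(rule("deny", "all", "any", "any"), num=65535)   # default deny


def matches(r, pkt, direction, iface):
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dst"] and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["sport"] is not None and pkt["sport"] != r["sport"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    if r["direction"] and r["direction"] != direction:
        return False
    return not r["via"] or r["via"] == iface


def run_pass(pkt, direction, iface):
    """One ipfw pass; returns (rule number, action, packet as it leaves the pass)."""
    pkt = dict(pkt)
    for r in RULES + [DEFAULT]:
        if not matches(r, pkt, direction, iface):
            continue
        if r["action"] == "divert":
            # natd stand-in: only outbound source rewriting of a private address
            if direction == "out" and any(ipaddress.ip_address(pkt["src"]) in n
                                          for n in PRIVATE):
                pkt["src"] = OIP
            continue   # processing resumes at the rule after the divert
        return r["num"], r["action"], pkt


def forward(pkt, recv_if, xmit_if):
    """Both passes of a forwarded packet: input on recv_if, then output on xmit_if."""
    trace = []
    num, action, pkt = run_pass(pkt, "in", recv_if)
    trace.append(("in", recv_if, num, action))
    if action == "pass":
        num, action, pkt = run_pass(pkt, "out", xmit_if)
        trace.append(("out", xmit_if, num, action))
    return trace, pkt


# Constructed sample: an NTP query from the laptop behind the ppp link.
LAPTOP_NTP = {"proto": "udp", "src": "192.168.1.5", "dst": "192.0.2.10",
              "sport": 123, "dport": 123}

if __name__ == "__main__":
    print("outbound pass only:", run_pass(LAPTOP_NTP, "out", OIF)[:2])
    print("full forward walk :", forward(LAPTOP_NTP, PPP_IF, OIF)[0])
```

Running the outbound pass on its own confirms the ordering the post expects:
the divert rule fires first, the stand-in natd rewrites the source to ${oip},
and the RFC1918 denies no longer match, so the packet reaches the "from ${oip}
to any 123" pass rule. The full two-pass walk shows the earlier input pass on
the ppp interface ending at the default rule instead, because no rule in the
list passes a UDP 123 packet whose source is not ${oip}. On the live box the
same question is answered by `ipfw -a list`, which prints the per-rule packet
counters and shows which rule is absorbing the traffic.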