Date: Wed, 08 Mar 2006 14:12:25 -0000
From: Martin Tournoy <carpetsmoker@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Network bridge with IPFW, can't get it working
Message-ID: <op.s53lqzxsipwu61@anyhost.anywhere>
[-- Attachment #1 --]

Here's the situation: I work at a computer repair shop. As we all know, viruses, ad-ware and other mal-ware are a huge problem in the Windows world, and a lot of people come to us to have their PCs cleaned up. Some of those programs spread themselves actively, or are used as "zombie computers", which is somewhat of a problem for us because it can infect other PCs on the net; also, our ISP (temporarily) shut us down some time ago for security reasons.

We have a firewall on our router, but it only blocks incoming traffic from the net, which makes life a bit easier because we don't have to open up ports for all kinds of programs all the time.

Since we more or less need internet on infected PCs (to download virus-scanners, updates, etc.), I'm trying to set up a bridge with a firewall (IPFW), which should separate and filter any bad traffic before it goes to the internet.

Problem is, it doesn't work (which is secure, but not quite what I intended). The bridge works fine; if I shut down IPFW (or tell IPFW to allow everything) I have network access, so no problems there... If I scan for DHCP servers, it finds the server and DNS, but doesn't get an IP address (?!) for some reason, no matter what I do...

My rc.firewall is attached. I made it as simple as possible; complexity and spiffy features can always be added later, let's get the thing working first... I would really appreciate it if someone looked over it, there are probably errors in there.

What the REAL problem is, is that I'm a real novice at firewalls, and some things really confuse me, more specifically:

- The 'bridged' keyword, does it HAVE to be added to every rule? Or is it just recommended? Or just specific rules?
- Which ports do I need to open? I think I have all I need now (DHCP, DNS, http, https, ping), maybe there's some hidden port I forgot?
- Should I use PF? (Is it easier for a novice?)
- Should I just set up a separate LAN? Bridging seems simpler, but doesn't seem to be very common/well documented...

I don't think it matters, but just in case: I'm using two 3Com 3C905B-TX NICs (xl).

My uname -a is:
FreeBSD filtershit.ictwerkplaats.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Wed Feb 22 12:47:58 UTC 2006 carpetsmoker@.ictwerkplaats.org:/usr/obj/usr/src/sys/FILTERSHIT i387

[-- Attachment #2 --]

#!/bin/sh
# Bridge, protect one side (xl0) from the other (xl1), prevent all traffic going from xl1 to xl0.

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="xl0"

# No restrictions on Inside LAN Interface for private network
$cmd 005 allow all from any to any via xl1 bridged

# No restrictions on Loopback Interface
$cmd 010 allow all from any to any via lo0

# Allow out access to my ISP's Domain name server.
$cmd 020 allow tcp from any to 194.109.6.66 53 via $pif bridged
$cmd 021 allow udp from any to 194.109.6.66 53 via $pif bridged

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 allow udp from any to 192.168.100.1 67 via $pif bridged
$cmd 031 allow udp from any to 192.168.100.1 68 via $pif bridged

# Allow out non-secure standard www function
$cmd 040 allow tcp from any to any 80 via $pif bridged

# Allow out secure www function https over TLS SSL
$cmd 050 allow tcp from any to any 443 via $pif bridged

# Allow ping
$cmd 080 allow icmp from any to any via $pif bridged

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Allow traffic from my DHCP server.
$cmd 360 allow tcp from 192.168.100.1 to any 68 via $pif bridged
$cmd 361 allow udp from 192.168.100.1 to any 68 via $pif bridged

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any via $pif bridged

# Everything else is denied by default
$cmd 999 deny log all from any to any
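As an added illustration, not part of the original mail or of FreeBSD's ipfw, here is a small Python first-match simulator over the posted rules. It assumes the repair-LAN clients' packets are evaluated against $pif (xl0), as the script intends, and shows why a DHCP DISCOVER, which a client without an address broadcasts to 255.255.255.255:67 rather than sending to the server's own address, falls through to the logging deny at rule 400 while the server's OFFER is let in by rule 361; the FIXED set and the 192.168.100.23 / 198.51.100.10 sample addresses are constructed for the example.

```python
# Added example, not from the mail or from FreeBSD: a first-match simulator for
# the posted rc.firewall rules, reduced to the fields those rules actually use.
from collections import namedtuple

# One ipfw rule reduced to the fields the posted set uses: src/dst are "any" or
# one IPv4 address, dport None means any port, iface is "any" or an interface.
Rule = namedtuple("Rule", "num action proto src dst dport iface")
Packet = namedtuple("Packet", "proto src dst dport iface")  # iface = where ipfw sees it

# The posted rules in order (330 'frag in' left out: it needs fragment state).
RULES = [
    Rule(5,   "allow", "all",  "any", "any", None, "xl1"),
    Rule(10,  "allow", "all",  "any", "any", None, "lo0"),
    Rule(20,  "allow", "tcp",  "any", "194.109.6.66", 53, "xl0"),
    Rule(21,  "allow", "udp",  "any", "194.109.6.66", 53, "xl0"),
    Rule(30,  "allow", "udp",  "any", "192.168.100.1", 67, "xl0"),
    Rule(31,  "allow", "udp",  "any", "192.168.100.1", 68, "xl0"),
    Rule(40,  "allow", "tcp",  "any", "any", 80, "xl0"),
    Rule(50,  "allow", "tcp",  "any", "any", 443, "xl0"),
    Rule(80,  "allow", "icmp", "any", "any", None, "xl0"),
    Rule(360, "allow", "tcp",  "192.168.100.1", "any", 68, "xl0"),
    Rule(361, "allow", "udp",  "192.168.100.1", "any", 68, "xl0"),
    Rule(400, "deny",  "all",  "any", "any", None, "xl0"),
    Rule(999, "deny",  "all",  "any", "any", None, "any"),
]

# A client with no address yet sends DHCP DISCOVER/REQUEST from 0.0.0.0:68 to
# the broadcast 255.255.255.255:67 (RFC 2131), so rule 30, which names the
# server's unicast address, never sees it. FIXED adds the missing broadcast rule.
FIXED = RULES + [Rule(32, "allow", "udp", "any", "255.255.255.255", 67, "xl0")]

def first_match(rules, pkt):
    """ipfw semantics: rules are walked by number and the first match decides."""
    for r in sorted(rules, key=lambda r: r.num):
        if (r.proto in ("all", pkt.proto) and r.src in ("any", pkt.src)
                and r.dst in ("any", pkt.dst) and r.dport in (None, pkt.dport)
                and r.iface in ("any", pkt.iface)):
            return r.num, r.action
    raise LookupError("no rule matched")  # cannot happen while rule 999 exists

# Constructed packets, assumed (as the script intends) to be evaluated on xl0.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67, "xl0")
DHCP_OFFER = Packet("udp", "192.168.100.1", "255.255.255.255", 68, "xl0")
HTTPS = Packet("tcp", "192.168.100.23", "198.51.100.10", 443, "xl0")

if __name__ == "__main__":
    for name, p in (("DISCOVER", DHCP_DISCOVER), ("OFFER", DHCP_OFFER), ("HTTPS", HTTPS)):
        print(f"{name:8s} posted={first_match(RULES, p)} fixed={first_match(FIXED, p)}")
```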
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.s53lqzxsipwu61>
