Date: Thu, 14 Feb 2002 22:43:30 +0100
From: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
To: Michael Sierchio <kudzu@tenebras.com>, Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Message-ID: <5.1.0.14.0.20020214224151.01c350c0@mail.drwilco.net>
In-Reply-To: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
References: <3C6C2180.3020704@tenebras.com> <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>
At 22:25 14-2-2002 +0100, Rogier R. Mulhuijzen wrote:

----SNIP----

Oops, forgot a few rules at the end (bad copy/paste). So here it is again.

tl0 is the interface on the internal LAN
lnc0 is the interface on the external LAN

--------------------
#divert all http requests from internal network to squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to <internet IP of machine> in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from <some internet IP> to <internet IP of machine> 22 in via lnc0
add 30210 allow tcp from <internet IP of machine> 22 to <some internet IP> out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from <DNS1 IP> 53 to <internet IP of machine> in via lnc0
add 30310 allow udp from <internet IP of machine> to <DNS1 IP> 53 out via lnc0
add 30320 allow udp from <DNS2 IP> 53 to <internet IP of machine> in via lnc0
add 30330 allow udp from <internet IP of machine> to <DNS2 IP> 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from <internet IP of machine> to any out via lnc0 keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

#translate outgoing packets (NAT)
add 34000 divert natd all from any to any out via lnc0

#allow translated packets to go out
add 34010 allow all from 195.109.218.253 to any out via lnc0

#block and log whatever remains (shouldn't be anything)
add 65000 deny log all from any to any
--------------------

Greets,

Doc
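As an added example (not part of the mail, and not ipfw's own code), a small Python model of ipfw's first-match walk over a constructed subset of the ruleset above, with the <...> placeholders replaced by documentation addresses and a constructed natd table; `divert natd` is modelled as rewriting the packet and falling through to the next rule, `skipto` jumps, and dynamic (keep-state) rules are not modelled. Tracing a packet shows which rule it ends on: inbound traffic natd can translate is rewritten at 30000 and accepted by 30110, while outbound traffic from an internal host goes 31010 -> 34000 -> 34010.

```python
import ipaddress, re
# Constructed subset of the mail's ruleset; <...> placeholders replaced with documentation
# addresses (198.51.100.1 stands in for the machine's internet IP).
RULESET = """\
add 30000 divert natd all from any to 198.51.100.1 in via lnc0
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 32000 allow all from 198.51.100.1 to any out via lnc0 keep-state
add 33000 deny log all from any to any
add 34000 divert natd all from any to any out via lnc0
add 34010 allow all from 198.51.100.1 to any out via lnc0
"""
PUBLIC = "198.51.100.1"
NAT_IN = {("tcp", 80): "172.20.0.5"}  # constructed natd state: inbound (proto, port) -> host
RULE = re.compile(r"add (\d+) (allow|deny|skipto \d+|divert \w+)(?: log)? (\w+) from (\S+) to (\S+)"
                  r"(?: (\d+))?(?: (in|out))?(?: via (\w+))?")

def parse(text):
    rules = []
    for m in filter(None, map(RULE.match, text.splitlines())):
        act, *arg = m[2].split()  # e.g. "skipto 34000" -> action skipto, arg 34000
        rules.append({"num": int(m[1]), "action": act, "arg": arg[0] if arg else None,
                      "proto": m[3], "src": m[4], "dst": m[5], "dport": m[6],
                      "dir": m[7], "via": m[8]})
    return sorted(rules, key=lambda r: r["num"])

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["proto"] in ("all", p["proto"]) and in_net(r["src"], p["src"])
            and in_net(r["dst"], p["dst"]) and r["dport"] in (None, str(p["dport"]))
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["via"]))

def trace(rules, p):  # returns (final_action, rule_number, rule_numbers_visited)
    p, i, path = dict(p), 0, []
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            path.append(r["num"])
            if r["action"] in ("allow", "deny"):
                return r["action"], r["num"], path
            if r["action"] == "skipto":
                i = next(k for k, x in enumerate(rules) if x["num"] >= int(r["arg"]))
                continue
            # divert natd: constructed NAT model rewrites the packet, which then falls through
            key = "src" if p["dir"] == "out" else "dst"
            p[key] = PUBLIC if key == "src" else NAT_IN.get((p["proto"], p["dport"]), p["dst"])
        i += 1
    return "deny", 65535, path  # ipfw's implicit default rule
```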