Date:      Mon, 21 May 2012 12:36:10 -0400
From:      Michael Powell <nightrecon@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw subnetting
Message-ID:  <jpdqte$7kq$1@dough.gmane.org>
References:  <20120521120027.716761065686@hub.freebsd.org> <20120521232412.B98171@sola.nimnet.asn.au> <4FBA5FB3.5010900@ifdnrg.com> <CAHu1Y719HRS2-tNKTZa5qaeyG78F6KXKrTEkphF9PYSGfPBGNw@mail.gmail.com> <4FBA66DA.7040902@ifdnrg.com>

Paul Macdonald wrote:

[snip]

It has been many years since I used IPFW as I moved on to IPFILTER, and then 
on to PF, which is what I use now. I don't even recall exactly why I chose to 
utilize both, setting directionality of flow per specific interface. I suspect 
that somehow there is some rule occurring prior to your block rule that is 
somehow allowing the traffic to pass.

Bear in mind the following ruleset (specified in /etc/rc.conf via 
firewall_script="/etc/firewall/fwrules") is for a tributary end-point using a 
ppp dialup modem connection. It may not be suitable for a proper 
network-to-network firewall. I used it for years, and as far as I know it 
worked well (I am not an expert). It is also doing NAT, which you may not be 
doing (that would just be a one-line difference in any case, the "DIVERT" line).


# Firewall rules
# Run from /etc/rc.conf via firewall_script="/etc/firewall/fwrules".
# ipfw is first-match: the first rule a packet matches decides its fate.

fwcmd="/sbin/ipfw"
$fwcmd -f flush
# Loopback and the interior (LAN) interface xl0 are trusted entirely.
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

# NAT on the exterior interface, then pass anything matching existing
# dynamic (keep-state) entries before the static rules below are consulted.
$fwcmd add divert natd all from any to any via ppp0
$fwcmd add check-state

$fwcmd add allow tcp from any to any 80 via ppp0
#port opened for web server - tcp_drop_synfin was removed

# Inbound UDP to this host is dropped; outbound UDP creates state for replies.
$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4

# Inbound TCP connection attempts (setup = SYN) on ppp0 are dropped; outbound
# ones create state, and established connections are allowed through.
$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state

# ICMP on ppp0: echo request out; echo reply and time-exceeded in.
$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

# Explicit logged default deny, just ahead of the implicit final rule 65535.
$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

The main thing that would change for you immediately would be to alter the 
interface of ppp0 to the exterior interface on your box that is facing the 
outside Internet. And in '$fwcmd add allow all from any to any via xl0', xl0 
would be whichever is your interior LAN-facing interface.

Perhaps this example may be useful to you. If you can get something that 
works, and others can find flaws in my approach, it can be improved further. 

-Mike
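The suspicion raised in the reply above, that a rule earlier in the list is passing the traffic before the block rule is reached, comes down to ipfw's first-match ordering. As an added example that is not part of the original mail, this small Python evaluator replays a few constructed packets against a subset of the posted ruleset and reports which rule decides each one; it assumes a non-forwarding host (so via, recv and xmit all refer to the packet's single interface) and only parses the keywords that subset uses.

```python
import ipaddress
# Added example (not from the mail): a first-match evaluator for the ipfw subset used
# above. Assumes no forwarding, so via/recv/xmit all name the packet's one interface.
RULESET = """
add allow all from any to any via xl0
add deny log ip from 192.168.0.0/16 to any in via ppp0
add allow tcp from any to any 80 via ppp0
add deny log tcp from any to any in recv ppp0 setup
add 65435 deny log ip from any to any
"""

def parse_rules(text):
    rules, num = [], 0
    for line in text.strip().splitlines():
        tok = line.split()[1:]                                      # drop "add"
        num = int(tok.pop(0)) if tok[0].isdigit() else num + 100    # ipfw autoinc step
        action = tok.pop(0)
        if tok[0] == "log":                                         # log never affects matching
            tok.pop(0)
        proto, src, i = tok[0], tok[tok.index("from") + 1], tok.index("to") + 1
        dport = int(tok[i + 1]) if len(tok) > i + 1 and tok[i + 1].isdigit() else None
        opts = tok[i + 1 + (dport is not None):]
        rules.append((num, action, proto, src, tok[i], dport, opts))
    return sorted(rules, key=lambda r: r[0])                        # ipfw orders by number

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    _, _, proto, src, dst, dport, o = rule
    if proto not in ("all", "ip", pkt["proto"]) or dport not in (None, pkt.get("dport")):
        return False
    if not (in_net(src, pkt["src"]) and in_net(dst, pkt["dst"])):
        return False
    for kw, d in (("in", "in"), ("out", "out"), ("recv", "in"), ("xmit", "out")):
        if kw in o and pkt["dir"] != d:                             # direction keywords
            return False
    for kw in ("via", "recv", "xmit"):                              # interface keywords
        if kw in o and o[o.index(kw) + 1] != pkt["iface"]:
            return False
    return "setup" not in o or pkt.get("setup", False)              # setup = SYN without ACK

def first_match(rules, pkt):                                        # ipfw stops at the first hit
    return next(((r[0], r[1]) for r in rules if matches(r, pkt)), None)

# Constructed packets (documentation addresses), all arriving inbound on ppp0.
RULES = parse_rules(RULESET)
WEB_SYN = dict(proto="tcp", src="203.0.113.5", dst="198.51.100.7", dport=80, dir="in", iface="ppp0", setup=True)
SSH_SYN = dict(WEB_SYN, dport=22)                                   # hits the "setup" deny at 400
SPOOFED = dict(proto="udp", src="192.168.1.9", dst="198.51.100.7", dport=53, dir="in", iface="ppp0")
```

The inbound SYN to port 80 is decided by the allow at rule 300 and never reaches the deny of inbound setup packets at 400, which is exactly the kind of earlier-rule shadowing the reply describes; running `ipfw show` and watching which rule's packet counter increments gives the same answer on a live system.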