From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Mon, 21 May 2012 12:36:10 -0400
Subject: Re: ipfw subnetting

Paul Macdonald wrote:

[snip]

It has been many years since I used IPFW as I moved on to IPFILTER, and then on to PF, which is what I use now.
I don't even recall exactly why I chose to utilize both, setting directionality of flow per specific interface. I suspect that somehow there is some rule occurring prior to your block rule that is somehow allowing the traffic to pass.

Bear in mind the following ruleset (specified in /etc/rc.conf via firewall_script="/etc/firewall/fwrules") is for a tributary end-point using a ppp dialup modem connection. It may not be suitable for a proper network to network firewall. I used it for years, and as far as I know it worked well (I am not an expert). It is also doing NAT, which you may not be doing (that would just be one line difference in any case, the "DIVERT" line).

# Firewall rules
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

$fwcmd add divert natd all from any to any via ppp0
$fwcmd add check-state

$fwcmd add allow tcp from any to any 80 via ppp0  # port opened for web server - tcp_drop_synfin was removed
$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4
$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state
$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

The main thing that would change for you immediately would be to alter the interface of ppp0 to the exterior interface on your box that is facing the outside Internet. And '$fwcmd add allow all from any to any via xl0' <- here xl0 would be whichever is your interior LAN facing interface.

Perhaps this example may be useful to you. If you can get something that works and others can find flaws in my approach it can be improved further.

-Mike
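Added example, not from Mike's mail or FreeBSD itself: a small Python model of ipfw first-match evaluation for a subset of the syntax used above, showing why rule order and the in/out interface qualifiers decide whether a later deny ever fires (a forwarded packet is evaluated once inbound and once outbound). The ruleset subset, the packet and the default-deny policy are assumptions for the model, and 'via' on the outbound pass is modelled as testing the transmit interface.

```python
import ipaddress
# Parse a subset of ipfw syntax (assumption for this example):
#   action [log] proto from SRC to DST [in|out] [via|recv|xmit IFACE]; other options are skipped
def parse_rule(line):
    toks = [t for t in line.split() if t != "log"]        # 'log' is only a flag
    r = {"action": toks[0], "proto": toks[1], "src": "any", "dst": "any",
         "dir": None, "ifmode": None, "iface": None}
    for i, t in enumerate(toks):
        if t == "from": r["src"] = toks[i + 1]
        elif t == "to": r["dst"] = toks[i + 1]
        elif t in ("in", "out"): r["dir"] = t
        elif t in ("via", "recv", "xmit"): r["ifmode"], r["iface"] = t, toks[i + 1]
    return r

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

# pkt keys: proto, src, dst, dir ('in'/'out'), recv (ingress iface), xmit (egress iface or None).
def rule_match(r, pkt):
    if r["proto"] not in ("all", "ip", pkt["proto"]): return False
    if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])): return False
    if r["dir"] and r["dir"] != pkt["dir"]: return False
    if r["iface"]:  # 'via' tests the egress iface on the out pass, the ingress iface on the in pass
        side = r["ifmode"] if r["ifmode"] != "via" else ("xmit" if pkt["dir"] == "out" else "recv")
        if pkt[side] != r["iface"]: return False
    return True

# ipfw stops at the first matching rule: returns (1-based rule number, action).
def first_match(rules, pkt):
    for n, line in enumerate(rules, 1):
        r = parse_rule(line)
        if rule_match(r, pkt):
            return n, r["action"]
    return None, "deny"                    # default rule 65535 denies (assumed kernel default)

# A forwarded packet is checked twice: inbound on recv_if, then outbound on xmit_if.
def forward(rules, pkt, recv_if, xmit_if):
    trace = []
    for d, x in (("in", None), ("out", xmit_if)):
        n, act = first_match(rules, dict(pkt, dir=d, recv=recv_if, xmit=x))
        trace.append((d, n, act))
        if act != "allow":                 # dropped on this pass; the out pass never runs
            break
    return trace
# Subset of the mail's ruleset in its original order (NAT and state rules omitted).
MAIL_RULES = ["allow all from any to any via lo0", "allow all from any to any via xl0",
              "deny log ip from any to 10.0.0.0/8 in via ppp0",
              "allow tcp from any to any out xmit ppp0 setup keep-state", "deny log ip from any to any"]
# Constructed packet: a LAN host in 192.168.2.0/24 opening a web connection out through ppp0.
LAN_PKT = {"proto": "tcp", "src": "192.168.2.7", "dst": "203.0.113.9"}
```

Placing a deny for that LAN subnet written as "in via xl0" after the "allow all via xl0" rule never fires (rule 2 wins the inbound pass and the outbound pass only sees "out" rules), whereas the same deny placed first, or written as "out via ppp0", does.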