From owner-freebsd-security Mon Oct 1 16:59:48 2001
Delivered-To: freebsd-security@freebsd.org
From: "Ilya"
Subject: 2 questions about ipfw
Date: Mon, 1 Oct 2001 20:01:21 -0400
Message-ID: <006001c14ad5$5e5283c0$0100a8c0@ilya>
References: <20010929223004.M70637@mh57.net> <20011001133249.D304@blossom.cjclark.org>

I have a FreeBSD natd box with two interfaces (external ed0 and internal fxp0). I found a dynamic ipfw example by Peter Brezny, and it seems to work pretty well, except that nothing gets to rule number 2700. But if I move that rule before the divert, the whole LAN loses its connection to the internet. And any place after that gets 0 hits. Any suggestions on how to make this ruleset more efficient/secure?
Thank you.

PS: Thank you, Peter, for providing your ruleset to the public.

ipfw show | more
00100 7466 518126 allow ip from any to any via lo0
00200 0 0 deny log logamount 200 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 200 ip from 192.168.0.0/24 to any in recv ed0
00400 0 0 deny log logamount 200 ip from not 192.168.0.0/24 to any in recv fxp0
00500 0 0 deny log logamount 200 ip from 192.168.0.0/16 to any in recv ed0
00600 0 0 deny log logamount 200 ip from 172.16.0.0/12 to any in recv ed0
00700 0 0 deny log logamount 200 ip from 10.0.0.0/8 to any in recv ed0
00800 0 0 deny log logamount 200 ip from any to 192.168.0.0/16 in recv ed0
00900 0 0 deny log logamount 200 ip from any to 172.16.0.0/12 in recv ed0
01000 0 0 deny log logamount 200 ip from any to 10.0.0.0/8 in recv ed0
01100 0 0 deny log logamount 200 ip from 0.0.0.0/8 to any in recv ed0
01200 0 0 deny log logamount 200 ip from 169.254.0.0/16 to any in recv ed0
01300 0 0 deny log logamount 200 ip from 192.0.2.0/24 to any in recv ed0
01400 0 0 deny log logamount 200 ip from 224.0.0.0/4 to any in recv ed0
01500 0 0 deny log logamount 200 ip from 240.0.0.0/4 to any in recv ed0
01600 0 0 deny log logamount 200 ip from any to 0.0.0.0/8 in recv ed0
01700 0 0 deny log logamount 200 ip from any to 169.254.0.0/16 in recv ed0
01800 0 0 deny log logamount 200 ip from any to 192.0.2.0/24 in recv ed0
01900 0 0 deny log logamount 200 ip from any to 224.0.0.0/4 in recv ed0
02000 0 0 deny log logamount 200 ip from any to 240.0.0.0/4 in recv ed0
02100 427386 189325029 divert 8668 ip from any to any via ed0
02200 390818 343974531 allow tcp from any to any established
02300 34 1808 allow tcp from any to $myexternalip 22,80,443,25 setup
02400 3438 192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
02500 1 58 allow udp from any 53 to $myexternalip 53
02600 55 3365 allow udp from any 1024-65535 to $myexternalip
02700 0 0 check-state
02800 177231 9731222 allow ip from $myexternalip to any keep-state out xmit ed0
02900 290474 27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
65534 56 3788 deny log logamount 200 ip from any to any in recv ed0
65535 56 18207 allow ip from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
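A small checker for `ipfw show` output, added here as an example and not part of the post or of Peter Brezny's ruleset. It parses the counters, lists rules that have never matched, finds the point at which ipfw consults its dynamic rules (the `check-state` rule, or the first `keep-state` rule when there is no `check-state`, as ipfw(8) documents), and flags any `allow tcp ... established` rule placed ahead of that point: ipfw stops at the first matching rule, so a TCP reply accepted by such a rule never reaches `check-state`, which is one reason a `check-state` rule can sit at 0 hits. The embedded sample is a subset of the lines from the post above; `$myexternalip` is the poster's own placeholder, and the function names are mine.

```python
import re

# Constructed sample: a subset of the `ipfw show` lines from the post above,
# kept in the poster's order; $myexternalip is the poster's own placeholder.
SAMPLE_IPFW_SHOW = """\
00100 7466 518126 allow ip from any to any via lo0
00200 0 0 deny log logamount 200 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 200 ip from 192.168.0.0/24 to any in recv ed0
02100 427386 189325029 divert 8668 ip from any to any via ed0
02200 390818 343974531 allow tcp from any to any established
02300 34 1808 allow tcp from any to $myexternalip 22,80,443,25 setup
02400 3438 192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
02700 0 0 check-state
02800 177231 9731222 allow ip from $myexternalip to any keep-state out xmit ed0
02900 290474 27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
65534 56 3788 deny log logamount 200 ip from any to any in recv ed0
65535 56 18207 allow ip from any to any
"""

# `ipfw show` prints: <rule number> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_rules(text):
    """Parse `ipfw show` output into (number, packets, bytes, body) tuples, in rule order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("not an `ipfw show` rule line: %r" % line)
        num, pkts, nbytes, body = m.groups()
        rules.append((int(num), int(pkts), int(nbytes), body))
    return rules


def unhit_rules(rules):
    """Rule numbers whose packet counter is still zero."""
    return [num for num, pkts, _, _ in rules if pkts == 0]


def check_state_position(rules):
    """Rule number at which dynamic (keep-state) entries are consulted: the
    check-state rule if there is one, else the first keep-state rule (ipfw(8)).
    Returns None for a ruleset with no stateful rules at all."""
    for num, _, _, body in rules:
        if body.split()[0] == "check-state":
            return num
    for num, _, _, body in rules:
        if "keep-state" in body.split():
            return num
    return None


def established_before_check_state(rules):
    """Numbers of `allow tcp ... established` rules that precede the check-state
    point. ipfw stops at the first matching rule, so TCP replies accepted by
    these rules never reach check-state and never bump its counter."""
    cs = check_state_position(rules)
    if cs is None:
        return []
    hits = []
    for num, _, _, body in rules:
        if num >= cs:
            break
        words = body.split()
        if words[0] == "allow" and "established" in words:
            hits.append(num)
    return hits


def report(text):
    """Summary as a string (returned, not printed, so it can be checked)."""
    rules = parse_rules(text)
    lines = ["%d rules parsed" % len(rules)]
    lines.append("zero-hit rules: %s" % (unhit_rules(rules) or "none"))
    cs = check_state_position(rules)
    lines.append("dynamic rules consulted at: %s" % ("rule %05d" % cs if cs is not None else "never (stateless ruleset)"))
    for num in established_before_check_state(rules):
        lines.append("rule %05d accepts established TCP ahead of rule %05d; replies it matches never reach check-state" % (num, cs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IPFW_SHOW))
```

Run it against live output with `ipfw show | python3 thischeck.py` after swapping `SAMPLE_IPFW_SHOW` for `sys.stdin.read()`; the zero-hit list is only meaningful after the counters have had traffic to accumulate, and a `deny` rule at 0 hits is usually good news rather than a misordering.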