Date:      Sun, 27 Feb 2005 09:33:48 -0300
From:      "Adolfo B. Ferreira" <bitchat@hotpop.com>
To:        freebsd-questions@freebsd.org
Subject:   Firewall
Message-ID:  <1109507628.927.4.camel@notebook>


Hi,

I set up a firewall on my FreeBSD box using ipfw.conf and it's working
fine.
I'm running an SMTP server on my firewall (I know it's not recommended)
and all my services are working fine, but SMTP is not receiving incoming
connections from outside (the internet).
I would like to show my ipfw rules and get some answer why it's not
working.
Thanks guys, here is my firewall:

# QoS: LAN 
pipe 10 config mask src-ip 0xfffffff0 bw 40Kbit/s # LAN Upload 
pipe 20 config mask dst-ip 0xfffffff0 bw 20Kbit/s # Lan Download

# QoS: SERVICES
pipe 30 config bw 120Kbit/s queue 6Kbytes # FTP
pipe 40 config mask bw 75Kbit/s # SMTP
pipe 50 config mask bw 70Kbit/s # DNS TCP
pipe 60 config mask bw 300Kbit/s queue 20Kbytes # WEB / SSL
pipe 70 config mask bw 75Kbit/s # POP3

# DEVICE: lo0
add 100 allow all from any to any via lo0
add 101 allow tcp from any to 127.0.0.1 110
add 102 deny ip from any to 127.0.0.0/8

# LAN: NAT
add 200 divert natd ip from any to any in via rl0

# LAN: IN
add 300 allow tcp from 10.1.1.0/28 to 10.1.1.1 22,139,445 in via vr0
add 400 allow udp from 10.1.1.0/28 to 10.1.1.1 137,138 in via vr0

# CHECK STATE
add 500 check-state

# DNS: SYNC
add 600 allow ip from any to any 53 via rl0 
add 601 allow ip from any 53 to any via rl0 

# DHCP: CLIENT
add 700 allow udp from any to 10.12.0.1 67 out via rl0

# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root

# LAN: OUT
add 900 skipto 2000 tcp from any to any 80      out via rl0 setup keep-state
add 901 skipto 2000 tcp from any to any 443     out via rl0 setup keep-state
add 902 skipto 2000 tcp from any to any 25      out via rl0 setup keep-state
add 903 skipto 2000 tcp from any to any 110     out via rl0 setup keep-state
add 905 skipto 2000 icmp from any to any        out via rl0 icmptypes 8
add 906 skipto 2000 tcp from any to any 20,21   out via rl0 setup keep-state
add 907 skipto 2000 tcp from any to any 43      out via rl0 setup keep-state
add 909 skipto 2000 tcp from any to any 1755    out via rl0 setup keep-state
add 910 skipto 2000 tcp from any to any 1863    out via rl0 setup keep-state
add 911 skipto 2000 tcp from any to any 2222    out via rl0 setup keep-state
add 912 skipto 2000 tcp from any to any 6667    out via rl0 setup keep-state

#add 913 skipto 2000 tcp from any to any 1-4000 out via rl0 setup keep-state

# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0
add 1100 allow icmp from any to any in via rl0 icmptypes 0

# ICMP: BLOCK PING
add 1101 prob 0.2 allow icmp from any to 201.6.24.17 in via rl0 icmptypes 8
add 1102 prob 0.2 allow icmp from 201.6.24.17 to any out via rl0 icmptypes 0

# LAN: RFC
add 1200 deny all from 192.168.0.0/16  to any in via rl0
add 1220 deny all from 172.16.0.0/12   to any in via rl0
add 1240 deny all from 127.0.0.0/8     to any in via rl0
add 1250 deny all from 0.0.0.0/8       to any in via rl0
add 1260 deny all from 169.254.0.0/16  to any in via rl0
add 1270 deny all from 192.0.2.0/24    to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3     to any in via rl0

# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0

# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0

# DHCP: CLIENT
add 1500 allow udp from 10.12.0.1 to any 68 in via rl0 keep-state

# INTERNET: SERVICES IN
add 1600 pipe 30 ip from any to 201.6.24.17 20,21 in via rl0 setup limit src-addr 2
add 1601 pipe 40 tcp from any to 201.6.24.17 25 in via rl0
add 1602 pipe 50 ip from any to 201.6.24.17 53 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.24.17 80,443 in via rl0 setup limit src-addr 2
add 1604 pipe 70 tcp from any to 201.6.24.17 995 in via rl0 setup limit src-addr 2

# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0

# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any




Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Phone: 11 50628877
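A way to check a ruleset like the one posted, added here as an example and not part of the original message: a small Python model of ipfw rule evaluation that traces an inbound TCP three-way handshake on rl0 through the TCP-relevant rules above and reports which rule disposes of each segment. It models only the options the trace needs (direction and interface, destination port, `setup`, `established`, `keep-state`/`limit`, `check-state`, `skipto`, `divert`, `pipe`) and assumes `net.inet.ip.fw.one_pass=1`, the FreeBSD default, under which a packet handed to a pipe is accepted without further rule evaluation; the UDP, ICMP and LAN-side rules are left out because they cannot match TCP on rl0, and the client address is a constructed test-net value. Under those assumptions the model reports, for port 80, a dynamic entry created by rule 1603 (`limit src-addr 2`) that `check-state` at rule 500 matches for the server's SYN-ACK and the client's ACK, while for port 25 rule 1601 has no `limit` or `keep-state`, so the SYN is accepted but the SYN-ACK falls through to `deny log` rule 1800 and the client's ACK is caught by the `established` deny at rule 1400. On the real box the `deny log` rules 1800 and 1900 record those drops when ipfw logging is enabled, and `ipfw -d list` shows which dynamic entries exist.

```python
"""Trace TCP segments through the TCP-relevant subset of the posted ipfw rules.

Added example, not from the original post. Simplified model: assumes
net.inet.ip.fw.one_pass=1 (FreeBSD default), so 'pipe' accepts the packet.
"""
from dataclasses import dataclass

SERVER = "201.6.24.17"    # public address from the post
CLIENT = "198.51.100.7"   # constructed test-net client address


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    iface: str
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    num: int
    action: str            # allow / deny / pipe / divert / skipto / check-state
    dports: tuple = ()     # empty tuple matches any destination port
    direction: str = ""    # "", "in" or "out"
    iface: str = ""
    src_me: bool = False   # "from me"
    setup: bool = False    # SYN set and ACK clear
    established: bool = False  # ACK set (ipfw also counts RST; omitted here)
    stateful: bool = False # keep-state or limit: installs a dynamic entry
    target: int = 0        # skipto destination


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}  # flow 4-tuple -> number of the rule that created it

    @staticmethod
    def _keys(p):
        # forward and reverse flow keys: dynamic entries match both directions
        return ((p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport))

    def _matches(self, r, p):
        if r.dports and p.dport not in r.dports:
            return False
        if r.direction and r.direction != p.direction:
            return False
        if r.iface and r.iface != p.iface:
            return False
        if r.src_me and p.src != SERVER:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def evaluate(self, p):
        """Return (verdict, rule number) for one TCP segment."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                for k in self._keys(p):
                    if k in self.dynamic:       # parent rule's action applies
                        return ("allow", self.dynamic[k])
                i += 1
                continue
            if not self._matches(r, p):
                i += 1
                continue
            if r.stateful:
                self.dynamic[self._keys(p)[0]] = r.num
            if r.action in ("allow", "deny"):
                return (r.action, r.num)
            if r.action == "pipe":              # one_pass=1: accepted after shaping
                return ("allow", r.num)
            if r.action == "divert":            # natd reinjects at the next rule
                i += 1
                continue
            if r.action == "skipto":
                i = next((j for j, x in enumerate(self.rules) if x.num >= r.target),
                         len(self.rules))
        return ("deny", 65535)                  # implicit default rule


def posted_ruleset():
    """The rules from the post that can match TCP on rl0, same numbers as posted."""
    outbound = [(900, 80), (901, 443), (902, 25), (903, 110), (906, 20), (906, 21),
                (907, 43), (909, 1755), (910, 1863), (911, 2222), (912, 6667)]
    rules = [Rule(200, "divert", direction="in", iface="rl0"),
             Rule(500, "check-state"),
             Rule(800, "allow", direction="out", iface="rl0", src_me=True,
                  setup=True, stateful=True)]
    rules += [Rule(n, "skipto", dports=(port,), direction="out", iface="rl0",
                   setup=True, stateful=True, target=2000) for n, port in outbound]
    rules += [Rule(1400, "deny", direction="in", iface="rl0", established=True),
              Rule(1600, "pipe", dports=(20, 21), direction="in", iface="rl0",
                   setup=True, stateful=True),
              Rule(1601, "pipe", dports=(25,), direction="in", iface="rl0"),
              Rule(1602, "pipe", dports=(53,), direction="in", iface="rl0",
                   setup=True, stateful=True),
              Rule(1603, "pipe", dports=(80, 443), direction="in", iface="rl0",
                   setup=True, stateful=True),
              Rule(1604, "pipe", dports=(995,), direction="in", iface="rl0",
                   setup=True, stateful=True),
              Rule(1800, "deny", direction="out", iface="rl0"),
              Rule(1900, "deny", direction="in", iface="rl0"),
              Rule(2000, "divert", direction="out", iface="rl0"),
              Rule(2001, "allow")]
    return Firewall(rules)


def trace_handshake(fw, dport):
    """Client SYN in, server SYN-ACK out, client ACK in: one verdict per segment."""
    syn = Packet(CLIENT, 40000, SERVER, dport, "in", "rl0", syn=True)
    synack = Packet(SERVER, dport, CLIENT, 40000, "out", "rl0", syn=True, ack=True)
    ack = Packet(CLIENT, 40000, SERVER, dport, "in", "rl0", ack=True)
    return [fw.evaluate(p) for p in (syn, synack, ack)]


if __name__ == "__main__":
    for port in (25, 80):
        print(port, trace_handshake(posted_ruleset(), port))
```

The model deliberately ignores NAT translation, the `uid root` option on rule 800 and the `prob`/ICMP rules, so it says nothing about traffic other than TCP arriving on rl0; the verdict it gives for a segment should be confirmed against the box's own ipfw log before changing the rules.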