Date: Mon, 24 Oct 2011 10:47:43 +0200
From: Alessandro Spinella <a.spinella@rfc1925.net>
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW
Message-ID: <4EA5262F.4010400@rfc1925.net>
In-Reply-To: <BLU0-SMTP235296774800AA3D588B52193E90@phx.gbl>
References: <BLU0-SMTP235296774800AA3D588B52193E90@phx.gbl>
On 10/22/11 15:56, Carmel wrote:
> I am attempting to set up a firewall using IPFW with a stateful
> behavior.
>
> While I have investigated how to set up these rules, I have run into
> conflicting opinions as to whether to allow or deny "established"
> behavior.
>

Hi Carmel,

The point is: any packet that carries the ACK flag MUST be dropped UNLESS it belongs to an established session, as dictated in a FOLLOWING rule that uses the keep-state keyword. Look at this example:

# generic header
ipfw add pass ip from any to any via lo0
ipfw add deny log ip from any to 127.0.0.0/8
ipfw add deny log ip from 127.0.0.0/8 to any
#ipfw add deny log ip from any to 192.168.0.0/16
ipfw add deny log ip from any to 172.16.0.0/12
ipfw add deny log ip from any to 10.0.0.0/8
ipfw add deny log ip from any to 0.0.0.0/8
ipfw add deny log ip from any to 169.254.0.0/16
ipfw add deny log ip from any to 192.0.2.0/24
ipfw add deny log ip from any to 204.152.64.0/23
ipfw add deny log ip from any to 224.0.0.0/3
ipfw add deny log ip from any to any frag

# allow any pkt with ACK flag set *if and only if* it matches an
# established connection
ipfw add check-state

# and deny all others *claiming* to belong to a "valid" connection
ipfw add deny log tcp from any to A.B.C.D/M established

# router/firewall mgmt exception
ipfw add pass tcp from me to 192.168.43.0/24 33 setup keep-state
ipfw add pass udp from me to 192.168.43.0/24 53,123,514
ipfw add pass tcp from 192.168.43.0/24 to me 22 setup keep-state
ipfw add pass udp from 192.168.43.0/24 123 to me
ipfw add pass udp from 192.168.43.0/24 53 to me
ipfw add pass tcp from 192.168.43.0/24 to 192.168.35.1 23 setup keep-state
ipfw add pass tcp from A.B.C.D/M to 192.168.35.1 23 setup keep-state
ipfw add deny log all from any to 192.168.0.0/16

#
# operational hosts
#

# wikileaks : web + full mail
ipfw add pass tcp from any to A.B.C.E 22 setup keep-state
ipfw add pass tcp from any to A.B.C.E 25 setup keep-state
ipfw add pass tcp from any to A.B.C.E 80 setup keep-state
ipfw add pass tcp from any to A.B.C.E 110 setup keep-state
ipfw add pass tcp from any to A.B.C.E 143 setup keep-state
ipfw add pass tcp from any to A.B.C.E 443 setup keep-state
ipfw add pass tcp from any to A.B.C.E 465 setup keep-state
ipfw add pass tcp from any to A.B.C.E 993 setup keep-state
ipfw add pass tcp from any to A.B.C.E 995 setup keep-state

# jkwolf : dns + ntp
ipfw add pass tcp from any to A.B.C.F 22 setup keep-state
ipfw add pass tcp from G.H.J.K/N to A.B.C.F 53 setup keep-state
ipfw add pass udp from any 1024-65535 to A.B.C.F 53
ipfw add pass udp from any 53 to A.B.C.D/M 1024-65535
ipfw add pass udp from any 123 to A.B.C.D/M 123
ipfw add pass udp from A.B.C.F 1024-65535 to any 53

# generic tail
ipfw add pass tcp from A.B.C.D/M to any setup keep-state
ipfw add pass udp from A.B.C.D/M to any
ipfw add pass icmp from any to A.B.C.D/M icmptypes 0,3,8,11
ipfw add pass icmp from A.B.C.D/M to any icmptypes 0,3,8,11
ipfw add deny log ip from any to any

Alessandro
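To make the ordering argument in the reply concrete, here is an added example that is not part of the thread and is not ipfw code: a small Python model of ipfw's first-match evaluation with a dynamic state table, run over a constructed packet sequence twice, once with check-state ahead of the "established" deny as in the posted ruleset and once with the two swapped. The addresses 203.0.113.0/24 and 203.0.113.10 are assumed stand-ins for the post's A.B.C.D/M and A.B.C.E, the packets are made up, and the model is deliberately simplified: it only consults the dynamic table at an explicit check-state (real ipfw also does so at the first keep-state rule when no check-state precedes it), treats "established" as "ACK set" (ipfw also counts RST), and tracks state per 5-tuple without timeouts.

```python
"""Toy model of ipfw first-match evaluation with a dynamic (stateful) table.

Added example, not ipfw code: just enough semantics to show why
"deny ... established" must sit *after* "check-state".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FW_NET = "203.0.113.0/24"   # assumed stand-in for the post's A.B.C.D/M
WEB = "203.0.113.10"        # assumed stand-in for the post's A.B.C.E


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                 # "pass", "deny" or "check-state"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False         # ipfw 'setup': SYN set, ACK clear
    established: bool = False   # ipfw 'established': ACK set (RST not modelled)
    keep_state: bool = False    # create a dynamic entry when this rule passes


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()    # 5-tuples of flows admitted by a keep-state rule

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _static_match(self, r: Rule, p: Packet) -> bool:
        if r.proto != "ip" and r.proto != p.proto:
            return False
        if not (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)):
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def evaluate(self, p: Packet):
        """Return (action, rule_index) of the first matching rule."""
        for i, r in enumerate(self.rules):
            if r.action == "check-state":
                # A flow already in the dynamic table passes here in either
                # direction; only pass rules create entries in this model.
                if self._key(p) in self.dynamic or self._reverse_key(p) in self.dynamic:
                    return "pass", i
                continue
            if self._static_match(r, p):
                if r.keep_state and r.action == "pass":
                    self.dynamic.add(self._key(p))
                return r.action, i
        return "deny", len(self.rules)   # ipfw's implicit default deny


def correct_ruleset():
    """Core of the posted ruleset: check-state before the 'established' deny."""
    return [
        Rule("check-state"),
        Rule("deny", proto="tcp", dst=FW_NET, established=True),
        Rule("pass", proto="tcp", dst=WEB, dport=80, setup=True, keep_state=True),
        Rule("pass", proto="tcp", src=FW_NET, setup=True, keep_state=True),
        Rule("deny"),
    ]


def misordered_ruleset():
    """Same rules, but the 'established' deny placed ahead of check-state."""
    rules = correct_ruleset()
    rules[0], rules[1] = rules[1], rules[0]
    return rules


def run_scenarios(rules):
    """Feed a constructed packet sequence through the ruleset; return decisions."""
    fw = Firewall(rules)
    scenarios = [
        ("out_syn", Packet("tcp", "203.0.113.5", 40000, "198.51.100.7", 443, syn=True)),
        ("reply",   Packet("tcp", "198.51.100.7", 443, "203.0.113.5", 40000, syn=True, ack=True)),
        ("spoofed", Packet("tcp", "198.51.100.99", 443, "203.0.113.5", 40000, ack=True)),
        ("web_syn", Packet("tcp", "192.0.2.4", 51000, WEB, 80, syn=True)),
        ("ssh_syn", Packet("tcp", "192.0.2.4", 51001, WEB, 22, syn=True)),
    ]
    return {name: fw.evaluate(p)[0] for name, p in scenarios}


if __name__ == "__main__":
    for label, rs in (("correct", correct_ruleset()), ("misordered", misordered_ruleset())):
        print(label, run_scenarios(rs))
```

With the posted order, the outbound SYN creates state, the SYN/ACK reply is admitted by check-state, and the bare ACK from an address with no state is logged and dropped by the "established" deny. With the deny moved ahead of check-state, the legitimate reply is dropped too, because the deny matches on the ACK flag before the dynamic table is ever consulted; that is the failure the reply's "FOLLOWING rule" wording is warning about.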