Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 11 Jun 2004 14:44:11 -0400
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Freebsd-Ipfw@Freebsd. Org" <freebsd-ipfw@freebsd.org>, "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Cc:        freebsd-ipfw.20.openmacews@spamgourmet.com
Subject:   ipfw + natd + stateful rules. For the archives
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEOFGBAA.fbsd_user@a1poweruser.com>
In-Reply-To: <40C8EA33.2040205@nyc.rr.com>

next in thread | previous in thread | raw e-mail | index | archive | help
For the list's archives.

Here is everything you need for ipfw/natd/stateful.

Add these statements to kernel source and compile kernel to enable

# Enable kernel IPFW.
#
option          IPFIREWALL                  # Adds filtering code
into kernel
option          IPFIREWALL_VERBOSE          # enable logging thru
syslogd(8)
option          IPFIREWALL_VERBOSE_LIMIT=5  # stop attack via syslog
flooding
option          IPDIVERT                    # needed to use natd
from IPFW



/etc/rc.conf
# Required For IPFW  kernel firewall support
firewall_enable="YES"              # Start daemon
firewall_script="/etc/ipfw.rules"  # run my custom rules if present
                                   # sh /etc/ipfw.rules will load
                                   # new rules file after editing.
firewall_logging="YES"             # Enable events logging
natd_enable="YES"                  # Required For IPFW nat function
natd_interface="rl0"               # interface name of public
internet Nic
natd_flags="-dynamic -m"           #-m = preserve port numbers if
possible



Here is the /etc/ipfw.rules  file without comments.


#!/bin/sh

cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"

ipfw -q -f flush

$cmd 002 allow all from any to any via xl0  # exclude Lan traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback
traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any  out via $pif
$cmd 135 $skip udp from any to any 123 out via $pif $ks


# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918
private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918
private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918
private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP
auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved
for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun
cluster interconnect
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D
& E multicast

# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit
src-addr 1
$cmd 425 allow icmp from any to any icmptypes 0,3,11,12  in via $pif


$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

######################## end of rules  ##################





Here is the /etc/ipfw.rules  file with comments.

#!/bin/sh

################ Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of Nic card
              # facing the public internet



#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup
keep-state
$cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif
keep-state

# Allow out access to my ISP's DHCP server for cable/DSL
configurations.
$cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif
keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid
root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918
private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918
private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918
private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP
auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved
for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun
cluster interconnect
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D
& E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif
keep-state

# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit
src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit
src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit
src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit
src-addr 2

# Allow in icmp responces
$cmd 390 allow icmp from any to any icmptypes 0,3,11,12  in via $pif

# Reject & Log all unauthorized incoming connections from the public
internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public
internet
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any



################ End of IPFW rules file
###############################










Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGEEOFGBAA.fbsd_user>