Date:      Sun, 5 Feb 2012 17:14:13 +0200
From:      Коньков Евгений <kes-kes@yandex.ru>
To:        Bill Tillman <btillman99@yahoo.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: HowTo easy use IPFW
Message-ID:  <675283668.20120205171413@yandex.ru>
In-Reply-To: <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>
References:  <67410574.20120202113314@yandex.ru> <4F2E274F.6000601@freebsd.org> <4F2E2C97.7000400@freebsd.org> <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>


Hello, Bill.

You wrote on 5 February 2012 at 14:05:13:

BT> From: Julian Elischer <julian@freebsd.org>
BT> To: Коньков Евгений <kes-kes@yandex.ru> 
BT> Cc: freebsd-net@freebsd.org; freebsd-questions@freebsd.org 
BT> Sent: Sunday, February 5, 2012 2:15 AM
BT> Subject: Re: HowTo easy use IPFW

BT> On 2/4/12 10:53 PM, Julian Elischer wrote:
>> On 2/2/12 1:33 AM, Коньков Евгений wrote:
>>> this is the mine script which helps me keep my firewall very clean and safe.
>>> 
>>> It is easy to understand even if you have thousands of rules, I think
>>> 
>>> please comment.
>>> 
>>> PS. If anybody may, please put into ports tree. thank you.
>> 
>> it would probably get more response if it was in a file format we had heard of.. like tar..
>> 
>> is a ".rar" file?
BT> BTW the "stuffit" expander on a Mac seems to be able to handle it..

BT> I can see that this would allow you to manage very complex rule
BT> sets while keeping errors under control.

BT> I find the syntax hard to follow, however.
BT> I guess that comes from it being a relatively simple perl script doing the work.

BT> it would be nice to get rid of the line numbers entirely in the specifications
BT> and allow the program to completely specify them using symbolic definitions instead.



BT> *.rar files have been around a long time. They are created by a
BT> program called Winrar. I never understood the need for this because
BT> ever since M$ started including support for zip files built right
BT> into Windows Explorer there's no need for an additional compression
BT> utility. There are some studies which show Winrar is a little more
BT> efficient with its compression but with today's 2 TB hard drive
BT> prices, disk space is not such a premium anymore. FreeBSD actually
BT> has a port for it, "/usr/ports/archivers/rar". I have found that
BT> this program is mostly used by hackers on the bittorrent sites who
BT> steal and distribute copyrighted software and transmit trojans and
BT> viruses so it's been my habit to avoid rar files. If someone I
BT> trust sends it I will open it but I don't plan on opening up this
BT> guy's ipfw rule set for that very reason. The other reason is that
BT> any rule set with 1,000 lines in it has got to be overkill. The
BT> simplest advice I could offer here is this:

BT> The only truly safe firewall ruleset consists of one rule and that is:

BT>  deny all from any to any

BT> If you must have Internet access, and we all do then the next simplest rule set would be:

BT> Build your kernel to have IPFW deny all traffic by default
BT> Allow only the ports you deem necessary for your needs
BT> Deny all other traffic

BT> After you've examined your log files for a few weeks, turn off
BT> logging because it's usually just a bunch of crap from IP
BT> addresses in China, Amsterdam, or maybe an odd one here and there
BT> coming from another source, trying to hack into your computer. I
BT> have found over many years that it doesn't pay anything to know
BT> about all the attempted attacks. It only pays to stop them cold
BT> and the above simple rule set will do just that.

yes, and I suggest the same thing: first deny all and then allow only those
packets you want to pass. so I have the following default rules:
65500     deny log ip from any to any
65535     deny ip from any to any

but for a router which has many interfaces and which has flat
firewall rules it is hard to keep it clean. My script allows
separating the rules for each interface into its own file.

Simple example:
allow any traffic through vlan153

cat f_vlan153
#################
GOSUB
 099 SPLIT



#################
#IN  TRAFIC (100-499)
 490 allow in recv $iface


#################
#out  TRAFIC (500-899)
 890 allow out xmit $iface



#################
# >=900 rules are reserved for other stuff
will be expanded as:
00999   skipto 8000 ip from any to any via vlan153
08099   skipto 8100 ip from any to any in recv vlan153
08099   skipto 8500 ip from any to any out xmit vlan153
08099   deny log ip from any to any via vlan153
08099   skipto 65000 ip from any to any
08490   allow ip from any to any in recv vlan153
08499   deny log ip from any to any via vlan153
08499   skipto 65000 ip from any to any
08890   allow ip from any to any out xmit vlan153
08899   deny log ip from any to any via vlan153
08899   skipto 65000 ip from any to any

and more complex:
NAT packets that are going through vlan407, queue incoming traffic so
each host in the LAN will be shaped to 2Mbit/s, for example.
Allow some subnet and host from the LAN to access the internet:
 10.12.50.0/24 and 10.11.43.58

I.N.E.T - your external IP like '155.7.43.16'

cat f_pipes
c pipe 52 config bw 2097152bit/s mask dst-ip 0xffffffff gred 0.002/10/30/0.1
c queue 52 config pipe 12 queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1

cat f_vlan407
NAT ip I.N.E.T unreg_only reset


#################
GOSUB
 099 SPLIT



#################
#IN  TRAFIC (100-499)
 256 NAT all from any to I.N.E.T in recv $iface
 275 queue 52 all from any to any in recv $iface
 490 allow in recv $iface


#################
#out  TRAFIC (500-899)

 757 NAT 101 all from 10.12.50.0/24 to any out xmit $iface
 758 NAT 101 all from 10.11.8.12 to any out xmit $iface
 890 allow out xmit $iface



#################
# >=900 rules are reserved for other stuff

will be expanded as:
00999  skipto 23000 ip from any to any via vlan407
23099  skipto 23100 ip from any to any in recv vlan407
23099  skipto 23500 ip from any to any out xmit vlan407
23099  deny log ip from any to any via vlan407
23099  skipto 65000 ip from any to any
23256  nat 101 ip from any to I.N.E.T in recv vlan407
23275  queue 52 ip from any to any in recv vlan407
23490  allow ip from any to any in recv vlan407
23499  deny log ip from any to any via vlan407
23499  skipto 65000 ip from any to any
23757  nat 101 ip from 10.12.50.0/24 to any out xmit vlan407
23758  nat 101 ip from 10.11.8.12 to any out xmit vlan407
23890  allow ip from any to any out xmit vlan407
23899  deny log ip from any to any via vlan407
23899  skipto 65000 ip from any to any

# ipfw nat show config
ipfw nat 101 config ip I.N.E.T unreg_only reset

-- 
Regards,
 Коньков                          mailto:kes-kes@yandex.ru
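The expansion the two examples in this message illustrate, as an added example that is not the author's Perl script or anything from the original thread: a small Python reimplementation whose rules (local number N becomes BASE+N, SPLIT at 099 dispatches in/out traffic, every section closes with "deny log" plus "skipto 65000", "all" and a missing address spec become "ip from any to any") are reconstructed from the quoted expansions. The base numbers (8000, 23000) and the NAT instance number 101 are passed in as parameters, since the message does not say how the script chooses them.

```python
import re

# Semantics reconstructed from the expansions quoted above (an assumption, not the
# author's Perl): local rule N lands at BASE+N, "SPLIT" at 099 dispatches in/out
# traffic to the 100- and 500- sections, and "deny log" + "skipto 65000" closes each.
TAIL = 65000

def expand_iface(iface, base, text, nat_id=None):
    """Expand one per-interface rule file; returns (rules, nat config line or None)."""
    rules = [(999, f"skipto {base} ip from any to any via {iface}")]
    nat_config = None
    def close(n):  # end of a section: log-and-drop, then jump to the shared tail
        return [(base + n, f"deny log ip from any to any via {iface}"),
                (base + n, f"skipto {TAIL} ip from any to any")]

    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "GOSUB":
            continue
        if line.startswith("NAT "):  # NAT declaration at the top of the file
            nat_config = f"ipfw nat {nat_id} config {line[4:]}"
            continue
        num, body = line.split(None, 1)
        if body == "SPLIT":
            rules += [(base + int(num), f"skipto {base + 100} ip from any to any in recv {iface}"),
                      (base + int(num), f"skipto {base + 500} ip from any to any out xmit {iface}")]
            rules += close(int(num))
            continue
        body = body.replace("$iface", iface)
        body = re.sub(r"^NAT(?! \d)", f"nat {nat_id}", body)  # bare NAT = declared instance
        body = re.sub(r"^NAT (\d+)", r"nat \1", body)
        body = re.sub(r"^(\S+(?: \d+)?) all from", r"\1 ip from", body)  # "all" -> "ip"
        if " from " not in body:  # no address spec given: match everything
            body = re.sub(r"^(\S+(?: \d+)?) ", r"\1 ip from any to any ", body)
        rules.append((base + int(num), body))
    rules += close(499) + close(899)
    rules.sort(key=lambda r: r[0])  # stable: same-number rules keep file order
    return [f"{n:05d}  {r}" for n, r in rules], nat_config

# Constructed copies of the two files quoted in the message (comments and 758 dropped).
F_VLAN153 = "GOSUB\n 099 SPLIT\n 490 allow in recv $iface\n 890 allow out xmit $iface\n"
F_VLAN407 = """NAT ip I.N.E.T unreg_only reset
GOSUB
 099 SPLIT
 256 NAT all from any to I.N.E.T in recv $iface
 275 queue 52 all from any to any in recv $iface
 490 allow in recv $iface
 757 NAT 101 all from 10.12.50.0/24 to any out xmit $iface
 890 allow out xmit $iface
"""
```

Running `expand_iface("vlan153", 8000, F_VLAN153)` reproduces the eleven vlan153 rules shown in the message; the vlan407 file additionally yields the `ipfw nat 101 config` line.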