Date:      Fri, 15 Feb 2002 12:22:17 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBSD" <freebsd-questions@FreeBSD.ORG>
Subject:   IPFW check-state rules
Message-ID:  <LPBBIGIAAKKEOEJOLEGOMEKHCHAA.barbish@a1poweruser.com>

My FBSD box is a gateway to a small LAN of 3 winboxes.
I have used a rule set based on the basic established/setup
rules for a simple Stateful Filtering firewall.
I changed my rules to use advanced Stateful Filtering based
on check-state/keep-state. The new rules work fine for everything
originating from the FBSD gateway box, but anything
originating from the LAN needing internet access does not work
and generates this error message:
Failed to write packet back(permission denied).

What am I missing?

Below is my rule set, please review.

fwcmd="/sbin/ipfw"           # assumed: set elsewhere in the original script

oif="tun0"
odns1="208.226.115.111"      # ISP's dns server 1 IP address
odns2="208.226.115.112"      # ISP's dns server 2 IP address
oip="110.170.155.117/24"     # For testing from standalone pc

iif="xl0"                    # Nic card
iip="10.100.100.1/24"        # IP address range for LAN Nic card

${fwcmd} add 00010 divert natd all from any to any via ${oif}

# Internal gateway housekeeping
${fwcmd} add 00100 allow ip from any to any via lo0   # allow all localhost
${fwcmd} add 00110 allow ip from any to any via xl0   # allow all local LAN
${fwcmd} add 00120 allow ip from any to any via tun1  # allow all dialin call 1
${fwcmd} add 00130 allow ip from any to any via tun2  # allow all dialin call 2
${fwcmd} add 00150 deny  ip from any to 127.0.0.0/8   # deny use of localhost IP
${fwcmd} add 00155 deny  ip from 127.0.0.0/8 to any   # deny use of localhost IP

########  outbound section  ############################################

${fwcmd} add 00500 check-state

# Allow out www function
${fwcmd} add 00600 allow tcp  from ${iip} to any 80      out via ${oif} setup keep-state

# Allow out access to my ISP's Domain name server.
${fwcmd} add 00610 allow tcp  from me to ${odns1} 53     out via ${oif} setup keep-state
${fwcmd} add 00611 allow udp  from me to ${odns1} 53     out via ${oif} keep-state
${fwcmd} add 00615 allow tcp  from me to ${odns2} 53     out via ${oif} setup keep-state
${fwcmd} add 00616 allow udp  from me to ${odns2} 53     out via ${oif} keep-state

# Allow out access to internet Domain name server.
${fwcmd} add 00618 allow tcp  from me to any      53     out via ${oif} setup keep-state
${fwcmd} add 00619 allow udp  from me to any      53     out via ${oif} keep-state

# Allow out email function
${fwcmd} add 00630 allow tcp  from me to any 25,110     out via ${oif} setup keep-state

# Allow out FBSD CVSUP function
${fwcmd} add 00640 allow tcp  from me to any 5999       out via ${oif} setup keep-state

# Allow out ping
${fwcmd} add 00650 allow icmp from me to any            out via ${oif} keep-state

# Allow out FTP
${fwcmd} add 00670 allow tcp  from me to any 21         out via ${oif} setup keep-state

# Allow out TELNET
${fwcmd} add 00690 allow tcp  from me to any 23         out via ${oif} setup keep-state

# Allow out Network Time Protocol (NTP) queries
${fwcmd} add 00695 allow udp  from me to any 123        out via ${oif} keep-state

########  inbound section  ############################################

# Allow in & Log TCP FTP login from public internet
${fwcmd} add 00700 allow log tcp from ${oip} to me 21   in via ${oif} setup keep-state

# Allow in ssh function
${fwcmd} add 00710 allow log tcp from ${oip} to me 22   in via ${oif} setup keep-state

# Allow in & Log TCP telnet login
${fwcmd} add 00720 allow tcp from ${oip} to me 23       in via ${oif} setup keep-state

# Allow in www
${fwcmd} add 00730 allow tcp from ${oip} to me 80       in via ${oif} setup keep-state

# This sends a RESET to all ident packets.
${fwcmd} add 00740 reset     tcp from any    to me 113  in via ${oif}

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in your local domain as per CIAC prevention alert.
${fwcmd} add 00745 deny log ip from me to me            in via ${oif}

# Reject & Log all setup of incoming connections from the outside
${fwcmd} add 00800 deny log all from any to any         in via ${oif}

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
${fwcmd} add 05000 deny log logamount 500 ip from any to any
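To make the failure concrete, here is an added Python model of how ipfw dynamic rules interact with natd (it is not ipfw or natd code and is not part of the original post): a keep-state rule records the addresses the packet carries at the moment it matches, so with rule 00010 translating outbound LAN packets before any keep-state rule, the state entry holds the public source, while the reply comes back through natd with the LAN destination restored, finds no matching state at check-state, and falls through to rule 00800, which is the denial natd reports as "permission denied". The public address, LAN client and web server are constructed values; the model compares the posted order with keeping state on the untranslated packet before the outbound divert.

```python
from typing import NamedTuple, Dict, Set


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


LAN_NET = "10.100.100."          # ${iip} from the post
PUBLIC_IP = "110.170.155.117"    # constructed: address natd aliases to on ${oif}
LAN_HOST = "10.100.100.5"        # constructed LAN client
WEB_SERVER = "192.0.2.10"        # constructed remote web server (TEST-NET-1)


def natd_out(f: Flow, table: Dict[tuple, str]) -> Flow:
    """Outbound through natd: a LAN source becomes the public address."""
    if f.src.startswith(LAN_NET):
        table[(PUBLIC_IP, f.sport)] = f.src
        return f._replace(src=PUBLIC_IP)
    return f


def natd_in(f: Flow, table: Dict[tuple, str]) -> Flow:
    """Inbound through natd: the public destination is mapped back to the LAN host."""
    lan = table.get((f.dst, f.dport))
    return f._replace(dst=lan) if lan else f


def check_state(f: Flow, dyn: Set[Flow]) -> bool:
    """Rule 00500: a packet passes if it or its reverse matches a dynamic rule."""
    return f in dyn or f.reverse() in dyn


def reply_accepted(keep_state_before_nat: bool) -> bool:
    """Does the reply to a LAN-originated HTTP request get past check-state?"""
    dyn: Set[Flow] = set()
    table: Dict[tuple, str] = {}
    req = Flow(LAN_HOST, 40000, WEB_SERVER, 80)
    if keep_state_before_nat:
        dyn.add(req)                     # state keyed on the LAN source
        req = natd_out(req, table)
    else:
        req = natd_out(req, table)       # rule 00010 diverts first (as posted)
        dyn.add(req)                     # state keyed on the public source
    reply = Flow(req.dst, 80, req.src, req.sport)   # server answers the public IP
    reply = natd_in(reply, table)                   # rule 00010 translates it back
    return check_state(reply, dyn)   # False: falls to 00800 deny, natd gets EACCES
```

Traffic the gateway itself originates carries the public address on both legs, so its state entries match either way, which is why only LAN-originated connections show the symptom.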