Date: Thu, 01 Nov 2007 15:04:35 +0100 From: deeptech71@gmail.com To: freebsd-questions@freebsd.org Subject: Please check my IPFW ruleset Message-ID: <4729DCF3.4000407@gmail.com>
next in thread | raw e-mail | index | archive | help
[resending, doesn't seem to have gotten through] I'm making some ipfw rules, and I would appreciate if someone could check these for me. My intention is to create a replacement for a hardware router, which basically works by allowing all outbound traffic, blocking all unauthorized/unrequested inbound traffic, and has a setting (the so called DMZ) to redirect all the unauthorized/unrequested packets to a local computer. Plus I want to add something like remote telnet/ssh capabilities to override the DMZ. ::::::::::::::::::::| ipfw.rules |:::::::::::::::::::: #!/bin/sh dns="195.228.240.249,195.228.242.180" lan="192.168.123.0/24" ext="tun0" int="rl0" ipfw="ipfw -q" add="$ipfw add" allow="$add allow" block="$add deny" nat="$add divert natd" check="$add check-state" pipe="$add pipe" fa="from any" ta="to any" fata="$fa $ta" reserved="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3" ######################################## $ipfw -f flush $allow all $fata via lo0 $allow all $fata via $int ##### INBOUND ##### $block all $fa to $reserved in via $ext # ISP fuckup? $nat all $fata in via $ext $check $block all $fata frag in via $ext $block tcp $fata established in via $ext $block all from $reserved in via $ext # :: DEFINE SOME INBOUND SERVICES HERE :: #$allow tcp $fa to me 80 in via $ext setup limit src-addr 4 #$allow tcp $fa to me 22 in via $ext setup limit src-addr 4 #$allow tcp $fa to me 23 in via $ext setup limit src-addr 4 $block all $fata in via $ext ##### OUTBOUND ##### # :: DEFINE SOME RESTRICTIONS HERE ? :: $nat tcp $fata out via $ext setup keep-state $nat all $fata out via $ext keep-state $allow all $fata out via $ext $block $fata ::::::::::::::::::::| eof ipfw.rules |:::::::::::::::::::: OK, questions... # ISP fuckup? - does it make sense to defend against my ISP hacking me? What does "divert natd" actually do? Does it only change the IP header? Can I move the three lines $block all $fata frag in via $ext $block tcp $fata established in via $ext $block all from $reserved in via $ext to ahead of $nat all $fata in via $ext ? I'm curious about this one: $nat tcp $fata out via $ext setup keep-state $nat all $fata out via $ext keep-state $allow all $fata out via $ext For an outbound packet, rules should be keep-state, divert, allow, in this order, as far as I know. What about these lines? Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE traffic only? Did I miss anything? Some other IPFW questions: deny ip == deny all? Why do I have to write "from any to any" all the time, when it just means "independently of source and destination"? Why can't I write just "drop all"? Thank you very very much in advance :)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4729DCF3.4000407>