From owner-freebsd-questions@FreeBSD.ORG Thu Nov 1 14:11:38 2007
Message-ID: <4729DCF3.4000407@gmail.com>
Date: Thu, 01 Nov 2007 15:04:35 +0100
From: deeptech71@gmail.com
To: freebsd-questions@freebsd.org
Subject: Please check my IPFW ruleset

[resending, doesn't seem to have gotten through]

I'm making some ipfw rules, and I would appreciate it if someone could check these for me. My intention is to create a replacement for a hardware router, which basically works by allowing all outbound traffic, blocking all unauthorized/unrequested inbound traffic, and has a setting (the so-called DMZ) to redirect all the unauthorized/unrequested packets to a local computer. Plus I want to add something like remote telnet/ssh capabilities to override the DMZ.

::::::::::::::::::::| ipfw.rules |::::::::::::::::::::
#!/bin/sh

dns="195.228.240.249,195.228.242.180"
lan="192.168.123.0/24"
ext="tun0"
int="rl0"

ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"

fa="from any"
ta="to any"
fata="$fa $ta"

reserved="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3"

########################################

$ipfw -f flush

$allow all $fata via lo0
$allow all $fata via $int

##### INBOUND #####

$block all $fa to $reserved in via $ext # ISP fuckup?
$nat all $fata in via $ext
$check
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext

# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4

$block all $fata in via $ext

##### OUTBOUND #####

# :: DEFINE SOME RESTRICTIONS HERE ? ::

$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext

$block $fata
::::::::::::::::::::| eof ipfw.rules |::::::::::::::::::::

OK, questions...

# ISP fuckup? - does it make sense to defend against my ISP hacking me?

What does "divert natd" actually do? Does it only change the IP header?

Can I move the three lines
  $block all $fata frag in via $ext
  $block tcp $fata established in via $ext
  $block all from $reserved in via $ext
to ahead of
  $nat all $fata in via $ext
?

I'm curious about this one:
  $nat tcp $fata out via $ext setup keep-state
  $nat all $fata out via $ext keep-state
  $allow all $fata out via $ext
For an outbound packet, rules should be keep-state, divert, allow, in this order, as far as I know. What about these lines?

Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE traffic only?

Did I miss anything?

Some other IPFW questions:
deny ip == deny all?
Why do I have to write "from any to any" all the time, when it just means "independently of source and destination"? Why can't I write just "drop all"?

Thank you very very much in advance :)
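To see what the ordering questions in the post come down to (a first-match walk through these rules, where "divert natd" rewrites addresses and where the packet re-enters afterwards, and what moving the three block rules ahead of the divert changes), here is a small simulator. It is an added example, not code from the post or from FreeBSD. It models only the subset of ipfw syntax the post uses, treats natd as a plain 1:1 address rewrite, and treats a dynamic (keep-state) match as accept, where real ipfw runs the action of the rule that created the entry. The addresses 203.0.113.5 (tun0's public address) and 198.51.100.7 (a remote host) are constructed documentation addresses, and the rule numbers are the ones ipfw would assign with its default step of 100.

```python
import ipaddress
from collections import namedtuple

LAN = "192.168.123.0/24"
RESERVED = ("192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,"
            "169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3")
PUBLIC_IP, REMOTE, LAN_HOST = "203.0.113.5", "198.51.100.7", "192.168.123.10"  # constructed addresses
# The post's rules in posting order, shell variables expanded (ext=tun0, int=rl0); the post's last rule
# has no protocol keyword, so "all" is written in here to make it parse.
RULESET = [
    "allow all from any to any via lo0",
    "allow all from any to any via rl0",
    f"deny all from any to {RESERVED} in via tun0",
    "divert natd all from any to any in via tun0",
    "check-state",
    "deny all from any to any frag in via tun0",
    "deny tcp from any to any established in via tun0",
    f"deny all from {RESERVED} to any in via tun0",
    "deny all from any to any in via tun0",
    "divert natd tcp from any to any out via tun0 setup keep-state",
    "divert natd all from any to any out via tun0 keep-state",
    "allow all from any to any out via tun0",
    "deny all from any to any",
]
# The post's question: the three block rules placed ahead of "divert natd ... in via tun0".
MOVED_RULESET = RULESET[:3] + RULESET[5:8] + RULESET[3:5] + RULESET[8:]
Rule = namedtuple("Rule", "num action proto src dst opts")
# direction is "in"/"out", iface the interface crossed, flags the TCP flags present (syn, ack, rst),
# frag marks a non-first IP fragment
Packet = namedtuple("Packet", "proto src dst sport dport direction iface flags frag", defaults=[frozenset(), False])

def parse(num, text):
    action, *tok = text.split()
    if action == "check-state": return Rule(num, action, "all", "any", "any", [])
    if action == "divert": tok.pop(0)   # the divert port ("natd"); the rewrite itself is done by Nat
    proto, _from, src, _to, dst, *opts = tok
    return Rule(num, action, proto, src, dst, opts)

def addr_match(spec, ip):
    return spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in spec.split(","))

def matches(rule, pkt):                 # the static part of the rule against the packet
    opts, ok = iter(rule.opts), rule.proto in ("all", "ip", pkt.proto)   # "ip" and "all" both mean any protocol
    ok = ok and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
    for o in opts:
        if o in ("in", "out"):   ok &= pkt.direction == o
        elif o == "via":         ok &= pkt.iface == next(opts)
        elif o == "frag":        ok &= pkt.frag
        elif o == "established": ok &= pkt.proto == "tcp" and bool(pkt.flags & {"ack", "rst"})
        elif o == "setup":       ok &= pkt.proto == "tcp" and "syn" in pkt.flags and "ack" not in pkt.flags
        elif o != "keep-state":  raise ValueError("option not modelled: " + o)
    return ok

class State:                            # dynamic rules: one entry per flow, matched in either direction
    def __init__(self): self.flows = set()
    def add(self, p): self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def lookup(self, p):
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.flows
                or (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows)

class Nat:                              # natd stand-in, simplified to a 1:1 address rewrite
    def __init__(self): self.table = {}
    def translate(self, p):             # LAN source -> PUBLIC_IP going out; mapping restored coming in
        if p.direction == "out" and ipaddress.ip_address(p.src) in ipaddress.ip_network(LAN):
            self.table[(p.proto, p.sport)] = p.src
            return p._replace(src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and (p.proto, p.dport) in self.table:
            return p._replace(dst=self.table[(p.proto, p.dport)])
        return p

def evaluate(rules, pkt, state, nat):   # first match wins; returns (verdict, rule number, trace of rules hit)
    trace, checked = [], False          # checked: dynamic table already consulted in this pass?
    for rule in rules:
        # check-state, or the first keep-state rule if no check-state came before it, consults the dynamic
        # table.  Simplified: a hit means accept; real ipfw runs the action of the rule that created the entry.
        if rule.action == "check-state" or ("keep-state" in rule.opts and not checked):
            checked = True
            if state.lookup(pkt):
                return "allow", rule.num, trace + [(rule.num, "dynamic match")]
        if rule.action == "check-state" or not matches(rule, pkt):
            continue
        trace.append((rule.num, rule.action))
        if "keep-state" in rule.opts:
            state.add(pkt)              # the entry records the addresses as seen here, i.e. before NAT
        if rule.action != "divert":
            return rule.action, rule.num, trace
        pkt = nat.translate(pkt)        # natd rewrites the packet and re-injects it at the next rule
        checked = False
    return "deny", 65535, trace + [(65535, "default")]  # default rule: deny unless the kernel says otherwise

def run_demo(ruleset=RULESET):
    rules = [parse(100 * (i + 1), t) for i, t in enumerate(ruleset)]  # ipfw's default numbering step
    state, nat = State(), Nat()
    packets = {  # constructed: one LAN-originated connection, then an unsolicited probe
        "outbound syn":    Packet("tcp", LAN_HOST, REMOTE, 40000, 80, "out", "tun0", frozenset({"syn"})),
        "reply syn/ack":   Packet("tcp", REMOTE, PUBLIC_IP, 80, 40000, "in", "tun0", frozenset({"syn", "ack"})),
        "unsolicited syn": Packet("tcp", REMOTE, PUBLIC_IP, 55555, 22, "in", "tun0", frozenset({"syn"})),
    }
    return {name: evaluate(rules, p, state, nat) for name, p in packets.items()}

if __name__ == "__main__":              # stand-alone run: verdicts and traces for both orderings
    print({"as posted": run_demo(), "block rules moved up": run_demo(MOVED_RULESET)})
```

With the rules as posted, the SYN/ACK reply to a LAN-originated connection is translated by "divert natd ... in via tun0" (rule 400) and then accepted at "check-state" (rule 500), while the unsolicited SYN falls through to the final "deny all ... in via tun0" (rule 900). With the three block rules moved ahead of the divert, the same reply is dropped by "deny tcp ... established in via tun0" before "check-state" is reached, because a SYN/ACK has ACK set; that rule only lets replies through when it sits after "check-state". The outbound trace also shows the SYN re-entering at the next rule after each divert, so it matches both "divert natd ... out via tun0" rules in turn.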