Date: Tue, 22 Feb 2005 15:29:36 -0500 From: sn1tch <dot.sn1tch@gmail.com> To: freebsd-ipfw@freebsd.org Subject: IPFW Ruleset Message-ID: <a82b971905022212292e3e2a59@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
I'm trying to setup a stateful ruleset for my bsd machine, I have natd
running and working, but for the life of me I cannot get to any
outside websites. I know DNS is getting blocked but it's by one of the
last rules denying everything else=E2=80=A6and I cant seem to get the firew=
all
to let it pass on.. Here is what I have (which is right out of the
FreeBSD handbook):
=20
// Begin=20
case ${firewall_type} in=20
[Nn][Ee][Tt])=20
# Outside interface network and netmask and ip
oif=3D"fxp0"
onet=3D"111.111.111.0"
omask=3D"255.255.255.0"
oip=3D"111.111.111.45"
=20
# Inside interface network and netmask and ip
iif=3D"fxp1"
inet=3D"10.0.0.0"
imask=3D"255.0.0.0"
iip=3D"10.0.0.1"
=20
# DNS servers
dns1=3D"111.111.111.115"
=20
skip=3D"skipto 800"
=20
cmd=3D"ipfw -q add"
=20
setup_loopback
=20
#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via $iif
=20
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
=20
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $oif
=20
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
=20
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP.s Domain name server.
# x.x.x.x must be the IP address of your ISP.s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to $dns1 53 out via $oif setup keep-state
=20
# Allow out access to my ISP.s DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 111.111.111.116 67 out via $oif keep-state
=20
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $oif setup keep-state
=20
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $oif setup keep-state
=20
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $oif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $oif setup keep-state
=20
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $oif setup keep-state uid root
=20
# Allow out ping
$cmd 080 $skip icmp from any to any out via $oif keep-state
=20
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $oif setup keep-state
=20
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $oif setup keep-state
=20
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $oif setup keep-state
=20
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $oif setup keep-state
=20
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $oif keep-state
=20
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918 private =
IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $oif #RFC 1918 private I=
P
$cmd 302 deny all from 10.0.0.0/8 to any in via $oif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $oif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $oif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $oif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $oif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $oif #Class D & E multicas=
t
=20
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $oif
=20
# Deny all Netbios service. 137=3Dname, 138=3Ddatagram, 139=3Dsession
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $oif
$cmd 321 deny tcp from any to any 138 in via $oif
$cmd 322 deny tcp from any to any 139 in via $oif
$cmd 323 deny tcp from any to any 81 in via $oif
=20
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $oif
=20
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $oif
=20
# Allow traffic in from ISP.s DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for .user ppp. type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 111.111.111.116 to any 68 in via $oif keep-state
=20
# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $oif setup limit src-addr 2
$cmd 371 allow tcp from any to me 443 in via $oif setup limit src-addr 10
=20
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 21 in via $oif setup limit src-addr 2
$cmd 385 allow tcp from any to me 22 in via $oif setup limit src-addr 2
=20
# Reject & Log all unauthorized incoming connections from the public Intern=
et
$cmd 400 deny log all from any to any in via $oif
=20
# Reject & Log all unauthorized out going connections to the public Interne=
t
$cmd 450 deny log all from any to any out via $oif
=20
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $oif
$cmd 801 allow ip from any to any
=20
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
=20
;;
=20
// End
=20
=20
Thanks in advance for any help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a82b971905022212292e3e2a59>