Date:      Sun, 17 Jun 2001 22:47:59 +0200
From:      "Marcel Dijk" <nascar24@home.nl>
To:        "Crist Clark" <crist.clark@globalstar.com>
Cc:        "Evren Yurtesen" <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, "Jason DiCioccio" <Jason.DiCioccio@Epylon.com>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPFW almost works now -> stateful rules
Message-ID:  <013401c0f76e$cbc8c690$0900a8c0@windows>
References:  <Pine.BSF.4.33.0106130001350.63354-100000@finland.ispro.net.tr> <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com> <3B28F5EE.509B1261@globalstar.com> <05b201c0f598$25819fa0$0900a8c0@windows> <3B2A3C9B.2B10A6BF@globalstar.com>

<SNIP rules>

> >  >   # Just pass ICMP
> >  >   add  700 allow icmp from MY_IP to any out via ed0
> >  >   # Allow ping replies and requests, and various error messages
> >  >   add  800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> >  >   # Pass everything on private LAN (do we have another interface?
> >  >   # Otherwise, these rules are dangerous)
> >  >   add 1000 allow ip from 192.168.0.0/16 to any

</SNIP>

> Sorry. I should have mentioned I wrote those off the top of my head.
> I didn't pull them from a working firewall, and I did not test them.

You were almost correct, there was one error which I have now ironed out.

> Of course, if you used the exact rules above, your NAT problem is
> probably very simple... I didn't put in a divert(4) rule. ;) I'd
> slip in,
>
>   add divert natd ip from any to any via ed0
>
> Between the two '400' rules above (which I also misnumbered in my haste).

I did that but it still didn't work. But that wasn't the reason, there was a
problem in rule #1000 & #1100, I figured it out and now it works perfectly.
I want to thank everyone for their help. Specifically Crist Clark, he gave me help
that made it work. I was working on it for days and read quite a bit of
articles and it still didn't work as it should and now it does, thanks.

For those interested, here's the final working ruleset:
# Pass loopback traffic
add 100 allow ip from any to any via lo0

# Protect loopback address
add 200 deny log ip from 127.0.0.0/8 to any
add 300 deny log ip from any to 127.0.0.0/8

# Block spoofs
# add 400 deny log ip from EXTERNAL_IP to any in via ed0

# Enable NATD
add 425 divert 8668 ip from any to any via ed0

# Check dynamic rules
add 450 check-state

# Make dynamic entries for all outgoing traffic
add 500 allow log tcp from EXTERNAL_IP to any keep-state out
add 600 allow log udp from EXTERNAL_IP to any keep-state out

# Services we offer to the world
add 650 allow log tcp from any to EXTERNAL_IP 22,5617,10000 keep-state in

# Just pass ICMP
add 700 allow log icmp from EXTERNAL_IP to any out

# Allow ping replies and requests, and various error messages
# (the icmptypes restriction from the draft is not applied here, so
# this rule accepts every ICMP type inbound to EXTERNAL_IP)
add 800 allow log icmp from any to EXTERNAL_IP in

# icmptypes 0,3,8,11,12

# Pass everything on private LAN (do we have another interface?
# Otherwise, these rules are dangerous)
add 1000 allow log all from 192.168.0.0/16 to any
add 1100 allow log all from any to 192.168.0.0/16

# Log the rejects that have fallen through
add 65000 deny log ip from any to any

Marcel
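The same ruleset layout, as an added example that is not Marcel's posted
configuration: a POSIX shell function that generates the rules from three
placeholders (external address, external interface, LAN prefix) instead of
hard-coding EXTERNAL_IP, plus a small ordering check for the pitfall the
thread kept circling around, namely that the natd divert rule must sit before
check-state, and check-state before the first keep-state rule, or the dynamic
entries are created and matched against the wrong addresses. The generated
rules also reinstate the icmptypes 0,3,8,11,12 restriction from the earlier
draft and enable the commented-out anti-spoof rule; the second anti-spoof rule
(dropping packets with a LAN source arriving on the external interface) and
the `setup` keyword on the inbound service rule are additions of this example,
not something the posted ruleset contains.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ipfw ruleset from
# variables and verify the divert / check-state / keep-state ordering.
# EXT_IP, EXT_IF and LAN_NET are placeholders supplied by the caller.

# Print the ruleset for the given external IP, external interface and LAN prefix.
emit_ruleset() {
    ext_ip="$1"; ext_if="$2"; lan_net="$3"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny log ip from 127.0.0.0/8 to any
add 300 deny log ip from any to 127.0.0.0/8
add 400 deny log ip from $ext_ip to any in via $ext_if
add 410 deny log ip from $lan_net to any in via $ext_if
add 425 divert natd ip from any to any via $ext_if
add 450 check-state
add 500 allow tcp from $ext_ip to any out via $ext_if keep-state
add 600 allow udp from $ext_ip to any out via $ext_if keep-state
add 650 allow tcp from any to $ext_ip 22,5617,10000 in via $ext_if setup keep-state
add 700 allow icmp from $ext_ip to any out via $ext_if
add 800 allow icmp from any to $ext_ip in via $ext_if icmptypes 0,3,8,11,12
add 1000 allow ip from $lan_net to any
add 1100 allow ip from any to $lan_net
add 65000 deny log ip from any to any
EOF
}

# Read rules on stdin; print the number of the first rule whose action is $1.
rule_number() {
    awk -v act="$1" '$1 == "add" && $3 == act { print $2; exit }'
}

# Succeed only if divert < check-state < first keep-state rule.
check_order() {
    rules="$1"
    divert=$(printf '%s\n' "$rules" | rule_number divert)
    cs=$(printf '%s\n' "$rules" | rule_number check-state)
    ks=$(printf '%s\n' "$rules" | awk '$1 == "add" && /keep-state/ { print $2; exit }')
    [ -n "$divert" ] && [ -n "$cs" ] && [ -n "$ks" ] &&
        [ "$divert" -lt "$cs" ] && [ "$cs" -lt "$ks" ]
}

# Load the generated rules into the kernel; only call this on the firewall host.
apply_ruleset() {
    rules=$(emit_ruleset "$1" "$2" "$3")
    check_order "$rules" || { echo "refusing to load: bad rule order" >&2; return 1; }
    ipfw -q flush
    printf '%s\n' "$rules" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}
```

Usage on the firewall host would be `apply_ruleset 203.0.113.5 ed0
192.168.0.0/16` (203.0.113.5 is a documentation address standing in for the
real EXTERNAL_IP); `emit_ruleset` with the same arguments just prints the rules
for review. The ordering check is deliberately strict about numbers rather than
textual position, because ipfw evaluates by rule number regardless of the order
the rules were added.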


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?013401c0f76e$cbc8c690$0900a8c0>