From owner-freebsd-security Sun Jun 17 13:48:33 2001
Delivered-To: freebsd-security@freebsd.org
Message-ID: <013401c0f76e$cbc8c690$0900a8c0@windows>
From: "Marcel Dijk"
To: "Crist Clark"
Cc: "Evren Yurtesen", "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", "Jason DiCioccio"
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com> <3B28F5EE.509B1261@globalstar.com> <05b201c0f598$25819fa0$0900a8c0@windows> <3B2A3C9B.2B10A6BF@globalstar.com>
Subject: Re: IPFW almost works now -> stateful rules
Date: Sun, 17 Jun 2001 22:47:59 +0200
Sender: owner-freebsd-security@FreeBSD.ORG

> > > # Just pass ICMP
> > > add 700 allow icmp from MY_IP to any out via ed0
> > > # Allow ping replies and requests, and various error messages
> > > add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> > > # Pass everything on private LAN (do we have another interface?
> > > # Otherwise, these rules are dangerous)
> > > add 1000 allow ip from 192.168.0.0/16 to any
>
> Sorry. I should have mentioned I wrote those off the top of my head.
> I didn't pull them from a working firewall, and I did not test them.

You were almost correct; there was one error which I have now ironed out.

> Of course, if you used the exact rules above, your NAT problem is
> probably very simple... I didn't put in a divert(4) rule. ;) I'd
> slip in,
>
> add divert natd ip from any to any via ed0
>
> Between the two '400' rules above (which I also misnumbered in my haste).

I did that but it still didn't work. But that wasn't the reason; there was a problem in rules #1000 & #1100. I figured it out and now it works perfectly.

I want to thank everyone for their help, specifically Crist Clark, who gave me the help that made it work. I was working on it for days and read quite a few articles, and it still didn't work as it should, and now it does. Thanks.

For those interested, here's the final working ruleset:

# Pass loopback traffic
add 100 allow ip from any to any via lo0

# Protect loopback address
add 200 deny log ip from 127.0.0.0/8 to any
add 300 deny log ip from any to 127.0.0.0/8

# Block spoofs
# add 400 deny log ip from EXTERNAL_IP to any in via ed0

# Enable NATD
add 425 divert 8668 ip from any to any via ed0

# Check dynamic rules
add 450 check-state

# Make dynamic entries for all outgoing traffic
add 500 allow log tcp from EXTERNAL_IP to any keep-state out
add 600 allow log udp from EXTERNAL_IP to any keep-state out

# Services we offer to the world
add 650 allow log tcp from any to EXTERNAL_IP 22,5617,10000 keep-state in

# Just pass ICMP
add 700 allow log icmp from EXTERNAL_IP to any out

# Allow ping replies and requests, and various error messages
add 800 allow log icmp from any to EXTERNAL_IP in # icmptypes 0,3,8,11,12

# Pass everything on private LAN (do we have another interface?
# Otherwise, these rules are dangerous)
add 1000 allow log all from 192.168.0.0/16 to any
add 1100 allow log all from any to 192.168.0.0/16

# Log the rejects that have fallen through
add 65000 deny log ip from any to any

Marcel
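As an added illustration, not code from this thread and not ipfw itself: a small Python model of how ipfw walks a ruleset like the one above, first match wins, with check-state/keep-state tracked in a set of flow tuples. It parses only the rule syntax the posted ruleset uses, drops the divert/natd rule (no address rewriting is simulated) and the log keyword, enables the commented-out spoof-block rule 400 so its effect is visible, and substitutes a constructed EXTERNAL_IP from the RFC 5737 documentation range; all packets are constructed samples. It lets a reader check what the ruleset does with a reply to an outbound connection, an unsolicited inbound connection, an offered service, and, relevant to the quoted note about rules 1000/1100, a packet with a private source address arriving on the outside interface.

```python
"""Toy ipfw-style rule evaluator with keep-state/check-state (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

EXTERNAL_IP = "203.0.113.10"   # constructed, RFC 5737 documentation range

# Same order as the posted ruleset, minus divert and 'log'; rule 400 enabled.
RULESET = """
add 100 allow ip from any to any via lo0
add 200 deny ip from 127.0.0.0/8 to any
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from EXTERNAL_IP to any in via ed0
add 450 check-state
add 500 allow tcp from EXTERNAL_IP to any keep-state out
add 600 allow udp from EXTERNAL_IP to any keep-state out
add 650 allow tcp from any to EXTERNAL_IP 22,5617,10000 keep-state in
add 700 allow icmp from EXTERNAL_IP to any out
add 800 allow icmp from any to EXTERNAL_IP in
add 1000 allow all from 192.168.0.0/16 to any
add 1100 allow all from any to 192.168.0.0/16
add 65000 deny ip from any to any
""".replace("EXTERNAL_IP", EXTERNAL_IP)


@dataclass(frozen=True)
class Packet:
    proto: str          # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int
    dport: int
    direction: str      # 'in' or 'out'
    iface: str


@dataclass
class Rule:
    number: int
    action: str                         # 'allow', 'deny' or 'check-state'
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dports: Tuple[int, ...] = ()
    direction: Optional[str] = None
    iface: Optional[str] = None
    keep_state: bool = False


def parse_ruleset(text: str):
    """Parse 'add N action proto from A to B [ports] [in|out] [via X] [keep-state]'."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rule = Rule(number=int(toks[1]), action=toks[2])
        if rule.action != "check-state":
            rule.proto, rule.src, rule.dst = toks[3], toks[5], toks[7]
            i = 8
            if i < len(toks) and toks[i][0].isdigit():   # destination port list
                rule.dports = tuple(int(p) for p in toks[i].split(","))
                i += 1
            while i < len(toks):
                if toks[i] in ("in", "out"):
                    rule.direction = toks[i]
                elif toks[i] == "via":
                    i += 1
                    rule.iface = toks[i]
                elif toks[i] == "keep-state":
                    rule.keep_state = True
                i += 1
        rules.append(rule)
    return rules


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # dynamic entries, one tuple per direction of a flow

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def evaluate(self, p: Packet):
        """Return (action, rule_number) of the first rule matching p."""
        for r in self.rules:
            if r.action == "check-state":
                if self._key(p) in self.state:
                    return "allow", r.number
                continue
            if r.proto not in ("ip", "all", p.proto):
                continue
            if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
                continue
            if r.dports and p.dport not in r.dports:
                continue
            if (r.direction and r.direction != p.direction) or (r.iface and r.iface != p.iface):
                continue
            if r.keep_state:   # remember the flow and its reply direction
                self.state.add(self._key(p))
                self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return r.action, r.number
        return "deny", None   # ipfw's implicit default


if __name__ == "__main__":
    fw = Firewall(parse_ruleset(RULESET))
    for pkt in (Packet("tcp", EXTERNAL_IP, "198.51.100.5", 40000, 80, "out", "ed0"),
                Packet("tcp", "198.51.100.5", EXTERNAL_IP, 80, 40000, "in", "ed0"),
                Packet("tcp", "198.51.100.5", EXTERNAL_IP, 1234, 80, "in", "ed0"),
                Packet("udp", "192.168.7.7", EXTERNAL_IP, 5, 53, "in", "ed0")):
        print(pkt.direction, pkt.proto, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", fw.evaluate(pkt))
```

The last sample shows the point behind the quoted "these rules are dangerous" comment: rules 1000 and 1100 carry no interface qualifier, so a packet with a 192.168.0.0/16 source address arriving on ed0 is accepted by rule 1000 rather than falling through to the deny at 65000. Qualifying those two rules with `via` and the inside interface, as the other rules already do for ed0, keeps the LAN pass-through from applying to the outside interface.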