Date: Wed, 21 Jan 2004 15:23:43 -0000
From: Thomas Wolf <tw@wsf.at>
To: Marc Silver <marcs@draenor.org>, freebsd-ipfw@freebsd.org
Subject: Re: dialup firewalling
Message-ID: <20040121162343.45gqrbzfytkwc@.mailhost.wsf.at>
Marc Silver <marcs@draenor.org> wrote:
> Hi guys and gals,
>
> The short story: I wrote an article a while back about dialup
> firewalling with FreeBSD, and after an update was made to the article a
> few months back by another individual it's been slightly broken.
>
> I am currently working on fixing this document and getting it more up to
> date, and was hoping to run the following ruleset past all of you. The
> problem is mostly that I no longer have a dialup connection to test
> this with, so I was hoping to ask opinions on whether or not the following
> rulebase would work:
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0
>
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established
>
> # Allow internet users to connect to port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
>
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
>
> # Deny and log everything else.
> $fwcmd add deny log ip from any to any
>
> Now, if my knowledge of ipfw2 is correct, this should allow everything
> out, and should only allow port 22 and 80 in. It'll also allow ICMP.
> Simple enough, but am I correct in my assumptions?

No, it will not work. keep-state rules and natd are difficult to handle.
In your setup, traffic from a box in your LAN ($lanclientip) with a destination
on the internet ($targetip), going via your gateway ($gatewayip), will be
handled like this:

original packet:                     $lanclientip -> $targetip

On leaving the gateway, the packet goes through the divert rule; now the
packet has                           $gatewayip -> $targetip

The keep-state rule now creates a temporary rule for '$gatewayip <-> $targetip'
and allows the packet out.

The response from $targetip gets natted first, so when it reaches the
check-state rule it already has      $targetip -> $lanclientip
and will not match the temporary rule.

Thomas
-- 
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040121162343.45gqrbzfytkwc>
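To make the traversal Thomas describes concrete, the following is an added example, not code from this thread, from the article Marc mentions, or from FreeBSD. It models the quoted ruleset being walked top to bottom in Python, with a deliberately simplified natd (every non-gateway source leaving tun0 is aliased to the tun0 address, no source-port remapping, the ICMP rule left out) and RFC 5737 / RFC 1918 addresses standing in for the $gatewayip, $lanclientip and $targetip placeholders. It reproduces the failure for a LAN client and, going one step beyond the reply, shows for contrast that the same rules do work for a connection the gateway opens itself, because natd leaves those packets alone and the dynamic rule matches the reply.

```python
"""Walk Marc's ipfw ruleset with natd on tun0 (constructed example)."""
from dataclasses import dataclass, replace

# Assumed addresses standing in for the placeholders used in the reply.
GATEWAY_IP = "192.0.2.1"        # tun0 address; what ipfw's 'me' matches on the gateway
LAN_CLIENT_IP = "192.168.1.20"  # a host behind the gateway ($lanclientip)
TARGET_IP = "198.51.100.80"     # a web server on the internet ($targetip)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    setup: bool = False        # SYN only: what ipfw's 'setup' matches
    established: bool = False  # ACK or RST set: what ipfw's 'established' matches


class Natd:
    """Simplified natd: alias non-gateway sources leaving tun0 to GATEWAY_IP
    and map replies back by (peer, peer port, local port). Real natd may also
    remap the source port; that detail does not change the outcome here."""

    def __init__(self):
        self.table = {}

    def translate(self, p, direction):
        if direction == "out":
            if p.src == GATEWAY_IP:
                return p                      # nothing to alias
            self.table[(p.dst, p.dport, p.sport)] = (p.src, p.sport)
            return replace(p, src=GATEWAY_IP)
        orig = self.table.get((p.src, p.sport, p.dport))
        if orig is None:
            return p                          # no mapping: packet is for the gateway itself
        return replace(p, dst=orig[0], dport=orig[1])


class Firewall:
    """Applies the quoted rules in order; 'dynamic' holds keep-state entries."""

    def __init__(self):
        self.natd = Natd()
        self.dynamic = set()

    @staticmethod
    def flow(p):
        # A dynamic rule matches both directions of one flow.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def process(self, p, direction):
        # $fwcmd add divert natd all from any to any via tun0
        p = self.natd.translate(p, direction)
        # $fwcmd add check-state
        if self.flow(p) in self.dynamic:
            return "allow (check-state)", p
        # $fwcmd add allow ip from me to any keep-state
        if p.src == GATEWAY_IP:
            self.dynamic.add(self.flow(p))
            return "allow (keep-state)", p
        # $fwcmd add deny tcp from any to any established
        if p.proto == "tcp" and p.established:
            return "deny (established)", p
        # $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
        if p.proto == "tcp" and p.dst == GATEWAY_IP and p.dport in (22, 80) and p.setup:
            self.dynamic.add(self.flow(p))
            return "allow (inbound 22/80)", p
        # (ICMP rule omitted: only TCP is modelled.)
        # $fwcmd add deny log ip from any to any
        return "deny log", p


def lan_client_session():
    """LAN host opens TCP/80 to TARGET_IP via the gateway. Returns the verdict
    on the SYN, the verdict on the SYN/ACK, and the SYN/ACK as the check-state
    rule saw it, i.e. after natd had already rewritten its destination."""
    fw = Firewall()
    syn = Packet(LAN_CLIENT_IP, TARGET_IP, 40000, 80, setup=True)
    v_out, natted_syn = fw.process(syn, "out")
    syn_ack = Packet(TARGET_IP, natted_syn.src, 80, natted_syn.sport, established=True)
    v_in, natted_reply = fw.process(syn_ack, "in")
    return v_out, v_in, natted_reply


def gateway_session():
    """Same exchange initiated by the gateway itself, for contrast."""
    fw = Firewall()
    syn = Packet(GATEWAY_IP, TARGET_IP, 40001, 80, setup=True)
    v_out, _ = fw.process(syn, "out")
    syn_ack = Packet(TARGET_IP, GATEWAY_IP, 80, 40001, established=True)
    v_in, _ = fw.process(syn_ack, "in")
    return v_out, v_in


if __name__ == "__main__":
    print("LAN client:", lan_client_session()[:2])
    print("gateway   :", gateway_session())
```

The LAN client's SYN leaves as $gatewayip -> $targetip and is allowed by the keep-state rule, but the SYN/ACK reaches check-state already rewritten to $targetip -> $lanclientip, misses the dynamic entry, and falls through to the `deny tcp ... established` rule; the gateway's own session is allowed in both directions.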