Date:      Tue, 8 May 2001 23:55:56 +0100
From:      Ian Chilton <mailinglist@ichilton.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   IPFW Questions
Message-ID:  <20010508235556.A4274@woody.ichilton.co.uk>

Hello,

I am running FreeBSD 4.3 from the stable tree.

I have a few ipfw questions I wonder if someone could help with. They
should be simple questions, but unfortunately this mail got a little
long!  :)


1) Why are the same rules used twice?

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.
case ${natd_enable} in
[Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
                ${fwcmd} add divert natd all from any to any via ${oif}
        fi
        ;;
esac

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}


2) What does this do?:

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

Will this let the machine itself and any NAT clients have unlimited
access to the internet, without letting people make connections to
services running on my gateway??
If not, how do I do this?  :)
If I am correct, this means I want to allow all packets but SYN
packets..?


3) What does this do?:
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag


4) The only service I want to be able to access from the outside is
SSH (+ the above full access from in outwards). Is this right??:
# Allow setup of incoming ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup


5) What's that last rule above for?  Doesn't this contradict, or is it there for
a reason? (got it from rc.firewall)


6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1,
ed2 and ed3, which have $iif1, $iif2, $iif3 which have IPs $iip1,
$iip2, $iip3 and network $inet1, $inet2, $inet3).

What I want, is each host to have full NAT access, which I think I have
done with: ${fwcmd} add divert natd all from any to any via ${oif}
Correct?

But, I don't want them to talk to each other. Will this happen
automatically, or do I have to do something like:

${fwcmd} add deny all from ${inet1} to ${inet2}
${fwcmd} add deny all from ${inet2} to ${inet1}
..etc..

?


Thanks in Advance!


Bye for Now,

Ian


                                  \|||/ 
                                  (o o)
 /-----------------------------ooO-(_)-Ooo----------------------------\
 |  Ian Chilton                    E-Mail: ian@ichilton.co.uk         |
 |  IRC Nick: GadgetMan            Backup: ichilton@www.linux.org.uk  |
 |  ICQ: 16007717 / 104665842      Web   : http://www.ichilton.co.uk  |
 |--------------------------------------------------------------------|
 |       For people who like peace and quiet: a phoneless cord        |
 \--------------------------------------------------------------------/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
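Added here as an illustration, not part of Ian's mail or of rc.firewall: a small Python model of ipfw's first-match evaluation over the rules quoted in questions 2 and 4, with constructed interface names, addresses and packets. It shows which rule each kind of packet hits: an inbound SYN to port 22 on the outside interface, an inbound SYN to another port, an outbound SYN, a packet of an already-established connection, and a SYN arriving on an inside interface.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in values for the rc.firewall variables quoted above (hypothetical).
OIF, OIP = "fxp0", "203.0.113.10"

# The rules from questions 2 and 4, in the order rc.firewall installs them.
# Each rule: (action, src, dst, dst_port, direction, interface, tcp_flag)
RULES = [
    ("pass", "any", "any", None, None, None, "established"),  # pass tcp ... established
    ("pass", "any", OIP,   22,   None, None, "setup"),        # pass tcp from any to $oip 22 setup
    ("deny", "any", "any", None, "in",  OIF,  "setup"),       # deny log tcp ... in via $oif setup
    ("pass", "any", "any", None, None, None, "setup"),        # pass tcp from any to any setup
]

def tcp_packet(src, dst, dport, direction, iface, syn, ack):
    """A constructed TCP packet as ipfw sees it crossing one interface."""
    return dict(src=src, dst=dst, dport=dport, dir=direction, iface=iface, syn=syn, ack=ack)

def matches(rule, pkt):
    action, src, dst, dport, direction, iface, flag = rule
    if src != "any" and ip_address(pkt["src"]) not in ip_network(src):
        return False
    if dst != "any" and ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    if direction is not None and pkt["dir"] != direction:
        return False
    if iface is not None and pkt["iface"] != iface:
        return False
    # ipfw flag semantics: 'setup' is SYN without ACK (a new connection attempt);
    # 'established' is any packet with ACK (or RST) set; this model tracks only ACK.
    if flag == "setup" and not (pkt["syn"] and not pkt["ack"]):
        return False
    if flag == "established" and not pkt["ack"]:
        return False
    return True

def evaluate(pkt):
    """First matching rule wins; returns (rule index, action). Assumes default deny."""
    for i, rule in enumerate(RULES, 1):
        if matches(rule, pkt):
            return i, rule[0]
    return None, "deny"
```

The model ignores the natd divert and frag rules, so it only answers "which of these four rules would this packet hit", not what the full rc.firewall does.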