Date: Tue, 8 May 2001 18:01:14 -0500
From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: "Ian Chilton" <ian@ichilton.co.uk>, <freebsd-stable@freebsd.org>
Subject: Re: IPFW Questions
Message-ID: <033301c0d812$c84749e0$931576d8@inethouston.net>
References: <20010508235556.A4274@woody.ichilton.co.uk>
I believe it is because different sections refer to different setups.

> 1) Why are the same rules used twice?
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
> # Network Address Translation.
> case ${natd_enable} in
> [Yy][Ee][Ss])
>     if [ -n "${natd_interface}" ]; then
>         ${fwcmd} add divert natd all from any to any via ${oif}
>     fi
>     ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

It allows access if the IP packet has an established flag.
Basically, if a connection has been established, allow it to continue.

> 2) What does this do?:
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> Will this let the machine itself and any NAT clients have unlimited
> access to the internet, without letting people make connections to
> services running on my gateway??
> If not, how do I do this? :)
> If I am correct, this means I want to allow all packets but SYN
> packets..?

Allows fragmented packets, just as the documentation says.

> 3) What does this do?:
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
>
> 4) The only service I want to be able to access from the outside is
> SSH (+ the above full access from in outwards). Is this right??:
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from any to ${oip} 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
>
> 5) What's that last rule above for? Doesn't this contradict, or is it there for
> a reason? (got it from rc.firewall)
>
>
> 6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1,
> ed2 and ed3, which have $iif1, $iif2, $iif3 which have ip's $iip1,
> $iip2, $iip3 and network $inet1, $inet2, $inet3).
>
> What I want, is each host to have full NAT access, which I think I have
> done with: ${fwcmd} add divert natd all from any to any via ${oif}
> Correct?
>
> But, I don't want them to talk to each other. Will this happen
> automatically, or do I have to do something like:
>
> ${fwcmd} add deny all from ${inet1} to ${inet2}
> ${fwcmd} add deny all from ${inet2} to ${inet1}
> ..etc..

You should probably go through the ipfw man page thoroughly so you can have a better understanding of what is going on.
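Added here as an illustration (not code from this thread or from FreeBSD's rc.firewall): a small first-match evaluator for the subset of ipfw syntax quoted above, showing why "deny log ... in via ${oif} setup" and the later "pass tcp ... setup" do not contradict each other (the deny only sees inbound setups on the outside interface), and why the inter-LAN deny rules from question 6 only take effect if they are placed before "pass tcp from any to any setup". The outside interface name rl0, the addresses and the two internal networks are assumed.

```python
from ipaddress import ip_address, ip_network

OIF, OIP = "rl0", "203.0.113.5"                    # assumed outside interface and its address
INET1, INET2 = "192.168.1.0/24", "192.168.2.0/24"   # assumed internal networks ($inet1, $inet2)

# Rule fields: (action, proto, src, dst, dport, iface, direction, tcp-flag); None means "any".
RULES = [
    ("deny", "all", "any", "10.0.0.0/8", None, OIF, None, None),      # RFC1918 on the outside i/f
    ("pass", "tcp", "any", "any", None, None, None, "established"),  # packets of existing conns
    ("pass", "tcp", "any", OIP, 22, None, None, "setup"),            # setup of incoming ssh
    ("deny log", "tcp", "any", "any", None, OIF, "in", "setup"),     # any other incoming setup
    ("pass", "tcp", "any", "any", None, None, None, "setup"),        # outgoing (and internal) setup
    ("deny", "all", INET1, INET2, None, None, None, None),           # inter-LAN denies, placed
    ("deny", "all", INET2, INET1, None, None, None, None),           # last as in question 6
    ("deny", "all", "any", "any", None, None, None, None),           # ipfw's implicit final rule
]

def addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def flag_ok(flag, pkt):
    if flag == "setup":        # SYN set and ACK clear: the first packet of a new TCP connection
        return pkt["syn"] and not pkt["ack"]
    if flag == "established":  # ACK (or RST) set: part of a connection that is already set up
        return pkt["ack"]
    return True

def first_match(pkt, rules=RULES):
    """Return (rule index, action) of the first rule that matches pkt, as ipfw evaluates."""
    for i, (act, proto, src, dst, dport, iface, direction, flag) in enumerate(rules):
        if (proto in ("all", pkt["proto"])
                and addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
                and dport in (None, pkt["dport"]) and iface in (None, pkt["iface"])
                and direction in (None, pkt["dir"])
                and (proto != "tcp" or flag_ok(flag, pkt))):
            return i, act
    raise AssertionError("unreachable: the final rule matches everything")

def tcp(src, dst, dport, iface, direction, syn, ack=False):
    """Build a constructed TCP packet for the evaluator."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport,
            "iface": iface, "dir": direction, "syn": syn, "ack": ack}

if __name__ == "__main__":
    # Inbound SYN to port 80 hits the logged deny; an outbound SYN skips it ("in via ${oif}")
    print(first_match(tcp("198.51.100.9", OIP, 80, OIF, "in", syn=True)))              # (3, 'deny log')
    print(first_match(tcp("192.168.1.10", "198.51.100.9", 80, OIF, "out", syn=True)))  # (4, 'pass')
    # A LAN-to-LAN SYN is passed by rule 4 before the deny rules are ever consulted
    print(first_match(tcp("192.168.1.10", "192.168.2.10", 80, "ed2", "out", syn=True)))  # (4, 'pass')
```

Moving the two inter-LAN deny rules ahead of the TCP rules (try `RULES[5:7] + RULES[:5] + RULES[7:]`) makes the same LAN-to-LAN packet hit the deny first.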