From owner-freebsd-stable Tue May 8 16:01:14 2001
From: "David W. Chapman Jr."
To: "Ian Chilton"
Subject: Re: IPFW Questions
Date: Tue, 8 May 2001 18:01:14 -0500
Message-ID: <033301c0d812$c84749e0$931576d8@inethouston.net>
References: <20010508235556.A4274@woody.ichilton.co.uk>
Sender: owner-freebsd-stable@FreeBSD.ORG

I believe it is because different sections refer to different setups.

> 1) Why are the same rules used twice?
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
> # Network Address Translation.
> case ${natd_enable} in
> [Yy][Ee][Ss])
>     if [ -n "${natd_interface}" ]; then
>         ${fwcmd} add divert natd all from any to any via ${oif}
>     fi
>     ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

It allows access if the IP packet has an established flag. Basically, if a connection has been established, allow it to continue.

> 2) What does this do?:
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> Will this let the machine itself and any NAT clients have unlimited
> access to the internet, without letting people make connections to
> services running on my gateway??
> If not, how do I do this? :)
> If I am correct, this means I want to allow all packets but SYN
> packets..?

Allows fragmented packets, just as the documentation says.

> 3) What does this do?:
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
>
> 4) The only service I want to be able to access from the outside is
> SSH (+ the above full access from in outwards). Is this right??:
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from any to ${oip} 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
>
> 5) What's that last rule above for? Doesn't this contradict, or is it there for
> a reason? (got it from rc.firewall)
>
>
> 6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1,
> ed2 and ed3, which have $iif1, $iif2, $iif3 which have IPs $iip1,
> $iip2, $iip3 and networks $inet1, $inet2, $inet3).
>
> What I want is for each host to have full NAT access, which I think I have
> done with: ${fwcmd} add divert natd all from any to any via ${oif}
> Correct?
>
> But, I don't want them to talk to each other. Will this happen
> automatically, or do I have to do something like:
>
> ${fwcmd} add deny all from ${inet1} to ${inet2}
> ${fwcmd} add deny all from ${inet2} to ${inet1}
> ..etc..

You should probably go through the ipfw man page thoroughly so you can have a better understanding of what is going on.
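The following is an added example, not the script from the post and not rc.firewall itself. It assembles the ruleset the thread is discussing (bogon filtering on both sides of the natd divert, the `established` and `frag` pass rules, SSH as the only inbound service, and deny rules keeping the three inside networks apart) in the order ipfw needs, since ipfw stops at the first matching rule. By default `fwcmd` is `echo ipfw`, so the script only prints the rules and can be inspected on any host; set `fwcmd=/sbin/ipfw` to load them on the gateway. The interface name `xl0`, the outside address `203.0.113.10` and the `192.168.N.0/24` inside networks are assumed placeholders. Two caveats the comments spell out: `established` is a stateless flag test (ACK or RST set), not connection tracking, and the deny rules between inside networks must come before the catch-all `setup` rule or they never match.

```shell
#!/bin/sh
# Added example for the IPFW thread above; not the posted script and not
# rc.firewall.  Dry-run by default (fwcmd="echo ipfw"): the generated rules
# are printed so their order can be checked.  Override fwcmd=/sbin/ipfw to
# load them for real.  All names and addresses are assumed placeholders.

oif=${oif:-xl0}                    # outside interface (assumed)
oip=${oip:-203.0.113.10}           # outside address (RFC 5737 test range)
inet1=${inet1:-192.168.1.0/24}     # the three inside networks (assumed)
inet2=${inet2:-192.168.2.0/24}
inet3=${inet3:-192.168.3.0/24}
natd_enable=${natd_enable:-YES}
fwcmd=${fwcmd:-"echo ipfw"}        # dry run unless overridden

# Address ranges that must never appear on the outside interface.
bogon_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

build_ruleset() {
    ${fwcmd} -f flush

    # Loopback traffic, and nothing spoofing loopback elsewhere.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny all from 127.0.0.0/8 to any

    # Question 6: inside networks may not talk to each other.  ipfw is
    # first-match, so these denies must precede every later pass rule.
    for src in ${inet1} ${inet2} ${inet3}; do
        for dst in ${inet1} ${inet2} ${inet3}; do
            if [ "${src}" != "${dst}" ]; then
                ${fwcmd} add deny all from ${src} to ${dst}
            fi
        done
    done

    # Question 1: bogon filtering is split around the divert.  Inbound
    # packets still carry the public destination before natd rewrites it,
    # so destination checks go before the divert; outbound packets carry a
    # private source until natd replaces it with ${oip}, so source checks go
    # after the divert, or every NAT client would block itself.
    for net in ${bogon_nets}; do
        ${fwcmd} add deny all from any to ${net} via ${oif}
    done

    case ${natd_enable} in
    [Yy][Ee][Ss])
        ${fwcmd} add divert natd all from any to any via ${oif}
        ;;
    esac

    for net in ${bogon_nets}; do
        ${fwcmd} add deny all from ${net} to any via ${oif}
    done

    # Question 2: "established" matches any TCP segment with ACK or RST set.
    # This is a flag test, not stateful tracking; which connections may be
    # opened at all is decided by the "setup" rules below.
    ${fwcmd} add pass tcp from any to any established

    # Question 3: pass non-first fragments, which carry no TCP/UDP header.
    ${fwcmd} add pass all from any to any frag

    # Questions 4 and 5: only SSH may be opened from outside.  The logged
    # deny sits between the SSH rule and the catch-all setup rule; the
    # catch-all is what lets the gateway and NAT clients open outbound
    # connections, so it must come last of the three.
    ${fwcmd} add pass tcp from any to ${oip} 22 setup
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add pass tcp from any to any setup

    # Everything not matched above is dropped and logged.
    ${fwcmd} add deny log all from any to any
}

# Line number of the first generated rule containing the given string,
# so that rule ordering can be verified from the dry-run output.
rule_index() {
    build_ruleset | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

build_ruleset
```

Run it as-is to print the ruleset and inspect the order; the placement of the inside-network denies and of the `deny log ... in via ${oif} setup` rule relative to the final `pass tcp from any to any setup` is what decides whether the policy holds.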