Date:      Tue, 8 May 2001 19:28:32 -0400 (EDT)
From:      Marius <marius@mail.communityconnect.com>
To:        Ian Chilton <ian@ichilton.co.uk>
Cc:        freebsd-stable@freebsd.org, questions@FreeBSD.org
Subject:   Re: IPFW Questions
Message-ID:  <Pine.BSF.4.21.0105081901550.13442-100000@utterlux.hq.communitconnect.com>
In-Reply-To: <20010508235556.A4274@woody.ichilton.co.uk>


Redirected to Questions...


*snip*
> 1) Why are the same rules used twice?
*snip*
	To catch packets both before and after NAT translation.  The NAT
rule in between them changes the source or destination of some packets
that pass through it.  So we check it twice.



> 2) What does this do?:
> 
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established

This allows any connection that is on-going to continue going.  So in
one rule you allow your internal net to make outgoing
connections.  And this rule allows all the packets that were started by that
connection to pass through the firewall also.  It is a good thing.


  
> Will this let the machine itself and any NAT clients have unlimited
> access to the internet, without letting people make connections to
> services running on my gateway??  

That is _part_ of the ruleset needed to do that.  The rest of it you
mention below.


> 
> 3) What does this do?:
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag


It allows fragmented IP packets to pass through.  If all works well your
machine can reassemble a number of fragmented packets to get the
info.  Again, generally a good thing.



> 4) The only service I want to be able to access from the outside is
> SSH (+ the above full access from in outwards). Is this right??:
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from any to ${oip} 22 setup
> 
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
> 
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup

In a nutshell, the above looks like what you want.


> 
> 
> 5) What's that last rule above for?  Doesn't this contradict, or is it there for
> a reason? (got it from rc.firewall)
> 
>

It allows you to make any outgoing connections from inside your net.  It
is a good thing.

 

> 6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1,
> ed2 and ed3, which have $iif1, $iif2, $iif3 which have ip's $iip1,
> $iip2, $iip3 and network $inet1, $inet2, $inet3).
> 
> What I want, is each host to have full NAT access, which I think I have
> done with: ${fwcmd} add divert natd all from any to any via ${oif}
> Correct?
> 
> But, I don't want them to talk to each other. Will this happen
> automatically, or do I have to do something like:
> 
> ${fwcmd} add deny all from ${inet1} to ${inet2}
> ${fwcmd} add deny all from ${inet2} to ${inet1}
> ..etc..
> 
> ?

Are you set up so that each host is networked only to the FreeBSD box, so
-all- packets have to pass through it to get anywhere?  (i.e. all nets are
physically/logically separate.)  If they are all on different nets for NAT,
then yes, they couldn't talk to each other.  You wouldn't need any special
rules.

But if you are not set up like the above, then all bets are off.
 


-Marius Rex
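The following is an added example, not code from this thread or from FreeBSD's rc.firewall: it assembles the rule fragments discussed above (the divert, the established and frag rules, the SSH setup rule, the logged deny for inbound setup on the outside interface, the general setup pass, and the inter-network denies Ian asks about in question 6) into one ordered ipfw ruleset for a gateway with one outside interface and three internal networks. Interface names, addresses and the fwcmd default are assumptions; by default it prints the rules instead of loading them, so it can be read and checked on any machine.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall:
# one ordered ipfw ruleset for a NAT gateway with one outside interface
# and three internal networks. ipfw stops at the first matching rule, so
# the order below is the point of the file.
#
# Dry run by default: fwcmd is "echo ipfw", so rules are printed rather
# than loaded. On a FreeBSD gateway set fwcmd="/sbin/ipfw -q" and run as root.
fwcmd="${fwcmd:-echo ipfw}"

# Interface names and addresses are hypothetical; replace them with your own.
oif="${oif:-ed0}"
oip="${oip:-203.0.113.10}"
inet1="${inet1:-192.168.1.0/24}"
inet2="${inet2:-192.168.2.0/24}"
inet3="${inet3:-192.168.3.0/24}"

build_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add pass all from any to any via lo0

    # Question 6: keep the internal networks from reaching one another.
    # These come first so the flag-based "established" rule further down
    # can never pass a crafted ACK segment between two internal networks.
    for src in "$inet1" "$inet2" "$inet3"; do
        for dst in "$inet1" "$inet2" "$inet3"; do
            [ "$src" = "$dst" ] && continue
            ${fwcmd} add deny log all from "$src" to "$dst"
        done
    done

    # Anti-spoofing: an inbound packet on the outside interface must not
    # claim an internal source address. natd leaves the source of an inbound
    # packet alone, so this check belongs before the divert rule.
    for net in "$inet1" "$inet2" "$inet3"; do
        ${fwcmd} add deny log all from "$net" to any in via "${oif}"
    done

    # Question 6: translate everything that crosses the outside interface.
    # A rule that keys on an address natd rewrites (the destination of an
    # inbound packet, the source of an outbound one) needs a copy on each
    # side of this line; that is the "same rules twice" of question 1.
    ${fwcmd} add divert natd all from any to any via "${oif}"

    # Question 2: "established" matches TCP segments with ACK or RST set,
    # i.e. traffic of an already open connection. It is a flag check, not a
    # connection table, which is why the setup rules below must be strict.
    ${fwcmd} add pass tcp from any to any established

    # Question 3: let IP fragments through so the end hosts can reassemble.
    ${fwcmd} add pass all from any to any frag

    # Question 4: SSH is the only service reachable from outside; every
    # other inbound SYN on the outside interface is logged and dropped.
    # Question 5: after that deny, "any to any setup" can only match
    # connections that did not arrive on the outside interface, i.e.
    # outbound ones from the internal networks.
    ${fwcmd} add pass tcp from any to "${oip}" 22 setup
    ${fwcmd} add deny log tcp from any to any in via "${oif}" setup
    ${fwcmd} add pass tcp from any to any setup

    # Not discussed in the thread (assumption): let NAT clients resolve names.
    ${fwcmd} add pass udp from any to any 53
    ${fwcmd} add pass udp from any 53 to any

    # Everything else is logged and dropped.
    ${fwcmd} add deny log all from any to any
}

# Sanity check on the generated order: the inbound-setup deny must come
# before the general setup pass, or outside hosts could open connections
# to services behind the gateway. Returns 0 when the order is right.
order_ok() {
    rules=$(build_rules)
    deny_at=$(printf '%s\n' "$rules" | grep -n 'deny log tcp from any to any in via' | cut -d: -f1 | head -n 1)
    pass_at=$(printf '%s\n' "$rules" | grep -n 'pass tcp from any to any setup' | cut -d: -f1 | head -n 1)
    [ -n "$deny_at" ] && [ -n "$pass_at" ] && [ "$deny_at" -lt "$pass_at" ]
}

build_rules
```

Run it as-is to see the rule list it would load; `order_ok` is the check worth keeping around when editing the file, since moving the general setup pass above the logged deny silently opens every internal service to the outside. The two UDP rules are the loosest part of the set (any packet with source port 53 is let in), and ipfw's keep-state/check-state rules are the tighter way to handle UDP replies if the firewall supports them.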






