From: Marius
Date: Tue, 8 May 2001 19:28:32 -0400 (EDT)
To: Ian Chilton
Cc: freebsd-stable@freebsd.org, questions@FreeBSD.org
Subject: Re: IPFW Questions
In-Reply-To: <20010508235556.A4274@woody.ichilton.co.uk>
Message-ID:

Redirected to Questions...

*snip*
> 1) Why are the same rules used twice?
*snip*

To catch packets both before and after NAT translation. The NAT rule in
between them changes the source or destination of some packets that pass
through it. So we check it twice.

> 2) What does this do?:
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established

This allows any connection that is on-going to continue going. So in one
rule you allow your internal net to make outgoing connections. And this
rule allows all the packets that were started by that connection to pass
through the firewall also. It is a good thing.

> Will this let the machine itself and any NAT clients have unlimited
> access to the internet, without letting people make connections to
> services running on my gateway??

That is _part_ of the ruleset needed to do that. The rest of it you
mention below.
> 3) What does this do?:
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag

It allows fragmented IP packets to pass through. If all works well your
machine can reassemble a number of fragmented packets to get the info.
Again, generally a good thing.

> 4) The only service I want to be able to access from the outside is
> SSH (+ the above full access from in outwards). Is this right??:
> # Allow setup of incoming ssh
> ${fwcmd} add pass tcp from any to ${oip} 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup

In a nutshell, the above looks like what you want.

> 5) What's that last rule above for? Doesn't this contradict, or is it
> there for a reason? (got it from rc.firewall)

It allows you to make any outgoing connections from inside your net. It
is a good thing.

> 6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1,
> ed2 and ed3, which have $iif1, $iif2, $iif3 which have ip's $iip1,
> $iip2, $iip3 and network $inet1, $inet2, $inet3).
>
> What I want, is each host to have full NAT access, which I think I have
> done with: ${fwcmd} add divert natd all from any to any via ${oif}
> Correct?
>
> But, I don't want them to talk to each other. Will this happen
> automatically, or do I have to do something like:
>
> ${fwcmd} add deny all from ${inet1} to ${inet2}
> ${fwcmd} add deny all from ${inet2} to ${inet1}
> ..etc..
>
> ?

Are you set up so that each host is networked only to the FreeBSD box, so
-all- packets have to pass through it to get anywhere? (i.e. all nets are
physically/logically separate.) If they are all on different nets for NAT,
then yes, they couldn't talk to each other. You wouldn't need any special
rules. But if you are not set up like the above, then all bets are off.
-Marius Rex
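Added example, not part of the thread and not FreeBSD's or rc.firewall's code: a toy first-match model of the ipfw rules quoted above, so the reader can trace what each of the "established", "frag", "setup" and "in via" rules does to a given packet and see why rule order decides the outcome. It models only the subset of ipfw syntax the thread uses; the interface name xl0, the outside address 203.0.113.10 and the three 192.168.N.0/24 networks are constructed stand-ins for ${oif}, ${oip} and ${inet1..3}. The "divert natd" rule is treated as a no-op (real natd rewrites the packet and re-injects it, which is why the rules appear twice), and "established" is modelled as "ACK bit set", a simplification of ipfw's "ACK or RST set".

```python
"""Toy first-match model of the ipfw rules discussed in the thread.
Added example; ipfw itself is not invoked. Addresses and interfaces are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the rc.firewall variables ${oif}, ${oip} and ${inetN}.
OIF, OIP = "xl0", "203.0.113.10"
INET = {"ed1": "192.168.1.0/24", "ed2": "192.168.2.0/24", "ed3": "192.168.3.0/24"}


@dataclass
class Pkt:
    proto: str             # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ack: bool = False
    iface: str = OIF       # interface the packet is seen on
    inbound: bool = True   # True when arriving on iface, False when leaving it
    frag: bool = False


@dataclass
class Rule:
    action: str            # "pass", "deny" or "divert"
    proto: str             # "tcp" or "all"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False        # ipfw 'setup': SYN set and ACK clear (a new connection)
    established: bool = False  # ipfw 'established': ACK or RST set; modelled as ACK only
    frag: bool = False         # ipfw 'frag': non-first IP fragment
    in_via: Optional[str] = None  # ipfw 'in via <iface>'


def addr_match(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(r: Rule, p: Pkt) -> bool:
    if r.proto != "all" and r.proto != p.proto:
        return False
    if not addr_match(p.src, r.src) or not addr_match(p.dst, r.dst):
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.setup and not (p.syn and not p.ack):
        return False
    if r.established and not p.ack:
        return False
    if r.frag and not p.frag:
        return False
    if r.in_via is not None and not (p.inbound and p.iface == r.in_via):
        return False
    return True


def build_rules(isolate: str = "none") -> List[Rule]:
    """The rules in the order quoted from rc.firewall. 'isolate' adds the inter-net
    deny rules from question 6 either 'early' (right after the divert) or 'late'
    (after the generic 'pass tcp setup'), to show that placement matters."""
    nets = list(INET.values())
    isolation = [Rule("deny", "all", a, b) for a in nets for b in nets if a != b]
    rules = [Rule("divert", "all")]                           # divert natd all from any to any via ${oif}
    if isolate == "early":
        rules += isolation
    rules += [
        Rule("pass", "tcp", established=True),                # pass tcp from any to any established
        Rule("pass", "all", frag=True),                       # pass all from any to any frag
        Rule("pass", "tcp", dst=OIP, dport=22, setup=True),   # pass tcp from any to ${oip} 22 setup
        Rule("deny", "tcp", in_via=OIF, setup=True),          # deny log tcp from any to any in via ${oif} setup
        Rule("pass", "tcp", setup=True),                      # pass tcp from any to any setup
    ]
    if isolate == "late":
        rules += isolation
    return rules


def evaluate(rules: List[Rule], p: Pkt) -> Tuple[int, str]:
    """First matching rule wins. divert is a no-op here. The fall-through is ipfw's
    default rule 65535, which denies unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            if r.action == "divert":
                continue
            return n, r.action
    return 65535, "deny"


if __name__ == "__main__":
    for mode in ("none", "early", "late"):
        rules = build_rules(mode)
        lan_to_lan = Pkt("tcp", "192.168.1.5", "192.168.2.5", 445, syn=True, iface="ed1")
        print(mode, "LAN->LAN SYN:", evaluate(rules, lan_to_lan))
```

Running the main block shows the ordering point behind question 6: with the inter-net deny rules placed early, a SYN from inet1 to inet2 is denied; placed after "pass tcp from any to any setup", the same packet is passed by that broad rule and the deny rules are never reached. The model also makes the limit of a stateless "established" rule visible: any inbound packet with ACK set matches it regardless of whether a connection exists, which is why later versions of rc.firewall use ipfw's check-state/keep-state rules to track real connections.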