Date: Wed, 27 Aug 1997 20:19:16 -0700 (PDT)
From: Tim Baur <tbaur@esgroup.net>
To: freebsd-hackers@freebsd.org
Subject: ipfw configuration.
Message-ID: <Pine.BSI.3.96.970827201849.21649A-100000@oblivion.esgroup.net>
I have been running into some problems with ipfw.. maybe someone has some suggestions.

I have set up a FreeBSD machine running 2.2.2-REL (486/66, 16M RAM), compiled with:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5

Under /etc/rc.conf, I have Firewall=YES

I have installed ed1 and ed0. ed1 is primary, and is working fine. I haven't been able to get ed0 working as of yet. FreeBSD has really changed since the last version I ran, 2.1.5-REL. (Maybe someone could explain that to me as well.) However, while this is a problem, it's not my main concern currently.

It might be due to a lack of understanding on my part as to the configuration of ipfw. But this is what I am attempting to do.

On my LAN, I have a primary 16-port hub, which hosts machines that I don't wish to firewall. I have my 486 routed through this hub, into ed1. ed0 is then routed to my secondary hub, which routes the servers I wish to firewall. Thus, all the traffic running to the servers on the second hub would have to be routed/filtered through the firewall.

Following is my /etc/rc.firewall file:

############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.9 1997/03/09 06:27:41 andrew Exp $
############
# IPFW Rules for FW-KAM.ESGROUP.NET
#
# Blow away everything first.
#
/sbin/ipfw -f flush
#
# Firewall Rules
# ==============
#
# Allow Established TCP Connections
#
/sbin/ipfw add 10000 allow tcp from 207.194.190.5 to any established
/sbin/ipfw add 10100 allow tcp from any to 207.194.190.5 established
#
# Allow DNS through
#
/sbin/ipfw add 10200 allow udp from any 53 to 207.194.190.5
/sbin/ipfw add 10300 allow udp from 207.194.190.5 to any 53
#
# Allow identd to get through
#
/sbin/ipfw add 10800 allow tcp from any to 207.194.190.5 113
/sbin/ipfw add 10900 allow tcp from 207.194.190.5 to any 113
#
# Allow outgoing TCP connections
#
/sbin/ipfw add 11000 allow tcp from 207.194.190.5 to any setup
#
# Allow incoming TCP connections to ports 1024 - 65535
#
/sbin/ipfw add 11100 allow tcp from any to 207.194.190.5 1024-65535 setup
#
# Allow ssh from anywhere (Perhaps Dangerous)
#
/sbin/ipfw add 11200 allow tcp from any to 207.194.190.5 22 setup
#
# Allow Trusted Hosts Access
# ie: example
#
#/sbin/ipfw add 11400 allow tcp from (outside host) to 207.194.190.5 setup
#
# Allow NTP broadcasts from router
#
/sbin/ipfw add 11800 allow udp from any to any 123
#
# Allow Traceroutes
#
/sbin/ipfw add 11900 allow udp from 207.194.190.5 to any 33400-33499
/sbin/ipfw add 12000 allow icmp from any to any icmptype 3
/sbin/ipfw add 12100 allow icmp from any to any icmptype 11
#
# Everything else is denied by default.

This is what I get when I run 'ipfw -a list':

Script started on Thu Aug 28 15:38:25 1997
root@fw-kam~: ipfw -a list
10000 0 0 allow tcp from 207.194.190.5 to any established
10100 0 0 allow tcp from any to 207.194.190.5 established
10200 0 0 allow udp from any 53 to 207.194.190.5
10300 0 0 allow udp from 207.194.190.5 to any 53
10800 0 0 allow tcp from any to 207.194.190.5 113
10900 0 0 allow tcp from 207.194.190.5 to any 113
11000 0 0 allow tcp from 207.194.190.5 to any setup
11100 0 0 allow tcp from any to 207.194.190.5 1024-65535 setup
11200 0 0 allow tcp from any to 207.194.190.5 22 setup
11800 0 0 allow udp from any to any 123
11900 0 0 allow udp from 207.194.190.5 to any 33400-33499
12000 0 0 allow icmp from any to any icmptype 3
12100 0 0 allow icmp from any to any icmptype 11
65535 179 12350 deny ip from any to any
root@fw-kam~:
Script done on Thu Aug 28 15:38:47 1997

With this current configuration, I can't do anything. It's as if when incoming packets reach the machine, it looks to ipfw, finds the 65535 line and denies it, thus disregarding anything else that might be added. I have tried multiple things to get it to work. I know my rc.firewall file is set up correctly. Even with ed0 not working, I still can't go anywhere via ed1. This puzzles me, as it should work.

I don't want to set up a proxy server, thus having to change all my DNS to point to the firewall, and having the firewall tell the packet where to go. I need to keep the DNS the same, while filtering ICMP, TCP, UDP etc. This is my reason for the physical setup: main hub -> firewall -> second hub -> machines to be firewalled. Is this not possible?

I haven't been able to find many docs on FreeBSD ipfw; maybe there should be better papers written on the setup. Or possibly I just haven't found them. With that said.. any suggestions on how to set this up the way I want to? Thank you for your time, and I welcome any info anyone has.

Tim Baur
ESI Communications
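As an added example (not code from the post above or from FreeBSD), here is a small Python walk of ipfw's first-match evaluation over the ruleset exactly as 'ipfw -a list' printed it, so a reader can see which rule each kind of packet lands on. It assumes ipfw's documented meaning of 'setup' (SYN without ACK) and 'established' (ACK or RST); the addresses 192.0.2.9 (a LAN host on the first hub) and 198.51.100.20 (a server on the second hub) are constructed placeholders, only 207.194.190.5 comes from the post.

```python
import re
# Ruleset as 'ipfw -a list' printed it; 65535 is the kernel's built-in default.
RULES_TEXT = """
10000 allow tcp from 207.194.190.5 to any established
10100 allow tcp from any to 207.194.190.5 established
10200 allow udp from any 53 to 207.194.190.5
10300 allow udp from 207.194.190.5 to any 53
10800 allow tcp from any to 207.194.190.5 113
10900 allow tcp from 207.194.190.5 to any 113
11000 allow tcp from 207.194.190.5 to any setup
11100 allow tcp from any to 207.194.190.5 1024-65535 setup
11200 allow tcp from any to 207.194.190.5 22 setup
11800 allow udp from any to any 123
11900 allow udp from 207.194.190.5 to any 33400-33499
12000 allow icmp from any to any icmptype 3
12100 allow icmp from any to any icmptype 11
65535 deny ip from any to any
"""
RULE_RE = re.compile(r"(\d+) (allow|deny) (\w+) from (\S+)(?: (\d+(?:-\d+)?))?"
                     r" to (\S+)(?: (\d+(?:-\d+)?))?(?: (setup|established|icmptype \d+))?$")
def _port_ok(spec, port):  # spec None = any port, else "p" or "lo-hi"
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)
def evaluate(pkt, rules_text=RULES_TEXT):
    """Return (rule number, action) of the first rule pkt matches, as ipfw does."""
    for line in rules_text.strip().splitlines():
        num, act, proto, src, sp, dst, dp, opt = RULE_RE.match(line).groups()
        if proto not in ("ip", pkt["proto"]):
            continue
        if src not in ("any", pkt["src"]) or dst not in ("any", pkt["dst"]):
            continue
        if proto in ("tcp", "udp") and not (_port_ok(sp, pkt["sport"]) and _port_ok(dp, pkt["dport"])):
            continue
        # ipfw TCP flag options: 'setup' = SYN without ACK, 'established' = ACK or RST
        if opt == "setup" and not (pkt.get("syn") and not pkt.get("ack")):
            continue
        if opt == "established" and not (pkt.get("ack") or pkt.get("rst")):
            continue
        if opt and opt.startswith("icmptype") and pkt.get("icmptype") != int(opt[9:]):
            continue
        return int(num), act
# Constructed packets: 192.0.2.9 stands in for a LAN host on the first hub,
# 198.51.100.20 for a server on the second hub; only 207.194.190.5 is from the post.
def walk_samples():
    syn = dict(proto="tcp", sport=40000, syn=True)
    return {"fw itself to web": evaluate(dict(syn, src="207.194.190.5", dst="192.0.2.9", dport=80)),
            "ssh to fw": evaluate(dict(syn, src="192.0.2.9", dst="207.194.190.5", dport=22)),
            "web to host behind": evaluate(dict(syn, src="192.0.2.9", dst="198.51.100.20", dport=80))}
```

Every rule in the posted set names 207.194.190.5 as source or destination (apart from the NTP and ICMP rules), so a TCP packet forwarded between the two hubs matches nothing before the default rule 65535.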