Date:      Mon, 23 Aug 2004 10:46:57 +0200
From:      Igor Popov <igor@garant.koenig.ru>
To:        freebsd-ipfw@freebsd.org
Subject:   Too many dropped packets
Message-ID:  <200408231046.57543.igor@garant.koenig.ru>

	hi,
I have FreeBSD-5.2.1-p9 on my network as an inet gateway: fxp0 is my internal
interface, fxp0:0 is an alias for the jail in which squid lives, and tun0 is my
external interface. Here is my ruleset:

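#!/bin/sh
#
# ipfw ruleset for a FreeBSD inet gateway.
#   fxp0 - internal interface (192.168.0.0/24); fxp0:0 is the jail alias
#   tun0 - external (ppp) interface
# Environment: firewall_quiet - "yes" (any case) passes -q to ipfw.
# The rule table is flushed first, so every rule below is re-added on each run.
#
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
    [Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
    ;;
    *)
        fwcmd="/sbin/ipfw"
    ;;
esac
# NB: ${fwcmd} is expanded unquoted on purpose below -- it may hold two
# words ("/sbin/ipfw -q") and must split into command plus flag.

############
# Flush out the list before we begin.
#
${fwcmd} -f flush
###########
# Limit incoming traffic rate
# one_pass is disabled so packets leaving the pipe continue through the
# rest of the ruleset instead of being accepted by rule 300.
${fwcmd} disable one_pass
${fwcmd} add 300 pipe 1 ip from any to any in recv fxp0
${fwcmd}         pipe 1 config bw 8MByte/s queue 50 gred 0.005/35/45/0.2
###########
# Antispoofing rule: drop inbound packets whose source address would not
# be routed back out the interface they arrived on.
${fwcmd} add deny log all from any to any not verrevpath in
###########
# Bad packets: impossible IP lengths and source-routing options
${fwcmd} add deny log all from any to any iplen 0-20 in
${fwcmd} add deny log all from any to any ipoptions ssrr,lsrr in
############
# Setup loopback
# Only in rare cases do you want to change these rules
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip  from 127.0.0.0/8 to any
###########
# Divert all packets through the tunnel interface.
#${fwcmd} add divert natd ip from any to any via tun0
###########
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# NOTE(review): a packet logged by the "established" deny belongs to a
# connection whose dynamic rule no longer exists -- typically it expired
# while the connection was idle (net.inet.ip.fw.dyn_ack_lifetime and the
# other dyn_*_lifetime sysctls) or the dynamic table reached
# net.inet.ip.fw.dyn_max.  Compare the logged flows against "ipfw -d list"
# and net.inet.ip.fw.dyn_count before loosening this rule.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established
###########
# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to 192.168.0.0/24 out xmit fxp0 setup keep-state
${fwcmd} add deny tcp from me to 192.168.0.0/24 out xmit fxp0
${fwcmd} add allow ip  from me to 192.168.0.0/24 out xmit fxp0 keep-state
###########
# Allow all connections from my inet ppp interface that I initiate
# "me" covers every address configured on the host, which should include
# the jail alias on fxp0:0 -- verify with "ifconfig" if squid traffic is
# not matched here.
${fwcmd} add allow tcp from me to any out xmit tun0 setup keep-state
${fwcmd} add allow ip  from me to any out xmit tun0 keep-state
############
# Everyone on the localnet is allowed to connect to the following
# services on the machine.  This string specifically allows connections
# to sshd, smtp, dns, pop3, imap, squid.
${fwcmd} add allow tcp from 192.168.0.0/24 to me dst-port ssh,smtp,domain,pop3,imap,3128 in recv fxp0 setup keep-state
${fwcmd} add allow udp from 192.168.0.0/24 to me dst-port domain in recv fxp0 keep-state
############
# Enable ICMP
# Deny and log all pings from inet and localnet
${fwcmd} add deny  log icmp from any to any icmptypes 8,13 in recv any
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 192.168.0.0/24 to me in recv fxp0 keep-state
###########
# Allow IPSec (AH and ESP protocols with isakmp) on the internal side only
${fwcmd} add allow     ah  from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow     esp from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow     ah  from 192.168.0.0/24 to me in  via fxp0 keep-state
${fwcmd} add allow     esp from 192.168.0.0/24 to me in  via fxp0 keep-state
${fwcmd} add allow log udp from 192.168.0.0/24 to me src-port isakmp dst-port isakmp in recv fxp0 keep-state
############
# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv fxp0
############
# Deny all the rest.
${fwcmd} add deny log ip from any to any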


The problem is that I see too many connections dropped by the rule (${fwcmd} add
deny log tcp from any to any established) from my squid via the external interface (tun0).

-- 
Tonight's the night: Sleep in a eucalyptus tree.


