Date:      Thu, 25 Nov 1999 10:39:23 -0800 (PST)
From:      "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>
To:        Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group)
Cc:        ahl@austclear.com.au (Tony Landells), ipfw@FreeBSD.ORG, arch@FreeBSD.ORG
Subject:   Re: new IPFW
Message-ID:  <199911251839.KAA49143@gndrsh.dnsmgr.net>
In-Reply-To: <199911251534.HAA67071@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Nov 25, 1999 07:33:13 am"

> In message <199911242148.IAA25984@tungsten.austclear.com.au>, Tony Landells writes:
> > I'd be much happier with something in ipfw that just marked the next line
> > number to be used, preferably in a way that I could get it to move to the
> > next "grouping"--like "set the next rule number to the next multiple of
> > 1000".
> 
> This is what I use in one of my dialup scripts at home:
...

And here is another one that's designed to simplify handling client/server
type tcp and udp protocols; it uses fixed rule bases and the port # as
an offset.  That makes grepping specific types of accept log data out of
the ipfw.log files easier [Tab formats probably destroyed by cut-n-paste]:
This is just a snippet of the whole file, but I think one can get the
idea of what we did here.  Note also that this is a very open rule set in
the calls to clnsrv; we mainly just monitor for suspicious activity.
The contents of rc.firewall.conf is up to the reader to figure out...

#!/bin/sh

# Command used to install rules.  Point fire at "echo" to dry-run the
# script and see the rules it would load instead of loading them.
fire=/sbin/ipfw
fadd="$fire add"

# clnsrv(action, proto, sport, dport, clients, servers)
clnsrv() {
        action=$1;      shift
        proto=$1;       shift
        sport=$1;       shift
        dport=$1;       shift
        clients=$1;     shift
        servers=$1;     shift


        if [ X"${proto}" = X"tcp" ]; then
                setup="setup"
                base=10000
        else
                setup=""
                base=40000
        fi
        if [ X"${dport}" = X"" ]; then
                ruleoffset=${sport}
        else
                ruleoffset=${dport}
        fi
        if [ ${ruleoffset} -gt 1899 ]; then
                ruleoffset=1900
        fi
        rule=`expr ${base} + \( ${ruleoffset} \* 10 \)`
        for cln in ${clients} ; do
                for srv in ${servers} ; do
                        ${fadd} ${rule} ${action} ${proto} \
                                from ${cln} ${sport} to ${srv} ${dport} ${setup}
                done
        done
        rule=`expr ${rule} + 9`
        ${fadd} ${rule} ${CLASS} log ${proto} from any ${sport} to any ${dport}
}

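# Pull in the address variables from the conf file or error out if
# there is not one (keeps one from shooting your feet off!).
#
# NOTE: "." executes the file as shell code in this script's own
# context, so whoever can write /etc/rc.firewall.conf controls the
# firewall (and runs with this script's privileges).  Keep it root-owned
# and not group/world writable.  The failure message goes to stderr so
# it is not lost when stdout is redirected at boot.
if [ -f /etc/rc.firewall.conf ]; then
        . /etc/rc.firewall.conf
else
        echo "$0 - no rc.firewall.conf file!!!  Not loading!!!" >&2
        exit 1
fi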

... [basic stuff for lo0, rfc1918, and some other not so public data] ...

################################################################################
# TCP/*
#
# Rule numbers follow clnsrv's scheme: 10000 + port*10, with the per-port
# "any to any" log rule at +9; ports above 1899 clamp to 29000/29009.
# The *_c / *_s address lists are expected from rc.firewall.conf.
#
# ipfw's "established" keyword matches on TCP flags (ACK or RST set), not
# on tracked connection state, so rule 10000 passes any non-SYN segment
# in either direction regardless of the per-service pairs below.
${fadd} 10000 allow     tcp  from any                to any          established

# ftp-data: source port 20 with no dport, so the offset is 20 (rule 10200).
clnsrv "allow    " tcp   20   "" "${tcp_ftpdata_c}"     "${tcp_ftpdata_s}"
clnsrv "allow    " tcp   ""   21 "${tcp_ftp_c}"         "${tcp_ftp_s}"
clnsrv "allow    " tcp   ""   22 "${tcp_ssh_c}"         "${tcp_ssh_s}"
clnsrv "allow    " tcp   ""   23 "${tcp_telnet_c}"      "${tcp_telnet_s}"
clnsrv "allow    " tcp   ""   25 "${tcp_smtp_c}"        "${tcp_smtp_s}"
clnsrv "allow    " tcp   ""   43 "${tcp_nicname_c}"     "${tcp_nicname_s}"
clnsrv "allow    " tcp   ""   53 "${tcp_domain_c}"      "${tcp_domain_s}"
clnsrv "allow    " tcp   ""   79 "${tcp_finger_c}"      "${tcp_finger_s}"
clnsrv "allow    " tcp   ""   80 "${tcp_http_c}"        "${tcp_http_s}"
clnsrv "allow    " tcp   ""  110 "${tcp_pop3_c}"        "${tcp_pop3_s}"
clnsrv "allow    " tcp   ""  111 "${tcp_sunrpc_c}"      "${tcp_sunrpc_s}"
clnsrv "allow    " tcp   ""  113 "${tcp_auth_c}"        "${tcp_auth_s}"
clnsrv "allow    " tcp   ""  119 "${tcp_nntp_c}"        "${tcp_nntp_s}"
clnsrv "allow    " tcp   ""  123 "${tcp_ntp_c}"         "${tcp_ntp_s}"
clnsrv "allow    " tcp   ""  137 "${tcp_netbios_ns_c}"  "${tcp_netbios_ns_s}"
clnsrv "allow    " tcp   ""  138 "${tcp_netbios_dgm_c}" "${tcp_netbios_dgm_s}"
clnsrv "allow    " tcp   ""  139 "${tcp_netbios_ssn_c}" "${tcp_netbios_ssn_s}"
clnsrv "allow    " tcp   ""  179 "${tcp_bgp_c}"         "${tcp_bgp_s}"
clnsrv "allow    " tcp   ""  443 "${tcp_https_c}"       "${tcp_https_s}"
clnsrv "allow    " tcp   ""  515 "${tcp_printer_c}"     "${tcp_printer_s}"
# 5190 is above clnsrv's 1899 clamp: it lands on rule 29000 / log 29009,
# shared with any other high port added here.
clnsrv "allow    " tcp   "" 5190 "${tcp_aol_c}"         "${tcp_aol_s}"

# XXX For now log all other TCP setups
# Note this is an *allow*: any TCP connection setup not matched above is
# accepted and merely logged, so this section is monitor-only rather than
# a deny-by-default policy (it sits below the per-service rules, which
# all number < 29999).
${fadd} 29999 allow log tcp  from any                to any                setup

################################################################################
# UDP/*
#
# Same scheme with clnsrv's udp base: 40000 + port*10, log rule at +9,
# ports above 1899 clamp to 59000/59009.
#
# Services listed twice are the request direction (dport set) and the
# reply direction (sport set) with the client and server lists swapped.
# Both directions of one port compute the same offset, so they share a
# rule number and each adds its own "any to any" log rule at the same +9
# number (DNS: 40530 twice, 40539 twice).  ipfw allows duplicate numbers;
# the two log rules are only distinguishable by where the port appears.

clnsrv "allow    " udp   ""   53 "${udp_domain_c}"      "${udp_domain_s}"
clnsrv "allow    " udp   53   "" "${udp_domain_s}"      "${udp_domain_c}"
clnsrv "allow    " udp   ""  123 "${udp_ntp_c}"         "${udp_ntp_s}"
clnsrv "allow    " udp   ""  137 "${udp_netbios_ns_c}"  "${udp_netbios_ns_s}"
clnsrv "allow    " udp   ""  138 "${udp_netbios_dgm_c}" "${udp_netbios_dgm_s}"
# netbios-ssn is the one pair rule here that is itself logged, not only
# its catch-all.
clnsrv "allow log" udp   ""  139 "${udp_netbios_ssn_c}" "${udp_netbios_ssn_s}"
clnsrv "allow    " udp   ""  161 "${udp_snmp_c}"        "${udp_snmp_s}"
clnsrv "allow    " udp  161   "" "${udp_snmp_s}"        "${udp_snmp_c}"
clnsrv "allow    " udp   ""  162 "${udp_snmptrap_c}"    "${udp_snmptrap_s}"
clnsrv "allow    " udp  162   "" "${udp_snmptrap_s}"    "${udp_snmptrap_c}"
clnsrv "allow    " udp   ""  512 "${udp_biff_c}"        "${udp_biff_s}"
clnsrv "allow    " udp   ""  513 "${udp_who_c}"         "${udp_who_s}"
clnsrv "allow    " udp   ""  514 "${udp_syslog_c}"      "${udp_syslog_s}"
clnsrv "allow    " udp   ""  515 "${udp_printer_c}"     "${udp_printer_s}"
clnsrv "allow    " udp   ""  516 "${udp_videotex_c}"    "${udp_videotex_s}"
clnsrv "allow    " udp   ""  517 "${udp_talk_c}"        "${udp_talk_s}"
clnsrv "allow    " udp   ""  518 "${udp_ntalk_c}"       "${udp_ntalk_s}"
clnsrv "allow    " udp   ""  519 "${udp_utime_c}"       "${udp_utime_s}"
clnsrv "allow    " udp   ""  520 "${udp_router_c}"      "${udp_router_s}"
clnsrv "allow    " udp   ""  521 "${udp_ripng_c}"       "${udp_ripng_s}"
# radius/radacct give both ports, so clnsrv takes the offset from dport:
# rules 56450, 56460, 58120, 58130 (each used twice, once per direction).
clnsrv "allow    " udp 1645 1645 "${udp_radius_c}"      "${udp_radius_s}"
clnsrv "allow    " udp 1645 1645 "${udp_radius_s}"      "${udp_radius_c}"
clnsrv "allow    " udp 1646 1646 "${udp_radacct_c}"     "${udp_radacct_s}"
clnsrv "allow    " udp 1646 1646 "${udp_radacct_s}"     "${udp_radacct_c}"
clnsrv "allow    " udp 1812 1812 "${udp_radius_c}"      "${udp_radius_s}"
clnsrv "allow    " udp 1812 1812 "${udp_radius_s}"      "${udp_radius_c}"
clnsrv "allow    " udp 1813 1813 "${udp_radacct_c}"     "${udp_radacct_s}"
clnsrv "allow    " udp 1813 1813 "${udp_radacct_s}"     "${udp_radacct_c}"
# 4000 is above the 1899 clamp: both directions land on 59000 / log 59009.
clnsrv "allow    " udp   "" 4000 "${udp_4000_c}"        "${udp_4000_s}"
clnsrv "allow    " udp 4000   "" "${udp_4000_s}"        "${udp_4000_c}"

# Catch-all for UDP: like the TCP 29999 rule this *allows* and logs
# everything not matched above, i.e. monitor-only, not deny-by-default.
${fadd} 59999 allow log udp  from any                to any

much much more below here deleted...


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net





