Site Navigation

Date:      Sun, 12 Mar 2006 12:27:12 -0600
From:      Dennis Olvany <dennisolvany@gmail.com>
To:        Dave Johnson <davej@wsnet.co.za>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW problem
Message-ID:  <44146800.30707@gmail.com>
In-Reply-To: <002b01c645dd$cc6a3800$5b00a8c0@laptop>
References:  <002b01c645dd$cc6a3800$5b00a8c0@laptop>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

You need to reconsider the entire ruleset. Begin with a structured 
ruleset such as the following and build from there. Use a discrete 
ruleset for the router host.



check-state

allow ip from me to any keep-state
deny ip from me to any
allow icmp from any to me icmptypes 3,4,8,11 keep-state
deny ip from any to me

allow ip from 192.168.1.0/24 to any keep-state
deny ip from 192.168.1.0/24 to any
allow icmp from any to 192.168.1.0/24 3,4,8,11 keep-state
deny ip from any to 192.168.1.0/24

[default deny]





    1.
       /etc/rc .conf
    2.

    3.
       defaultrouter="192.168.0.1"
    4.
       gateway_enable="YES"
    5.
       hostname="gateway.myatt.co.za"
    6.
       ifconfig_rl0="inet 192.168.0.2  netmask 255.255.255.0"
    7.
       ifconfig_rl1="inet 192.168.1.100  netmask 255.255.255.0"
    8.
       linux_enable="YES"
    9.
       moused_enable="YES"
   10.
       sshd_enable="YES"
   11.
       usbd_enable="YES"
   12.
       firewall_enable="YES"
   13.
       #firewall_type="OPEN"
   14.
       firewall_script="/etc/ipfw.rules"
   15.
       firewall_quiet="NO"
   16. RULESET HAS LOGGING RULES
       firewall_logging="NO"
   17. RULESET HAS NO DIVERT RULE
       natd_program="/sbin/natd"
   18.
       natd_enable="YES"
   19.
       natd_interface="rl0"
   20.
       natd_flags="-f /etc/natd.conf"
   21.
       sendmail_submit_enable="NO"
   22.
       sendmail_outbound_enable="NO"
   23.
       sendmail_msp_queue_enable="NO"
   24.

   25.
       /etc/natd.conf
   26.

   27.
       interface rl0
   28.
       use_sockets yes
   29.
       same_ports yes
   30.
       log
   31.

   32.
       /etc/ipfw.rules
   33.

   34.
       ipfw -q -f flush
   35.
       cmd="ipfw -q add"
   36.
       pif="rl0"
   37. BAD
       $cmd 00005 allow all from any to any via rl1
   38.
       $cmd 00010 allow all from any to any via lo0
   39.
       $cmd 00015 check-state
   40. CAT IPs... SHOULD BE UDP, EH.
       $cmd 00110 allow tcp from any to 196.2.48.227 53 out via $pif 
setup keep-state
   41.
       $cmd 00111 allow tcp from any to 196.2.43.140 53 out via $pif 
keep-state
   42. CAT PORT NUMBERS
       $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
   43.
       $cmd 00220 allow tcp from any to any 443 out via $pif setup 
keep-state
   44.
       $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
   45.
       $cmd 00231 allow tcp from any to any 110 out via $pif setup 
keep-state
   46.
       $cmd 00240 allow tcp from me to any out via $pif setup keep-state 
uid root
   47.
       $cmd 00250 allow icmp from any to any out via $pif keep-state
   48.
       $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
   49.
       $cmd 00270 allow tcp from any to any 119 out via $pif setup 
keep-state
   50.
       $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
   51.
       $cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
   52.
       $cmd 00299 deny log all from any to any out via $pif
   53. 53-61 USELESS
       $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
   54.
       $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
   55.
       $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
   56.
       $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif
   57.
       $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif
   58.
       $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
   59.
       $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif
   60.
       $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif
   61.
       $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif
   62.
       $cmd 00310 deny icmp from any to any in via $pif
   63.
       $cmd 00315 deny tcp from any to any 113 in via $pif
   64.
       $cmd 00320 deny tcp from any to any 137 in via $pif
   65.
       $cmd 00321 deny tcp from any to any 138 in via $pif
   66.
       $cmd 00322 deny tcp from any to any 139 in via $pif
   67.
       $cmd 00323 deny tcp from any to any 81 in via $pif
   68.
       $cmd 00330 deny all from any to any frag in via $pif
   69.
       $cmd 00332 deny tcp from any to any established in via $pif
   70.
       $cmd 00410 allow tcp from any to me 22 in via $pif setup limit 
src-addr 2
   71.
       $cmd 00499 deny log all from any to any in via $pif
   72.
       $cmd 00999 deny log all from any to any

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44146800.30707>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact