Date: Sun, 12 Mar 2006 12:27:12 -0600 From: Dennis Olvany <dennisolvany@gmail.com> To: Dave Johnson <davej@wsnet.co.za> Cc: freebsd-net@freebsd.org Subject: Re: IPFW problem Message-ID: <44146800.30707@gmail.com> In-Reply-To: <002b01c645dd$cc6a3800$5b00a8c0@laptop> References: <002b01c645dd$cc6a3800$5b00a8c0@laptop>
You need to reconsider the entire ruleset. Begin with a structured ruleset such as the following and build from there. Use a discrete ruleset for the router host.

check-state
allow ip from me to any keep-state
deny ip from me to any
allow icmp from any to me icmptypes 3,4,8,11 keep-state
deny ip from any to me
allow ip from 192.168.1.0/24 to any keep-state
deny ip from 192.168.1.0/24 to any
allow icmp from any to 192.168.1.0/24 icmptypes 3,4,8,11 keep-state
deny ip from any to 192.168.1.0/24
[default deny]

1. /etc/rc.conf
2.
3. defaultrouter="192.168.0.1"
4. gateway_enable="YES"
5. hostname="gateway.myatt.co.za"
6. ifconfig_rl0="inet 192.168.0.2 netmask 255.255.255.0"
7. ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
8. linux_enable="YES"
9. moused_enable="YES"
10. sshd_enable="YES"
11. usbd_enable="YES"
12. firewall_enable="YES"
13. #firewall_type="OPEN"
14. firewall_script="/etc/ipfw.rules"
15. firewall_quiet="NO"
16. RULESET HAS LOGGING RULES firewall_logging="NO"
17. RULESET HAS NO DIVERT RULE natd_program="/sbin/natd"
18. natd_enable="YES"
19. natd_interface="rl0"
20. natd_flags="-f /etc/natd.conf"
21. sendmail_submit_enable="NO"
22. sendmail_outbound_enable="NO"
23. sendmail_msp_queue_enable="NO"
24.
25. /etc/natd.conf
26.
27. interface rl0
28. use_sockets yes
29. same_ports yes
30. log
31.
32. /etc/ipfw.rules
33.
34. ipfw -q -f flush
35. cmd="ipfw -q add"
36. pif="rl0"
37. BAD $cmd 00005 allow all from any to any via rl1
38. $cmd 00010 allow all from any to any via lo0
39. $cmd 00015 check-state
40. CAT IPs... SHOULD BE UDP, EH. $cmd 00110 allow tcp from any to 196.2.48.227 53 out via $pif setup keep-state
41. $cmd 00111 allow tcp from any to 196.2.43.140 53 out via $pif keep-state
42. CAT PORT NUMBERS $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
43. $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
44. $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
45.
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
46. $cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
47. $cmd 00250 allow icmp from any to any out via $pif keep-state
48. $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
49. $cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
50. $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
51. $cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
52. $cmd 00299 deny log all from any to any out via $pif
53. 53-61 USELESS $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
54. $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
55. $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
56. $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif
57. $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif
58. $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
59. $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif
60. $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif
61. $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif
62. $cmd 00310 deny icmp from any to any in via $pif
63. $cmd 00315 deny tcp from any to any 113 in via $pif
64. $cmd 00320 deny tcp from any to any 137 in via $pif
65. $cmd 00321 deny tcp from any to any 138 in via $pif
66. $cmd 00322 deny tcp from any to any 139 in via $pif
67. $cmd 00323 deny tcp from any to any 81 in via $pif
68. $cmd 00330 deny all from any to any frag in via $pif
69. $cmd 00332 deny tcp from any to any established in via $pif
70. $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
71. $cmd 00499 deny log all from any to any in via $pif
72. $cmd 00999 deny log all from any to any