Date: Sun, 12 Mar 2006 12:27:12 -0600
From: Dennis Olvany
To: Dave Johnson
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW problem
Message-ID: <44146800.30707@gmail.com>
In-Reply-To: <002b01c645dd$cc6a3800$5b00a8c0@laptop>
List-Id: Networking and TCP/IP with FreeBSD

You need to reconsider the entire ruleset. Begin with a structured ruleset such as the following and build from there. Use a discrete ruleset for the router host.

check-state
allow ip from me to any keep-state
deny ip from me to any
allow icmp from any to me icmptypes 3,4,8,11 keep-state
deny ip from any to me
allow ip from 192.168.1.0/24 to any keep-state
deny ip from 192.168.1.0/24 to any
allow icmp from any to 192.168.1.0/24 icmptypes 3,4,8,11 keep-state
deny ip from any to 192.168.1.0/24
[default deny]

> 1. /etc/rc.conf
> 2.
> 3. defaultrouter="192.168.0.1"
> 4. gateway_enable="YES"
> 5. hostname="gateway.myatt.co.za"
> 6. ifconfig_rl0="inet 192.168.0.2 netmask 255.255.255.0"
> 7. ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
> 8. linux_enable="YES"
> 9. moused_enable="YES"
> 10. sshd_enable="YES"
> 11. usbd_enable="YES"
> 12. firewall_enable="YES"
> 13. #firewall_type="OPEN"
> 14. firewall_script="/etc/ipfw.rules"
> 15. firewall_quiet="NO"

RULESET HAS LOGGING RULES

> 16. firewall_logging="NO"

RULESET HAS NO DIVERT RULE

> 17. natd_program="/sbin/natd"
> 18. natd_enable="YES"
> 19. natd_interface="rl0"
> 20. natd_flags="-f /etc/natd.conf"
> 21. sendmail_submit_enable="NO"
> 22. sendmail_outbound_enable="NO"
> 23. sendmail_msp_queue_enable="NO"
> 24.
> 25. /etc/natd.conf
> 26.
> 27. interface rl0
> 28. use_sockets yes
> 29. same_ports yes
> 30. log
> 31.
> 32. /etc/ipfw.rules
> 33.
> 34. ipfw -q -f flush
> 35. cmd="ipfw -q add"
> 36. pif="rl0"

BAD

> 37. $cmd 00005 allow all from any to any via rl1
> 38. $cmd 00010 allow all from any to any via lo0
> 39. $cmd 00015 check-state

CAT IPs... SHOULD BE UDP, EH.

> 40. $cmd 00110 allow tcp from any to 196.2.48.227 53 out via $pif setup keep-state
> 41. $cmd 00111 allow tcp from any to 196.2.43.140 53 out via $pif keep-state

CAT PORT NUMBERS

> 42. $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
> 43. $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
> 44. $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
> 45. $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
> 46. $cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
> 47. $cmd 00250 allow icmp from any to any out via $pif keep-state
> 48. $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
> 49. $cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
> 50. $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
> 51. $cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
> 52. $cmd 00299 deny log all from any to any out via $pif

53-61 USELESS

> 53. $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
> 54. $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
> 55. $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
> 56. $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif
> 57. $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif
> 58. $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
> 59. $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif
> 60. $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif
> 61. $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif
> 62. $cmd 00310 deny icmp from any to any in via $pif
> 63. $cmd 00315 deny tcp from any to any 113 in via $pif
> 64. $cmd 00320 deny tcp from any to any 137 in via $pif
> 65. $cmd 00321 deny tcp from any to any 138 in via $pif
> 66. $cmd 00322 deny tcp from any to any 139 in via $pif
> 67. $cmd 00323 deny tcp from any to any 81 in via $pif
> 68. $cmd 00330 deny all from any to any frag in via $pif
> 69. $cmd 00332 deny tcp from any to any established in via $pif
> 70. $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
> 71. $cmd 00499 deny log all from any to any in via $pif
> 72. $cmd 00999 deny log all from any to any
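Added example, not part of the thread: a small Python lint that reads a subset of the quoted rc.conf settings and ipfw rules and reports the points raised above (tcp-only DNS rules, logging rules with firewall_logging="NO", natd enabled with no divert rule), then merges rules that differ only in port into one port-list rule, reading "CAT PORT NUMBERS" as "concatenate" (my assumption). Rule numbers, addresses and the rl0 interface come from the quoted config; the finding texts are mine.

```python
import re
from collections import defaultdict

# Constructed sample: rc.conf settings and a subset of the ipfw rules quoted in
# the thread, with $pif expanded to rl0 (rule 00111 lacks "setup" as posted).
RC_CONF = {"firewall_logging": "NO", "natd_enable": "YES"}
RULES = [
    "00110 allow tcp from any to 196.2.48.227 53 out via rl0 setup keep-state",
    "00111 allow tcp from any to 196.2.43.140 53 out via rl0 keep-state",
    "00200 allow tcp from any to any 80 out via rl0 setup keep-state",
    "00220 allow tcp from any to any 443 out via rl0 setup keep-state",
    "00230 allow tcp from any to any 25 out via rl0 setup keep-state",
    "00299 deny log all from any to any out via rl0",
]

RULE_RE = re.compile(r"^(\d+)\s+(allow|deny)\s+(log\s+)?(\w+)\s+from\s+(\S+)"
                     r"\s+to\s+(\S+)(?:\s+(\d[\d,]*))?(?:\s+(.*))?$")
FIELDS = ("num", "action", "log", "proto", "src", "dst", "ports", "opts")

def parse(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparsed rule: " + line)
    r = dict(zip(FIELDS, (g or "" for g in m.groups())))
    return dict(r, log=bool(r["log"]))

def fmt(r):
    words = [r["num"], r["action"]] + (["log"] if r["log"] else [])
    words += [r["proto"], "from", r["src"], "to", r["dst"]]
    return " ".join(words + [w for w in (r["ports"], r["opts"]) if w])

def lint(rules, rc):
    """Findings matching the reviewer's remarks on the posted config."""
    rs = [parse(r) for r in rules]
    udp_dsts = {r["dst"] for r in rs if r["proto"] == "udp"}
    out = [r["num"] + ": DNS rule is tcp only; lookups use udp" for r in rs
           if r["ports"] == "53" and r["proto"] == "tcp" and r["dst"] not in udp_dsts]
    if rc.get("firewall_logging") == "NO" and any(r["log"] for r in rs):
        out.append("firewall_logging=NO but the ruleset has log rules")
    if rc.get("natd_enable") == "YES" and not any("divert" in r for r in rules):
        out.append("natd_enable=YES but the ruleset has no divert rule")
    return out

def consolidate(rules):
    """Merge rules that differ only in port into one rule with a port list."""
    groups = defaultdict(list)
    for r in map(parse, rules):
        groups[tuple(r[k] for k in FIELDS if k not in ("num", "ports"))].append(r)
    return [fmt(dict(rs[0], ports=",".join(r["ports"] for r in rs if r["ports"])))
            for rs in groups.values()]
```

The two DNS rules are not merged because 00111 lacks the `setup` keyword that 00110 carries, so the consolidator also surfaces that inconsistency.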