Date: Sun, 2 Sep 2001 22:03:03 +0200
From: "Dennis Berger" <HypnotiZer@gmx.net>
To: "Martin Schweizer" <info@pc-service.ch>, <freebsd-stable@freebsd.org>
Subject: Re: IPFirewall again
Message-ID: <002d01c133ea$45e84ba0$650110ac@nachpolierer>
References: <20010902194412.A279@pc-service.ch>
Maybe my configs can help you to set up a simple stateful firewall. You don't need to use rules like "allow from me to any"; there are "in" and "out" filters. Use them.

----------------------- ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 65536
 set reconnect 15 65536
 nat enable yes
 nat deny_incoming no
 nat punch_fw 500 100   #<----- Keep an EYE on THIS: this allows temp rules to be added which allow active FTP traffic back in. It's the ppp client from CURRENT.
 nat use_sockets yes
 nat same_ports yes
 nat port tcp 172.16.1.101:4000 4000
 nat port tcp 172.16.1.1:80 80
 nat port tcp 172.16.1.1:443 443
 disable iface-alias

-------------------------------- ipfw.rules
fwcmd="/sbin/ipfw"

#Flush all
$fwcmd -f flush

#Temp-rule
$fwcmd add 5 pass all from any to any

#LOCALDEVICES
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

#BOGUS NETWORK
$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

#COUNTRULES FOR MRTG
$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

#shape outgoing FTP-traffic
$fwcmd add 140 pipe 1 tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 141 pipe 1 tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 142 pipe 1 tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd pipe 1 config bandwidth 96Kbit/s queue 20Kbyte

$fwcmd add 160 check-state

#Let ping and traceroute work in both directions
$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 8,11,3 keep-state
$fwcmd add 205 pass udp from any to any 33434-33690 in via tun0 keep-state

#Allow access to ports 22,80,25,443,21
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state setup
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state setup
$fwcmd add 225 pass tcp from any to any 25 in via tun0 keep-state setup
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state setup
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state setup

#Allow others to use my FTP passive PORT-range
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state setup

#Deny authorize.quake3arena.com ;)
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0

#Allow all TCP/UDP/ICMP requests out and let them keep state.
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state

#Log all denied packets
$fwcmd add 65530 deny log all from any to any

#Delete TEMP-RULE
$fwcmd delete 5
-------------------------------------------------------------

----- Original Message -----
From: "Martin Schweizer" <pcservice.schweizer@spectraweb.ch>
To: <freebsd-stable@freebsd.org>
Sent: Sunday, September 02, 2001 7:44 PM
Subject: IPFirewall again

> Hello
>
> If I use the following rules I can connect via ftp (for example
> ftp.freebsd.org), but after the successful login I can't do "ls". The
> permissions are always denied. Why? Which port do I also need?
>
> # DNS (only runs over UDP)
> ipfw add allow udp from me to any 53 keep-state
> # SMTP
> ipfw add allow tcp from me to any 25 keep-state
> ipfw add allow udp from me to any 25 keep-state
> # POP3
> ipfw add allow tcp from me to any 110 keep-state
> ipfw add allow udp from me to any 110 keep-state
> # HTTP
> ipfw add allow tcp from me to any 80 keep-state
> ipfw add allow udp from me to any 80 keep-state
> # FTP
> ipfw add allow tcp from any to any 20 keep-state
> ipfw add allow udp from any to any 20 keep-state
> # FTP 2.
> ipfw add allow tcp from any to any 21 keep-state
> ipfw add allow udp from any to any 21 keep-state
> # SSH
> ipfw add allow tcp from me to any 22 keep-state
> ipfw add allow udp from me to any 22 keep-state
> # Telnet
> ipfw add allow tcp from me to any 23 keep-state
> ipfw add allow udp from me to any 23 keep-state
> # Ping / TraceRoute
> ipfw add allow icmp from me to any
> # Whois
> ipfw add allow tcp from me to any 63 keep-state
> ipfw add allow udp from me to any 63 keep-state
> # Gopher
> ipfw add allow tcp from me to any 70 keep-state
> ipfw add allow udp from me to any 70 keep-state
> # Finger
> ipfw add allow tcp from me to any 79 keep-state
> ipfw add allow udp from me to any 79 keep-state
> # NNTP
> ipfw add allow tcp from me to any 119 keep-state
> ipfw add allow udp from me to any 119 keep-state
> # NTP
> ipfw add allow tcp from me to any 123 keep-state
> ipfw add allow udp from me to any 123 keep-state
>
> --
> Regards,
>
> Martin Schweizer
> <info@pc-service.ch>
>
> PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
> Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>
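To show why the quoted rule set breaks the FTP "ls" while a direction-aware stateful set in the spirit of the reply does not, here is a small Python model of ipfw's first-match evaluation with keep-state/check-state. It is an added example, not code from the thread or from FreeBSD; it ignores addresses and interfaces, and the ports 50000 and 49200 in the trace are constructed.

```python
from collections import namedtuple

ANY = (0, 65535)
# Rule fields: action "allow"/"deny"; proto "tcp"/"udp"/"icmp"/"all"; sport/dport
# inclusive port ranges; direction "in"/"out"/"any"; setup = match only a SYN;
# keep_state = add a dynamic entry; check_state = a pure check-state rule.
Rule = namedtuple("Rule", "action proto sport dport direction setup keep_state check_state",
                  defaults=("allow", "all", ANY, ANY, "any", False, False, False))
Pkt = namedtuple("Pkt", "proto sport dport direction syn", defaults=(True,))

def evaluate(rules, states, p):
    """ipfw-style first match; `states` holds (proto, sport, dport) dynamic entries."""
    flow = (p.proto, p.sport, p.dport)
    for r in rules:
        # check-state, and the first keep-state rule, consult the dynamic table
        if (r.check_state or r.keep_state) and flow in states:
            return "allow"
        if r.check_state or r.proto not in ("all", p.proto) or r.direction not in ("any", p.direction):
            continue
        if not (r.sport[0] <= p.sport <= r.sport[1] and r.dport[0] <= p.dport <= r.dport[1]):
            continue
        if r.setup and not p.syn:
            continue
        if r.keep_state and r.action == "allow":   # remember both directions of the flow
            states.update({flow, (p.proto, p.dport, p.sport)})
        return r.action
    return "deny"   # default-deny kernel: the implicit rule 65535

# Constructed trace: the client opens the control connection (50000 -> 21), the
# server answers, then in active mode it connects from port 20 to client port 49200.
ACTIVE_FTP = [Pkt("tcp", 50000, 21, "out"), Pkt("tcp", 21, 50000, "in", syn=False),
              Pkt("tcp", 20, 49200, "in")]

def verdicts(rules):
    states = set()
    return [evaluate(rules, states, p) for p in ACTIVE_FTP]

# The quoted rule set opens only destination ports 20 and 21, so the SYN arriving
# *from* port 20 to the ephemeral data port matches nothing and the "ls" fails.
QUOTED = [Rule("allow", "tcp", dport=(21, 21), keep_state=True),
          Rule("allow", "tcp", dport=(20, 20), keep_state=True)]
# Direction-aware variant in the spirit of the reply: check-state first, an explicit
# inbound rule for the active-mode data connection (the kind of hole ppp's
# "nat punch_fw" opens only temporarily), and outbound "setup keep-state" for the rest.
FIXED = [Rule(check_state=True),
         Rule("allow", "tcp", (20, 20), (1024, 65535), "in", setup=True, keep_state=True),
         Rule("allow", "tcp", direction="out", setup=True, keep_state=True)]
```

A standing inbound rule for source port 20 is broader than what punch_fw adds per data connection, which is why the reply points at that ppp option rather than at a permanent rule.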