Date:      Tue, 03 Jan 2006 00:31:07 +0200
From:      G Bryant <bsd@roamingsolutions.net>
To:        Dennis Olvany <dennisolvany@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: route selection and ipfw forwarding
Message-ID:  <43B9A9AB.20001@roamingsolutions.net>
In-Reply-To: <43B97627.5020501@gmail.com>
References:  <43B875FD.6000102@gmail.com>	<43B8CC58.9020906@roamingsolutions.net>	<43B8D510.2010908@gmail.com>	<43B8EF40.7020508@roamingsolutions.net> <43B97627.5020501@gmail.com>

This is a multi-part message in MIME format.
--------------050109090305010106090803
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"


   Dennis Olvany wrote:

What does your setup look like?
    

I don't have a setup yet. Faced with that much complexity, I may abandon the
notion.

  

################ Start of IPFW rules file ###############################
################ End of IPFW rules file ###############################
    

That ruleset is seriously complex and it's especially difficult to
decipher in script form.

Any idea of the possibility of doing a reverse proxy-only lsnat?

  

   Here is a very simple version of the rules with no internal (LAN)
   servers, no proxy and no bandwidth management.
   Hope this is more understandable.
   Regards,
   Gray

--------------050109090305010106090803
Content-Type: text/plain;
 name="ipfw_simple.ruleset"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="ipfw_simple.ruleset"

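#!/bin/sh
# shellcheck disable=SC2086  -- $cmd/$skip are command prefixes and must word-split
################ Start of IPFW rules file ###############################
# Two-WAN ipfw ruleset: one public NIC carrying two public addresses, one
# natd instance per address, and two upstream gateways.  This is the simple
# variant with no internal (LAN) servers, no proxy and no bandwidth management.
#
# Packet flow:
#   - anything on the LAN interface is allowed;
#   - inbound Internet traffic jumps to 4000 (de-NAT, bogon and port filters);
#   - outbound traffic jumps to 8000: new connections continue to 9000 where a
#     WAN link is chosen, NATed and forwarded with keep-state; packets of
#     established flows are steered by check-state, which re-runs the fwd of
#     the dynamic rule created for the flow.
#
# Run as root.  "ipfw -q" silences output and stops "flush" from prompting, but
# a failing ipfw command does not abort the script (no "set -e"), so inspect
# "ipfw show" after loading.

# Flush out the list before we begin.
ipfw -q -f flush

# Bootstrap rules: keep SSH to this box reachable while the rest of the ruleset
# loads, so a partial load (or a typo below) cannot lock the administrator out.
# They are deleted again at the very end of this script.
ipfw -q add 10 allow tcp from any to me 22 in
ipfw -q add 12 allow tcp from me 22 to any out

# Command prefixes.  They are deliberately left unquoted where used so the
# shell splits them into the ipfw command and its flags.
cmd="ipfw -q add"
#bwm="ipfw -q pipe"        # bandwidth pipes: unused in this simple variant
skip="skipto 8000"
ext_if1="rl0"              # public interface of WAN link 1
ext_if2="rl0"              # public interface of WAN link 2 (same NIC here)
int_if="vr0"               # private (LAN) interface
ext_ip1="196.yy.yy.yy"     # public address of WAN link 1
ext_ip2="196.xx.xx.xx"     # public address of WAN link 2
ext_gw1="196.yy.yy.1"      # next hop of WAN link 1
ext_gw2="196.xx.xx.1"      # next hop of WAN link 2
lan="192.168.1.0/24"
mail_host="192.168.1.3"    # LAN host whose SMTP/POP3 traffic is pinned to WAN link 2

# Rule sets select the WAN policy.  Disable every set first, then enable the
# ones for the current policy:
#   1  - NAT + forward via WAN link 1      2  - NAT + forward via WAN link 2
#   10 - all remaining new connections via WAN link 1
#        (sets 12-18: a fraction via link 2, set 20: everything via link 2)
# Set 31 holds the default rule and always stays enabled, so it is left out.
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
# Initially only enable set 1 and 2 and 10 when we have 2 WAN links
ipfw -q set enable 1 2 10


#################################################################
# Deny spoofed packets: drop incoming packets whose source address belongs
# to a directly connected network but which arrive on a different interface.
$cmd 100 deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

################################################################
# Everything crossing the LAN interface is allowed (LAN hosts are trusted).
# LAN traffic bound for the Internet is filtered again on its way out of the
# public interface, in the outbound section below.
$cmd allow ip from any to any via $int_if

#################################################################
# Incoming traffic from the Internet addressed to this host jumps straight to
# the inbound section.  Inbound packets for other destinations get there by
# falling through the (outbound-only) rules that follow.
$cmd skipto 4000 ip from any to me in



#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################

# Deny outgoing Windows file-sharing connections from the LAN
# (add whatever else must never leave the site).
$cmd deny tcp from $lan to any 137,445 out
$cmd deny tcp from $lan 137,445 to any out

# Everything else from the LAN goes to the NAT/forwarding section
$cmd $skip ip from $lan to any out

# ... and so do connections originating on this host
$cmd $skip ip from me to any out

# Outbound packets with any other source (neither LAN nor this host) are
# logged and dropped.
$cmd deny log ip from any to any out


#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Packets arriving on the public NIC that are already addressed to a private
# LAN address cannot be legitimate: genuine inbound traffic is addressed to
# one of the public IPs and only acquires a LAN destination through natd
# below.  Drop them here so the "allow ip from any to $lan in" rule further
# down cannot admit them.  natd-reinjected packets resume at the first rule
# numbered above 4000, so this rule never sees them.
$cmd 3900 deny log ip from any to $lan in via $ext_if1
if [ "$ext_if2" != "$ext_if1" ]; then
	$cmd 3900 deny log ip from any to $lan in via $ext_if2
fi

# NAT inbound traffic: de-alias packets for each public address through its
# own natd instance.  A diverted packet re-enters the ruleset at the first
# rule numbered above 4000, so the second 4000 rule is skipped for it.
$cmd 4000 divert natd1 ip from any to $ext_ip1 in
$cmd 4000 divert natd2 ip from any to $ext_ip2 in


# Deny all inbound traffic from non-routable / reserved source ranges:
#   172.16.0.0/12, 10.0.0.0/8   RFC 1918 private
#   0.0.0.0/8                   "this" network
#   169.254.0.0/16              link-local / DHCP auto-config
#   192.0.2.0/24                reserved for documentation (TEST-NET)
#   204.152.64.0/23             "Sun cluster" (carried over from the handbook example)
#   224.0.0.0/3                 class D multicast and class E
# 192.168.0.0/16 is left out (kept commented, as in the original ruleset),
# presumably because the LAN itself lives there.  Note that LAN traffic is
# already allowed above via $int_if and the antispoof rule already rejects
# the LAN prefix on the public NIC, so re-enabling it should be safe unless
# something on the public side legitimately uses RFC 1918 source addresses.
#$cmd deny all from 192.168.0.0/16 to any in via $ext_if1
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in

# Deny ident (113), NetBIOS (137 name, 138 datagram, 139 session - the
# MS/Windows sharing services) and MS/Windows hosts2 name-server requests (81).
$cmd deny all from any to any 113,137,138,139,81 in


# Inbound traffic for LAN hosts.  A packet only has a LAN destination at this
# point because natd translated it (direct LAN destinations were dropped at
# 3900), i.e. natd holds a mapping for it (an outbound session or a redirect).
$cmd allow ip from any to $lan in

# NOTE(review): this accepts every remaining inbound packet addressed to the
# gateway itself, so any service listening on this host is reachable from the
# Internet apart from the few ports denied above.  Tighten this to explicit
# allows for the services you actually expose.
$cmd allow ip from any to me in

# Anything else arriving (destined to neither the LAN nor this host) is logged
# and dropped.
$cmd deny log ip from any to any in


###############################################################
# This is the skipto location for outbound (stateful) rules.
# New connections (TCP SYN, any UDP, any ICMP) go to 9000 to pick a WAN link;
# everything else is a packet of an established flow.
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8030 skipto 9000 udp from any to any out
$cmd 8040 skipto 9000 icmp from any to any out
# Replies from this host's own sshd leave via the gateway of the public
# address they were sent to, without NAT.
$cmd 8050 skipto 8600 tcp from $ext_ip1,$ext_ip2 22 to any out
# Established packets: hand natd2 a copy (tee) while the original continues.
# The copy that natd2 writes back carries $ext_ip2 as source and skips
# natd1; the original is aliased by natd1.  Both then hit check-state:
# whichever one matches the dynamic rule created at 9300/9600 is forwarded
# by that rule's fwd, the other falls through to 8700 and is dropped.
$cmd 8100 tee natd2 ip from any to any out
$cmd 8200 skipto 8400 ip from $ext_ip2 to any out
$cmd 8300 divert natd1 ip from any to any out
$cmd 8400 check-state
$cmd 8600 fwd $ext_gw1 tcp from $ext_ip1 22 to any out
$cmd 8600 fwd $ext_gw2 tcp from $ext_ip2 22 to any out
# Established packets with no dynamic rule are dropped.
$cmd 8700 deny ip from any to any out

# skipto location for new outgoing connections: choose the WAN link.
# 9200 = NAT + forward via WAN link 1, 9500 = NAT + forward via WAN link 2.
# Mail from $mail_host is pinned to link 2; TCP 443/1863 and UDP on
# 80, 443 and 1024-65535 (either end) are pinned to link 1.
$cmd 9000 skipto 9500 tcp from $mail_host to any 25,110 out
$cmd 9000 skipto 9200 tcp from any to any 443,1863 out
$cmd 9000 skipto 9200 udp from any to any 80,443,1024-65535 out
$cmd 9000 skipto 9200 udp from any 80,443,1024-65535 to any out
# Link-selection policy for everything else, chosen by enabling one set:
#   set 10     - all remaining new connections via link 1
#   sets 12-18 - the given fraction (0.2 .. 0.8) via link 2, the rest via link 1
#   set 20     - all remaining new connections via link 2
$cmd 9000 set 10 skipto 9200 ip from any to any out
$cmd 9000 set 12 prob 0.2 skipto 9500 ip from any to any out
$cmd 9000 set 13 prob 0.3 skipto 9500 ip from any to any out
$cmd 9000 set 14 prob 0.4 skipto 9500 ip from any to any out
$cmd 9000 set 15 prob 0.5 skipto 9500 ip from any to any out
$cmd 9000 set 16 prob 0.6 skipto 9500 ip from any to any out
$cmd 9000 set 17 prob 0.7 skipto 9500 ip from any to any out
$cmd 9000 set 18 prob 0.8 skipto 9500 ip from any to any out
$cmd 9000 set 20 skipto 9500 ip from any to any out

# WAN link 1: alias through natd1, forward to its gateway and remember the
# flow so check-state can steer its later packets the same way.
$cmd 9200 set 1 divert natd1 ip from any to any out
$cmd 9300 set 1 fwd $ext_gw1 ip from any to any out keep-state
# WAN link 2: same through natd2.
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd $ext_gw2 ip from any to any out keep-state

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any

# The ruleset is complete: drop the SSH bootstrap rules added at the top.
ipfw -q delete 10
ipfw -q delete 12
################ End of IPFW rules file ###############################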

--------------050109090305010106090803--



