Date: Thu, 4 Aug 2005 14:38:40 -0400
From: jstarng <jstarng@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: IPFW ip masking and stateful connections
Message-ID: <2d3ab026050804113845d75cad@mail.gmail.com>
Two questions:

1. I'm having some trouble setting up some rules. I have two networks, one: 192.0.0.1-192.0.0.255 and the other 192.168.1.1-192.168.1.255. I want to prevent anyone from using services (like sharing folders) from one network to the other. I tried a line:

$c 00450 deny UDP from 192.0.0.0/16 to 192.168.1.1/16

but I think that's wrong, because when I do an ipfw show it lists it as:

00450 deny udp from 192.0.0.0/16 to 192.168.0.0/16

I guess I'm not really understanding how bit masks work on IP ranges. What's the correct range I should use?

2. Also, whenever I try to use stateful connections it seems that my setup keep-state rules are ignored. The packet will be denied even though it matches one of the "allow" rules... Additionally, I never see any packet counts by the check-state rule. Here's my current ruleset:

#!/bin/sh
c="ipfw add"
skip="skipto 60000"
skiplog="skipto 60002"
denylog="skipto 59999"

#Legitimate External IP's
#############################
iDNS="24.95.80.45,24.95.80.41"

#Legitimate Internal IP's
#############################
iClark="192.0.0.201"
iJoe="192.0.0.36"
iMikeG="192.0.0.200"
iTim="192.0.0.223"
iTroy="192.0.0.231"
iInternet="192.0.0.201,192.0.0.231"
iMe="192.168.1.212"
iMe2="192.0.0.111"

#Flush
#############################
ipfw -f -q flush #flush existing rules

#Divert
#############################
$c 00001 divert natd all from any to any
$c 00002 check-state

#Redirect traffic based on direction
#ed0 is the network with the internet connection
$c 00003 skipto 100 all from any to any in via ed0
$c 00004 skipto 200 all from any to any in via vr0
$c 00005 skipto 398 all from any to any out via ed0
$c 00006 skipto 400 all from any to any out via vr0

#In via lo0 50
#############################
$c 00007 $skip TCP from 127.0.0.1 25 to 127.0.0.1 in via lo0

#In via ed0 100
#############################
$c 00100 $skip UDP from any to 255.255.255.255 in via ed0 #Broadcast
$c 00102 $skip UDP from any 137 to 192.168.1.255 137 in via ed0 #shares
$c 00103 $skip UDP from any 138 to 192.168.1.255 138 in via ed0 #shares
$c 00104 $skip UDP from $iDNS 53 to $iInternet in via ed0 #DNS
$c 00110 $skip TCP from 192.168.1.235 to $iMe 22 in via ed0 #SSH from me
$c 00111 $skip TCP from any to $iInternet in via ed0
$c 00112 $skip TCP from any to $iMe 139 in via ed0
$c 00199 $skiplog all from any to any in via ed0

#In via vr0 200
#############################
$c 00200 $skip all from $iInternet to any in via vr0
$c 00295 $skip UDP from any to 255.255.255.255 60001 in via vr0 #Broadcast
$c 00296 $skip TCP from any to $iMe2 139 in via vr0
$c 00297 $skip UDP from any 137 to 192.0.0.255 137 in via vr0
$c 00298 $skip UDP from any 138 to 192.0.0.255 138 in via vr0
$c 00299 $skiplog all from any to any in via vr0

#out via ed0 300
#############################
$c 00398 $skip all from $iMe to any out via ed0
$c 00399 $skiplog all from any to any out via ed0

#out via vr0 400
#############################
$c 00400 $skip all from any to $iInternet out via vr0
$c 00498 $skip TCP from $iMe2 139 to any out via vr0
$c 00499 $skiplog all from any to any out via vr0

#Deny and log
$c 59999 deny log logamount 1000 all from any to any
$c 60000 allow TCP from any to any setup keep-state
$c 60001 allow UDP from any to any keep-state
$c 60002 allow log logamount 1000 TCP from any to any setup keep-state
$c 60003 allow log logamount 1000 UDP from any to any keep-state
$c 60004 deny log logamount 1000 all from any to any
ipfw zero
#eof

Any help would be appreciated.
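An added example, not part of the original post or of ipfw itself, showing with Python's standard ipaddress module why ipfw displays 192.168.1.1/16 as 192.168.0.0/16 (host bits are zeroed by the mask) and which prefix covers exactly each of the two 256-address networks described above; it also checks how far a too-short mask overreaches.

```python
"""Address/mask arithmetic behind ipfw's addr/bits notation (added example)."""
import ipaddress


def normalize(spec):
    """Return the network ipfw would show for an addr/bits spec.

    Only the bits covered by the mask are kept, so 192.168.1.1/16 is
    stored and displayed as 192.168.0.0/16.
    """
    return str(ipaddress.ip_network(spec, strict=False))


def smallest_block(first, last):
    """Smallest single CIDR block containing both first and last.

    The prefix length is the number of leading bits the two addresses share.
    """
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    bits = 32
    while bits > 0 and (lo >> (32 - bits)) != (hi >> (32 - bits)):
        bits -= 1
    return str(ipaddress.ip_network("%s/%d" % (first, bits), strict=False))


def matches(spec, host):
    """True if host falls inside the (normalised) network spec."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(spec, strict=False)


def hosts_covered(spec):
    """Number of addresses a spec matches; use it to spot over-broad rules."""
    return ipaddress.ip_network(spec, strict=False).num_addresses


if __name__ == "__main__":
    # What the poster typed versus what ipfw show printed.
    print(normalize("192.168.1.1/16"))                  # 192.168.0.0/16
    # Prefix that covers each of the two networks in the question.
    print(smallest_block("192.0.0.1", "192.0.0.255"))     # 192.0.0.0/24
    print(smallest_block("192.168.1.1", "192.168.1.255")) # 192.168.1.0/24
    # A /16 matches 65536 addresses, the /24 only 256; 192.0.5.7 is a
    # constructed address outside the intended range that the /16 still hits.
    print(hosts_covered("192.0.0.0/16"), hosts_covered("192.0.0.0/24"))
    print(matches("192.0.0.0/16", "192.0.5.7"), matches("192.0.0.0/24", "192.0.5.7"))
```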