From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 22 00:33:26 2004
Date: Thu, 22 Jan 2004 08:30:14 -0000
From: Thomas Wolf
To: Marc Silver, Thomas Wolf
Cc: freebsd-ipfw@freebsd.org
Subject: Re: dialup firewalling
Message-ID: <20040122093014.1hbffi6ifnoks@.mailhost.wsf.at>
List-Id: IPFW Technical Discussions
Reply-To: tw@wsf.at

Marc Silver wrote:
> Hi guys,
>
> Thanks very much. You have all been fantastic, and a great help to me.
> I've revised the document to use PPP NAT, and amended the ruleset as
> below:
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Define our outside interface. With userland-ppp this
> # defaults to tun0.
> oif="tun0"

Assuming that you are building a gateway for your lan, you will need
some rules for your internal interface too, so:

iif="fxp0" # whatever your internal if is ...

>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state

Suggestion - Stop spoofing on your outside interface:

$fwcmd add deny ip from any to any in via $oif not verrevpath

> $fwcmd add allow ip from me to any out via $oif keep-state
> $fwcmd add deny tcp from any to any established in via $oif
>

Somewhere, you have to allow the traffic lan -> wan to enter your gateway:

$fwcmd add allow ip from any to not me in via $iif

(If you allow your lan to access all services on your gateway, you could
also do: $fwcmd add allow ip from any to any via $iif)

Allowing traffic via lo0 as Tony suggested is also a good idea.

$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any

> # Allow internet users to connect to the port 22 and 80.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state

If you do not have the 'any to any via $iif' rule, you should specify
the services on the gateway allowed for the lan:

$fwcmd add allow tcp from any to me dst-port 22,80 in via $iif setup keep-state

>
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
>
> # Deny and log all the rest.
> $fwcmd add deny log ip from any to any

Personally, I prefer to 'reset' or 'unreach' instead of 'deny', but that's
a matter of personal taste. I suggest resetting at least incoming packets
to port 113, avoiding delays when accessing your mailserver.

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
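A consolidated version of the ruleset discussed in this thread, added here as an illustration and not part of the original message: it merges Marc's rules with Thomas's additions into one script, ordered so that the loopback and anti-spoofing rules come first and check-state precedes the stateful allow. It deviates from the thread in one place: the outbound keep-state rule uses `from any` rather than `from me`, because userland ppp translates addresses after ipfw has already seen the packet leave tun0, so LAN-sourced packets would not match `me`. The interface names tun0 and fxp0 are assumptions, and FWCMD defaults to echoing the rules instead of loading them.

```shell
#!/bin/sh
# Dialup gateway ruleset assembled from the thread above (constructed example).
# FWCMD defaults to "echo /sbin/ipfw" so the script only prints the rules it
# would load; set FWCMD=/sbin/ipfw on the gateway to actually load them.
# OIF/IIF are assumed interface names: tun0 (userland ppp) and fxp0 (LAN).
FWCMD="${FWCMD:-echo /sbin/ipfw}"
OIF="${OIF:-tun0}"
IIF="${IIF:-fxp0}"

build_ruleset() {
    fwcmd="$FWCMD"
    oif="$OIF"
    iif="$IIF"

    $fwcmd -f flush

    # Loopback: allow lo0, and drop anything using 127/8 on a real interface.
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny ip from 127.0.0.0/8 to any

    # Anti-spoofing on the outside interface, before any stateful matching.
    $fwcmd add deny ip from any to any in via $oif not verrevpath

    # Dynamic rules first; then allow outbound traffic (LAN included, since
    # ppp NATs after ipfw sees the packet) and drop unsolicited established TCP.
    $fwcmd add check-state
    $fwcmd add allow ip from any to any out via $oif keep-state
    $fwcmd add deny tcp from any to any established in via $oif

    # Public services on the gateway: sshd and the web server.
    $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state

    # Reset ident probes rather than dropping them, so mail servers do not stall.
    $fwcmd add reset tcp from any to me dst-port 113 in via $oif

    # LAN -> gateway services, and LAN -> WAN traffic entering the gateway.
    $fwcmd add allow tcp from any to me dst-port 22,80 in via $iif setup keep-state
    $fwcmd add allow ip from any to not me in via $iif

    # ICMP: drop type 8 from the list if the host should not be pingable.
    $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

    # Deny and log everything else.
    $fwcmd add deny log ip from any to any
}

build_ruleset
```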