Date: Tue, 24 Jun 2003 17:55:25 +0100
From: Jim Hatfield <subscriber@insignia.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <r20hfvgjquqplipgsvmi6ho3mh7qdind1t@4ax.com>
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
References: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you wrote:

>Attached is the conversation I had with Luigi Rizzo exactly
>three years ago on this topic. Maybe it is still helpful.

Well, it was indeed. The use of skipto was the clue. I didn't go with any
of the setups suggested but rolled my own using that idea. Here it is, in
use so far for four days with no problems:

>#!/bin/sh
>#
># rc.firewall for NAT'ing firewall router - dynamic rules version.
>#
># JPH -- 20th Jun 2003 Created.
>#
>fw="/sbin/ipfw -q"
>#
># Interface and address definitions
>#
>eint=rl0                  # External interface
>iint=sis0                 # Internal interface
>inet="192.168.100.0/24"   # Internal net
>#
># Clear existing ruleset
>#
>$fw flush
>#
># Transparent proxy: TCP packets to port 80 forwarded to Squid proxy
>#
>$fw add fwd 127.0.0.1,3128 tcp from $inet to any 80 in via $iint
>#
># Internal interface and loopback interface are open
>#
>$fw add allow ip from any to any via $iint
>$fw add allow ip from any to any via lo0
>#
># Packets still being processed are traversing the external interface.
># De-NAT incoming packets to get back the true destination address and port.
>#
>$fw add divert natd ip from any to any in
>#
># Dynamic rules: all outgoing packets create dynamic rules which are matched
># by both outgoing and incoming. Matching packets skip to rule 10000.
>#
>$fw add check-state
>$fw add skipto 10000 ip from any to any out keep-state
>#
># Here we handle unsolicited incoming packets. Allow selected ones in
># and block the rest. Our first reply will create a dynamic rule.
>#
>$fw add allow tcp from any to any 25 in setup
>$fw add allow icmp from any to any in icmptype 0,3,4,11
>$fw add allow udp from any 67 to 255.255.255.255 68 in
>$fw add deny log ip from any to any
>#
># Packets matched by dynamic rules are tested here.
># Since they have matched a rule they can be passed.
># Outgoing packets still need to be NAT'ed first.
>#
>$fw add 10000 divert natd ip from $inet to any out
>$fw add allow ip from any to any

I have a few extras in there that a "pure" router wouldn't need, i.e. the
forwarding of http to a Squid cache and the acceptance of incoming SMTP,
plus I have a Linksys DSL modem/bridge which broadcasts DHCPACK packets once
a minute, so I let them in to avoid polluting the logs.

The driver behind this is that I wanted to be able to pass UDP safely so I
could then move on to get linuxigd working, so I can use Windows Messenger
to have free voice conversations with a friend a few thousand miles away.
What a shame that when I finally get round to looking at linuxigd I realise
that it is written to use ipf and not ipfw :-((
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?r20hfvgjquqplipgsvmi6ho3mh7qdind1t>
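The reason the "skipto" matters in the ruleset above is easier to see by walking packets through it than by reading it. The following is an added example, not part of the thread and not ipfw itself: a small Python model of the rule pass on the external interface (divert natd in, check-state, "skipto 10000 ... out keep-state", the unsolicited-inbound rules, then "divert natd ... out" and allow). It models natd as a simple port-alias table and ipfw's dynamic rules as a five-tuple lookup that re-runs the creating rule's action; the "allow via $iint" / "via lo0" rules, ICMP and the DHCP exception are left out. The external address 198.51.100.7 and all packet addresses are constructed. The `use_skipto=False` variant models the naive "allow ... out keep-state" rule, to show why the skipto is needed.

```python
"""Toy model of the ipfw pass in the posted ruleset (added example; not ipfw,
not the poster's code).  Only packets crossing the external interface are
modelled.  Addresses are constructed."""
from dataclasses import dataclass, replace

EXT_ADDR = "198.51.100.7"      # assumed address of the external interface (rl0)
INET = "192.168.100."          # the ruleset's internal net, as a prefix


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out" on the external interface
    flags: str = ""            # "S" models ipfw's "setup" (SYN-only) match


def five(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Natd:
    """Minimal natd: aliases outbound packets from the internal net to
    EXT_ADDR and a fresh port; de-aliases inbound packets it has an entry
    for and passes everything else through unchanged."""

    def __init__(self, ext_addr, first_port=40000):
        self.ext = ext_addr
        self.next_port = first_port
        self.out_map = {}      # (proto, src, sport) -> alias port
        self.in_map = {}       # (proto, alias port) -> (src, sport)

    def divert(self, p):
        if p.direction == "out":
            key = (p.proto, p.src, p.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[(p.proto, self.next_port)] = (p.src, p.sport)
                self.next_port += 1
            return replace(p, src=self.ext, sport=self.out_map[key])
        orig = self.in_map.get((p.proto, p.dport))
        if orig is None:
            return p           # not ours: natd leaves it alone
        return replace(p, dst=orig[0], dport=orig[1])


def ruleset(use_skipto=True):
    """Rules as (number, action, argument, match predicate, keep-state).
    use_skipto=False is the naive variant: "allow ... out keep-state"."""
    out_action = ("skipto", 10000) if use_skipto else ("allow", None)
    return [
        (100, "divert", None, lambda p: p.direction == "in", False),
        (200, "check-state", None, lambda p: True, False),
        (300, out_action[0], out_action[1], lambda p: p.direction == "out", True),
        (400, "allow", None, lambda p: p.direction == "in" and p.proto == "tcp"
                                and p.dport == 25 and p.flags == "S", False),
        (500, "deny", None, lambda p: True, False),
        (10000, "divert", None,
         lambda p: p.direction == "out" and p.src.startswith(INET), False),
        (10001, "allow", None, lambda p: True, False),
    ]


def process(rules, p, nat, states):
    """Walk the rules for one packet; return (verdict, packet as it leaves).
    A check-state hit runs the action of the rule that created the entry."""
    i = 0
    while i < len(rules):
        _, action, arg, match, keep = rules[i]
        if action == "check-state":
            hit = states.get(five(p))
            if hit is None:
                i += 1
                continue
            action, arg = hit
        elif not match(p):
            i += 1
            continue
        elif keep:
            states[five(p)] = states[reverse(p)] = (action, arg)
        if action in ("allow", "deny"):
            return action, p
        if action == "divert":
            p = nat.divert(p)
            i += 1
            continue
        i = next(k for k, r in enumerate(rules) if r[0] >= arg)   # skipto
    return "deny", p           # ipfw's default rule


def outbound_session(use_skipto=True):
    """Internal host opens TCP to 203.0.113.5:443.  Returns the source address
    the SYN carries on the wire, the verdict and delivered destination of the
    SYN/ACK reply, and the wire source of a later data packet."""
    rules, nat, states = ruleset(use_skipto), Natd(EXT_ADDR), {}
    syn = Pkt("tcp", "192.168.100.10", 51000, "203.0.113.5", 443, "out", "S")
    v_syn, wire = process(rules, syn, nat, states)
    reply = Pkt("tcp", "203.0.113.5", 443, wire.src, wire.sport, "in", "SA")
    v_reply, delivered = process(rules, reply, nat, states)
    data = Pkt("tcp", "192.168.100.10", 51000, "203.0.113.5", 443, "out", "A")
    v_data, wire2 = process(rules, data, nat, states)
    return {"syn": (v_syn, wire.src), "reply": (v_reply, delivered.dst),
            "data": (v_data, wire2.src)}


def unsolicited_inbound(dport, flags="S"):
    """Verdict for a fresh inbound TCP packet to the external address."""
    p = Pkt("tcp", "198.51.100.200", 33000, EXT_ADDR, dport, "in", flags)
    return process(ruleset(), p, Natd(EXT_ADDR), {})[0]


if __name__ == "__main__":
    print("with skipto   :", outbound_session(True))
    print("without skipto:", outbound_session(False))
    print("inbound 25/SYN:", unsolicited_inbound(25), " inbound 22/SYN:", unsolicited_inbound(22))
```

With the skipto, the outbound SYN and every later outbound packet of the flow reach rule 10000 and leave with the external address, and the de-NATed reply matches the dynamic rule at check-state. With a plain "allow ... out keep-state" the first outbound packet is passed at rule 300 and never reaches the divert, so it leaves with its private source address. Unsolicited inbound SYNs to port 25 are allowed and everything else to the external address is denied, which is the behaviour the ruleset's comments describe.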