Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 29 Dec 2001 10:50:24 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        <mcambria@avaya.com>, "Simon 'corecode' Schubert" <corecode@corecode.ath.cx>
Cc:        "FBSD Questions" <questions@FreeBSD.ORG>
Subject:   RE: IPFW rc.firewall
Message-ID:  <LPBBIGIAAKKEOEJOLEGOEELICKAA.barbish@a1poweruser.com>
In-Reply-To: <20011229130734.596f3a12.corecode@corecode.ath.cx>

next in thread | previous in thread | raw e-mail | index | archive | help
After spending a day on this problem after posting the original
post, I worked out my own solution that address the dynamic IP addresses.

	onet="65.75.155.1/24"     # dynamic IP address range issued by my ISP
	omask="65.75.155.0"       # mask = 65.75.155.0 thru 65.75.155.255

Now even if user ppp -ddial has to redial my ISP after boot up my ipfw
rules will still protect me as I have told ipfw to use the whole class c
range of IP address my ISP uses for dynamic allocation.

Thanks to all of you who responded.
 Joe

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Simon 'corecode'
Schubert
Sent: Saturday, December 29, 2001 7:08 AM
To: Joe & Fhe Barbish
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW rc.firewall

On Fri, 28 Dec 2001 11:19:38 -0500 "Joe & Fhe Barbish"
<barbish@a1poweruser.com> wrote:

> I reviewed your tutorial. I see that it's a copy of the
> rc.firewall file with the symbolic variables for the
> "simple" network filled in for your environment. You have
> the second statement under the comments  #stop spoofing
> commented out because in a user ppp dialout to the ISP you
> are getting dynamic IP's and this rule needs {onet) & {omask)
> a static IP value, which you don't have because it always
> changes each time you dial your ISP.
>
> # Stop spoofing
>      ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

well, yes, kinda... :)
in the first place i disabled it to enable spoofing from inside ;]
but you are right, without knowledge of the onet (which is pretty much
0/0) this rule doesn't work.

> I am in this same situation.  I think there is a way to get
> the info needed for {onet} & {omask}. The rc.conf file controls
> the startup sequence of FBSD functions. If user ppp statements
> come before the IPFW statements in rc.conf then FBSD will know
> the dynamic IP address before IPFW starts.

this is only the reason if you just dial out once the system starts. if
you dial out later your ip changes but the ruleset doesn't get loaded.

if you want to set the rules according to your current ip address you
could use a /etc/ppp/linkup script that resets the ipfw ruleset.

but with my ruleset this is not needed. i wrote it just with the use of
 ... via ${oif}
and ... keep-state

i think this is a pretty good ruleset (for nat'ed users) but it has a
disadvantage: connections time out if not used (because of the
keep-state). but i don't mind much about this stuff as i can live with
it and it improves the security (well i think it does).

cheerz
  corecode

--
/"\   http://corecode.ath.cx/
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LPBBIGIAAKKEOEJOLEGOEELICKAA.barbish>