Date: Tue, 8 May 2001 23:55:56 +0100
From: Ian Chilton <mailinglist@ichilton.co.uk>
To: freebsd-stable@freebsd.org
Subject: IPFW Questions
Message-ID: <20010508235556.A4274@woody.ichilton.co.uk>
Hello,

I am running FreeBSD 4.3 from the stable tree. I have a few ipfw questions I wonder if someone could help with. They should be simple questions, but unfortunately this mail got a little long! :)

1) Why are the same rules used twice?

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add divert natd all from any to any via ${oif}
    fi
    ;;
esac

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

2) What does this do?:

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

Will this let the machine itself and any NAT clients have unlimited access to the internet, without letting people make connections to services running on my gateway?? If not, how do I do this? :)

If I am correct, this means I want to allow all packets but SYN packets..?

3) What does this do?:

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

4) The only service I want to be able to access from the outside is SSH (+ the above full access from in outwards). Is this right??:

# Allow setup of incoming ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

5) What's that last rule above for? Doesn't this contradict, or is it there for a reason? (got it from rc.firewall)

6) I have an outside i/f ($oif with $oip) and 3 internal i/f's (ed1, ed2 and ed3, which have $iif1, $iif2, $iif3, which have IPs $iip1, $iip2, $iip3 and networks $inet1, $inet2, $inet3). What I want is for each host to have full NAT access, which I think I have done with:

${fwcmd} add divert natd all from any to any via ${oif}

Correct?

But, I don't want them to talk to each other. Will this happen automatically, or do I have to do something like:

${fwcmd} add deny all from ${inet1} to ${inet2}
${fwcmd} add deny all from ${inet2} to ${inet1}
..etc.. ?

Thanks in Advance!

Bye for Now,
Ian

                                 \|||/
                                 (o o)
/-----------------------------ooO-(_)-Ooo----------------------------\
| Ian Chilton                  E-Mail: ian@ichilton.co.uk            |
| IRC Nick: GadgetMan          Backup: ichilton@www.linux.org.uk     |
| ICQ: 16007717 / 104665842    Web : http://www.ichilton.co.uk       |
|--------------------------------------------------------------------|
| For people who like peace and quiet: a phoneless cord              |
\--------------------------------------------------------------------/
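As an added example (not part of the original message or of rc.firewall), a simplified first-match model of a subset of the rules quoted above: it encodes what ipfw's "setup" and "established" keywords match and shows which rule an inbound SYN to port 22, an inbound SYN to another port, an inbound ACK, a packet with a 10/8 source on the outside interface, and a LAN-originated SYN each hit. Interface and address values are constructed, NAT is not modelled, and only 10/8 stands in for the RFC1918 ranges.

```python
import ipaddress

# TCP flag bits; ipfw "setup" = SYN without ACK, "established" = ACK or RST set
SYN, RST, ACK = 0x02, 0x04, 0x10
OIF, OIP = "ed0", "203.0.113.5"  # constructed stand-ins for ${oif} and ${oip}

def pkt(proto, src, dst, dport, flags, iface, direction):
    # Constructed packet record; direction is "in" or "out" on iface
    return dict(proto=proto, src=src, dst=dst, dport=dport, flags=flags,
                iface=iface, dir=direction)

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, p):
    """Simplified ipfw match: every clause present in the rule must hold."""
    if rule.get("proto", "all") not in ("all", p["proto"]):
        return False
    if not (_in_net(rule.get("src", "any"), p["src"]) and _in_net(rule.get("dst", "any"), p["dst"])):
        return False
    if "dport" in rule and rule["dport"] != p["dport"]:
        return False
    if "via" in rule and rule["via"] != p["iface"]:   # "via" matches either direction
        return False
    if "dir" in rule and rule["dir"] != p["dir"]:     # "in" / "out" narrows it
        return False
    if rule.get("setup") and not (p["flags"] & SYN and not p["flags"] & ACK):
        return False
    if rule.get("established") and not p["flags"] & (ACK | RST):
        return False
    return True

# A subset of the message's rules, in their order; 10/8 stands in for all RFC1918 nets
RULES = [
    dict(name="deny to 10/8 via oif", dst="10.0.0.0/8", via=OIF),
    # the natd divert sits here in the original; address translation is not modelled
    dict(name="deny from 10/8 via oif", src="10.0.0.0/8", via=OIF),
    dict(name="pass tcp established", proto="tcp", established=True),
    dict(name="pass setup to ssh on oip", proto="tcp", dst=OIP + "/32", dport=22, setup=True),
    dict(name="deny log inbound setup via oif", proto="tcp", dir="in", via=OIF, setup=True),
    dict(name="pass any other setup", proto="tcp", setup=True),
]

def evaluate(p, rules=RULES):
    """First matching rule wins, as in ipfw; unmatched traffic hits the default rule."""
    for r in rules:
        if matches(r, p):
            return r["name"]
    return "default deny"  # assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT
```

Rule order is what decides the outcome: a SYN arriving on an inside interface reaches the final pass rule only because the logged deny before it is restricted to "in via ${oif}", and an inbound ACK with no prior SYN is still passed by the stateless "established" rule.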