Date:      Thu, 24 Apr 2003 18:48:08 -0400
From:      "Tommy Forrest - KE4PYM" <tforrest@shellworld.net>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   4.8 Firewall timing out
Message-ID:  <200304242247.h3OMlsPu044224@server1.shellworld.net>

Hi all.  Still having some issues with IPFW in 4.8.

My main problem right now is the firewall times out ALL activity within
1-3 minutes of establishing a connection.  I'm pretty happy with the
rule base.  I've got the connectivity I need.  I just need that
connectivity to stay alive.  All stay-alive problems disappear with an
ipfw add allow all from any to any.  So I know it's not the network
that's the problem.

IPDIVERT, IPFIREWALL, IPFIREWALL_VERBOSE, and
IPFIREWALL_VERBOSE_LIMIT=100 are built in the kernel with default to
deny.

I'd been working with someone off the list who'd helped me quite a lot
with these rules.  But I guess they got too busy before they could
finish helping me (which I can appreciate).

Rulebase follows.

#!/bin/sh

    fw="/sbin/ipfw"

    ifout='xl0'
    ifin='xl1'

    $fw -q -f flush
    $fw add divert natd all from any to any via "${ifout}"

    # loopback traffic
    $fw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
    $fw add deny all from any to 127.0.0.0/8
    $fw add deny ip from 127.0.0.0/8 to any

    # pass icmp or evil things can happen
    $fw add allow icmp from any to any

    # stateful rules follow
    $fw add check-state

    # inside interface isn't limited in any way
    $fw add allow all from any to any via "${ifin}" keep-state

    #------------------#
    # outbound section #
    #------------------#

    # You might want to allow *any* sort of dns/ntp traffic, but the following
    # seems to work fine if you increase net.inet.ip.fw.dyn_udp_lifetime a
    # bit.  Its default is too short for some slow links (like my dialup).
    $fw add allow udp from any to any 53,123 keep-state

    # Allow outgoing connections: ftp, ssh, telnet, mail, web, ntp and msn-chat.
    $fw add allow tcp from any to any 21,22,23,25,80,110,123,443,1863,6667 out xmit "${ifout}" setup keep-state

    # irc
    $fw add allow tcp from any to any 6667,6668,7325,10000 out xmit "${ifout}" setup keep-state limit src-addr 4

    #-----------------#
    # inbound section #
    #-----------------#

    $fw add allow tcp from any to any 21,22,25 in recv "${ifout}" setup keep-state limit src-addr 4
    $fw add allow tcp from any 20 to any 1024-49151 in recv "${ifout}" setup keep-state limit src-addr 4

    # kazaa & msn file transfers
    $fw add allow tcp from any to any 1214 in recv "${ifout}" setup keep-state
    $fw add allow tcp from any to any 6891-6900 in recv "${ifout}" setup keep-state

    # irc
    $fw add allow tcp from any to any 6667,6668,7325,10000 in recv "${ifout}" setup keep-state limit src-addr 4

    # fast reset of all auth/ident requests.
    $fw add unreach port tcp from any to any 113 in recv "${ifout}" setup

Tommy Forrest - KE4PYM -  tforrest@shellworld.net
My two cents:
They call it "PMS" because "Mad Cow Disease" was already taken
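An added example, not part of the post above: a small Python audit script for a ruleset of this shape. It parses the `$fw add ...` lines of an sh-based ipfw script (with the interface variables already expanded to xl0/xl1, as a shell would do), reports which TCP/UDP ports the external interface accepts new inbound connections on and with what `limit`, and checks that `check-state` appears before the first `keep-state` rule, since ipfw consults the dynamic ruleset at `check-state` or, failing that, only at the first `keep-state`/`limit` rule it reaches. The RULESET sample is constructed from a subset of the posted rules; the function and class names are my own.

```python
"""Audit helper for a small ipfw(8) sh ruleset (added example, not the
poster's code). Parses `$fw add ...` lines, summarises inbound exposure on
the external interface and checks stateful-rule ordering."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the posted rules with "${ifout}"/"${ifin}"
# expanded to xl0/xl1 the way the shell would expand them.
RULESET = r'''
$fw add divert natd all from any to any via xl0
$fw add allow icmp from any to any
$fw add check-state
$fw add allow all from any to any via xl1 keep-state
$fw add allow udp from any to any 53,123 keep-state
$fw add allow tcp from any to any 21,22,23,25,80,110,123,443,1863,6667 out xmit xl0 setup keep-state
$fw add allow tcp from any to any 21,22,25 in recv xl0 setup keep-state limit src-addr 4
$fw add allow tcp from any 20 to any 1024-49151 in recv xl0 setup keep-state limit src-addr 4
$fw add allow tcp from any to any 1214 in recv xl0 setup keep-state
$fw add unreach port tcp from any to any 113 in recv xl0 setup
'''

PORT_RE = re.compile(r"^\d[\d,-]*$")   # "22", "53,123", "1024-49151"


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sports: list
    dst: str
    dports: list
    direction: Optional[str] = None    # "in", "out" or None
    iface: Optional[str] = None        # interface named by via/recv/xmit
    setup: bool = False
    keep_state: bool = False
    limit: Optional[int] = None        # N from "limit src-addr N"


def expand_ports(spec):
    """'21,22,1024-49151' -> [(21, 21), (22, 22), (1024, 49151)]"""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def parse_rule(line):
    """Parse one '$fw add ...' line; return None for any other line."""
    toks = line.split()
    if toks[:2] != ["$fw", "add"]:
        return None
    toks = toks[2:]
    action = toks.pop(0)
    if action == "check-state":                 # has no body
        return Rule(action, "", "", [], "", [])
    if action in ("unreach", "divert"):         # both take one argument
        action = f"{action} {toks.pop(0)}"
    proto = toks.pop(0)
    i = toks.index("from")
    src, i = toks[i + 1], i + 2
    sports = []
    if i < len(toks) and PORT_RE.match(toks[i]):
        sports, i = expand_ports(toks[i]), i + 1
    if toks[i] != "to":
        raise ValueError(f"expected 'to' in rule: {line}")
    dst, i = toks[i + 1], i + 2
    dports = []
    if i < len(toks) and PORT_RE.match(toks[i]):
        dports, i = expand_ports(toks[i]), i + 1
    rule = Rule(action, proto, src, sports, dst, dports)
    while i < len(toks):                        # trailing options
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t in ("via", "recv", "xmit"):
            i += 1
            rule.iface = toks[i]
        elif t == "setup":
            rule.setup = True
        elif t == "keep-state":
            rule.keep_state = True
        elif t == "limit":                      # "limit src-addr N"
            rule.limit = int(toks[i + 2])
            i += 2
        i += 1
    return rule


def parse_ruleset(text):
    rules = (parse_rule(l) for l in text.splitlines() if l.strip())
    return [r for r in rules if r is not None]


def inbound_exposure(rules, ext_if):
    """(proto, lo, hi, limit) for every allow rule accepting new inbound
    connections on ext_if; no port list means every port."""
    exposed = []
    for r in rules:
        if r.action != "allow" or r.iface != ext_if or r.direction != "in":
            continue
        for lo, hi in (r.dports or [(0, 65535)]):
            exposed.append((r.proto, lo, hi, r.limit))
    return exposed


def state_order_ok(rules):
    """True when check-state precedes the first keep-state rule. ipfw only
    consults the dynamic ruleset at check-state (or, absent one, at the first
    keep-state/limit rule), so rules above that point never see the table."""
    seen_check = False
    for r in rules:
        if r.action == "check-state":
            seen_check = True
        elif r.keep_state and not seen_check:
            return False
    return True


if __name__ == "__main__":
    rs = parse_ruleset(RULESET)
    print("check-state ordering ok:", state_order_ok(rs))
    for proto, lo, hi, lim in inbound_exposure(rs, "xl0"):
        span = f"{lo}" if lo == hi else f"{lo}-{hi}"
        print(f"inbound {proto} {span} limit={lim}")
```

Running it against the sample shows the external interface accepting new TCP connections on 21, 22, 25, 1214 and the 1024-49151 range, the last restricted per source address by `limit src-addr 4`; the udp 53,123 rule is not reported because it names no interface.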