IPFW ip masking and stateful connections
jstarng
jstarng at gmail.com
Thu Aug 4 18:38:42 GMT 2005
Two questions:
1. I'm having some trouble setting up some rules.
I have two networks, one 192.0.0.1-192.0.0.255 and the other
192.168.1.1-192.168.1.255.
I want to prevent anyone from using services (like sharing folders)
from one network to the other.
I tried a line:
$c 00450 deny UDP from 192.0.0.0/16 to 192.168.1.1/16
but I think that's wrong, because when I do an ipfw show it lists it as:
00450 deny udp from 192.0.0.0/16 to 192.168.0.0/16
I guess I'm not really understanding how bit masks work on IP ranges.
What's the correct range I should use?
2. Also, whenever I try to use stateful connections it seems that my
setup keep-state rules are ignored. The packet will be denied even
though it matches one of the "allow" rules...
Additionally, I never see any packet counts on the check-state rule.
Here's my current ruleset:
#!/bin/sh
c="ipfw add"
skip="skipto 60000"
skiplog="skipto 60002"
denylog="skipto 59999"
#Legitimate External IP's
#############################
iDNS="24.95.80.45,24.95.80.41" #shell assignment: no leading $ and no spaces around =
#Legitimate Internal IP's
#############################
iClark="192.0.0.201"
iJoe="192.0.0.36"
iMikeG="192.0.0.200"
iTim="192.0.0.223"
iTroy="192.0.0.231"
iInternet="192.0.0.201,192.0.0.231"
iMe="192.168.1.212"
iMe2="192.0.0.111"
#Flush
#############################
ipfw -f -q flush #flush existing rules
#Divert
#############################
$c 00001 divert natd all from any to any
$c 00002 check-state
#Redirect traffic based on direction
#ed0 is the network with the internet connection
$c 00003 skipto 100 all from any to any in via ed0
$c 00004 skipto 200 all from any to any in via vr0
$c 00005 skipto 398 all from any to any out via ed0
$c 00006 skipto 400 all from any to any out via vr0
#In via lo0 50
#############################
$c 00007 $skip TCP from 127.0.0.1 25 to 127.0.0.1 in via lo0
#In via ed0 100
#############################
$c 00100 $skip UDP from any to 255.255.255.255 in via ed0 #Broadcast
$c 00102 $skip UDP from any 137 to 192.168.1.255 137 in via ed0 #shares
$c 00103 $skip UDP from any 138 to 192.168.1.255 138 in via ed0 #shares
$c 00104 $skip UDP from $iDNS 53 to $iInternet in via ed0 #DNS
$c 00110 $skip TCP from 192.168.1.235 to $iMe 22 in via ed0 #SSH from me
$c 00111 $skip TCP from any to $iInternet in via ed0
$c 00112 $skip TCP from any to $iMe 139 in via ed0
$c 00199 $skiplog all from any to any in via ed0
#In via vr0 200
#############################
$c 00200 $skip all from $iInternet to any in via vr0
$c 00295 $skip UDP from any to 255.255.255.255 60001 in via vr0 #Broadcast
$c 00296 $skip TCP from any to $iMe2 139 in via vr0
$c 00297 $skip UDP from any 137 to 192.0.0.255 137 in via vr0
$c 00298 $skip UDP from any 138 to 192.0.0.255 138 in via vr0
$c 00299 $skiplog all from any to any in via vr0
#out via ed0 300
#############################
$c 00398 $skip all from $iMe to any out via ed0
$c 00399 $skiplog all from any to any out via ed0
#out via vr0 400
#############################
$c 00400 $skip all from any to $iInternet out via vr0
$c 00498 $skip TCP from $iMe2 139 to any out via vr0
$c 00499 $skiplog all from any to any out via vr0
#Deny and log
$c 59999 deny log logamount 1000 all from any to any
$c 60000 allow TCP from any to any setup keep-state
$c 60001 allow UDP from any to any keep-state
$c 60002 allow log logamount 1000 TCP from any to any setup keep-state
$c 60003 allow log logamount 1000 UDP from any to any keep-state
$c 60004 deny log logamount 1000 all from any to any
ipfw zero
#eof
Any help would be appreciated.
More information about the freebsd-ipfw mailing list
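On the first question, the point to see is that ipfw stores only the network part of an addr/len spec: with /16 the low 16 bits of 192.168.1.1 are host bits and get zeroed, so the rule is displayed as 192.168.0.0/16. That rule still matches the two LANs, but it also matches 65k other addresses; the mask that exactly fits 192.0.0.1-192.0.0.255 (and likewise 192.168.1.1-192.168.1.255) is /24. The script below is an added worked example, not from the original post or from FreeBSD; it uses only Python's standard ipaddress module and constructs its own sample addresses to show how the mask decides what a rule covers and which prefix length fits a given range.

```python
import ipaddress


def ipfw_normalized(spec):
    """Return the network ipfw will actually store for an addr/len spec.

    ipfw zeroes the host bits, which is why 192.168.1.1/16 shows up in
    'ipfw show' as 192.168.0.0/16.
    """
    return str(ipaddress.ip_network(spec, strict=False))


def covers(spec, addr):
    """True if a rule written with this addr/len spec would match addr."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def smallest_covering_prefix(first, last):
    """Return the single CIDR block with the longest prefix (tightest mask)
    that still contains every address from first to last inclusive.

    Walks from /32 down towards /0 and stops at the first network, built
    from 'first', that also contains 'last'.
    """
    last_ip = ipaddress.ip_address(last)
    for prefixlen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)
        if last_ip in net:
            return str(net)
    raise ValueError("no covering prefix")  # unreachable for valid IPv4 input


def deny_between(range_a, range_b, proto="udp"):
    """Build an ipfw rule body that blocks proto from range_a to range_b,
    using the tightest mask for each range. Ranges are (first, last) tuples.
    """
    net_a = smallest_covering_prefix(*range_a)
    net_b = smallest_covering_prefix(*range_b)
    return f"deny {proto} from {net_a} to {net_b}"


if __name__ == "__main__":
    # The poster's attempt: ipfw silently widens 192.168.1.1/16.
    print(ipfw_normalized("192.168.1.1/16"))          # 192.168.0.0/16

    # Both /16 specs still match the intended hosts ...
    print(covers("192.0.0.0/16", "192.0.0.201"))      # True
    print(covers("192.168.1.1/16", "192.168.1.212"))  # True
    # ... but also a constructed address that is on neither LAN.
    print(covers("192.168.1.1/16", "192.168.200.5"))  # True, over-broad

    # The tightest mask for each stated range is /24.
    print(smallest_covering_prefix("192.0.0.1", "192.0.0.255"))      # 192.0.0.0/24
    print(smallest_covering_prefix("192.168.1.1", "192.168.1.255"))  # 192.168.1.0/24

    # Rule body to put after the $c 00450 prefix.
    print(deny_between(("192.0.0.1", "192.0.0.255"),
                       ("192.168.1.1", "192.168.1.255")))
```

The rule body deny_between() produces only blocks one direction; file sharing uses both UDP (137/138) and TCP (139/445), and traffic from the second network to the first needs its own rule, so the same helper is run once per direction and per protocol.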