ipfw firewall help
Daemon
daemon at foxchat.net
Sun Oct 23 17:01:59 PDT 2005
W. D. wrote:
> At 09:36 10/21/2005, Daemon, wrote:
>
>>Great! Thanks. One possibly stupid question. What is the "Deny
>>Spoof"? Is that like:
>># Stop spoofing of your internal network range
>># ${fwcmd} add deny ip from ${iif} to any in via ${oif}
>># Stop spoofing from inside your private ip range
>># ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> Hey Daemon,
>
> Your rules snippet looks great! I really like the way you
> have commented the lines. When you have debugged your
> firewall, would you please post the entire set here? That way,
> newbies can understand better how the firewall works. I
> haven't seen too many examples like this.
>
> Thanks!
>
Sorry, I had to go out of town on Friday and just got back. This is
what I have so far, however I can't seem to figure out the correct
syntax for my rule #20000 for the rule Graham posted before.
His rule was:
5000 nat all from any to any out via $oif
Once I figure out the correct syntax, I'll be able to incorporate the
rule set that Graham provided with some modifications. Right now it
doesn't work correctly. Other than rule #20000, if there are any other
rules that aren't correct or can be more streamlined, I'd welcome and
appreciate any input/advice. By the way, thanks again Graham for the help.
############
nip="24.172.X.XX/30" # ${nip}
oip="24.172.X.XX" # ${oip} Static IP
oif="re0" # ${oif} Public interface name of nic
# card facing the public Internet
iif="re1" # ${iif} Internal nic.
iip="172.16.140.0/24" # ${iip} Internal Subnet.
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
# Set up loopback (not sure if these are in the
# correct place).
${fwcmd} add 10 pass all from any to any via lo0
${fwcmd} add 20 deny all from any to 127.0.0.0/8
${fwcmd} add 30 deny all from 127.0.0.0/8 to any
#-------------------------------------------------------------
# Stop spoofing of your internal network range and
# spoofing from inside your private ip range.
${fwcmd} add 40 deny ip from any to any not antispoof in
#-------------------------------------------------------------
# Natd rules. See Rule 300
${fwcmd} add 50 allow all from any to any via ${iif}
${fwcmd} add 60 divert natd all from any to any in via ${oif}
#-------------------------------------------------------------
# Traffic Shaping for the internal network.
${fwcmd} add 70 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
${fwcmd} add 80 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
${fwcmd} add 90 allow all from any to me in via ${oif}
#-------------------------------------------------------------
# Allow internal network in/out via the outside nic.
${fwcmd} add 100 allow all from any to ${iip} in via ${oif}
${fwcmd} add 200 allow all from me to any out via ${oif}
#-------------------------------------------------------------
# See Rule 20000
${fwcmd} add 300 skipto 20000 all from ${iip} to any out via ${oif}
#-------------------------------------------------------------
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${fwcmd} add 400 deny { tcp or udp } from any to any 137,138,139,445,1080
${fwcmd} add 500 deny { tcp or udp } from any to any 1243,6776,8998,12345,31337
${fwcmd} add 600 deny icmp from any to me in icmptype 5,9,13,14,15,16,17
${fwcmd} add 700 deny icmp from any to any iplen 92
#-------------------------------------------------------------
# Block malicious connects to ssh, ftp, mail(pop/smtp/imap), and identd.
${fwcmd} add 800 deny all from "table(2,0)" to me 20-25,110,113,143
${fwcmd} add 900 deny all from "table(3,0)" to me 20-25,110,113,143
# Block malicious connects to web server ports.
${fwcmd} add 1000 deny all from "table(4,0)" to me 80,443
#-------------------------------------------------------------
# Deny any late arriving packets
${fwcmd} add 2000 deny all from any to any frag in via ${oif}
#-------------------------------------------------------------
# 5000 nat all from any to any out via $oif
# ^^^ Rule provided by Graham.
${fwcmd} add 20000 divert natd ip from any to any out via $oif
${fwcmd} add 65000 allow all from any to any out
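Added example (editor's, not code from the thread): a small first-match walker over a subset of the ruleset above (rules 10, 40-100, 200, 300, 20000, 65000; the port/ICMP/table rules are left out) that traces which rules an outbound packet from ${iip} visits. It models the net.inet.ip.fw.one_pass sysctl, which by default ends rule processing after a dummynet pipe action, so a packet matched by rule 70 never reaches the skipto at 300 or the natd divert at 20000. The public address is a constructed placeholder for ${oip}; antispoof is modelled as a per-packet flag.

```python
import ipaddress

# Constructed model of the posted ruleset (not the author's script).
IIP = ipaddress.ip_network("172.16.140.0/24")  # ${iip}
OIF, IIF = "re0", "re1"                          # ${oif}, ${iif}
ME = {"192.0.2.1"}                               # placeholder for ${oip}

def in_iip(ip):
    return ipaddress.ip_address(ip) in IIP

def out_oif(p):
    return p["dir"] == "out" and p["iface"] == OIF

def in_oif(p):
    return p["dir"] == "in" and p["iface"] == OIF

# (rule number, action, argument, predicate) in the posted order
RULES = [
    (10, "allow", None, lambda p: p["iface"] == "lo0"),
    (40, "deny", None, lambda p: p["dir"] == "in" and p.get("spoofed", False)),
    (50, "allow", None, lambda p: p["iface"] == IIF),
    (60, "divert", "natd", in_oif),
    (70, "pipe", 1, lambda p: out_oif(p) and in_iip(p["src"])),
    (80, "pipe", 2, lambda p: in_oif(p) and in_iip(p["dst"])),
    (90, "allow", None, lambda p: in_oif(p) and p["dst"] in ME),
    (100, "allow", None, lambda p: in_oif(p) and in_iip(p["dst"])),
    (200, "allow", None, lambda p: out_oif(p) and p["src"] in ME),
    (300, "skipto", 20000, lambda p: out_oif(p) and in_iip(p["src"])),
    (20000, "divert", "natd", out_oif),
    (65000, "allow", None, lambda p: p["dir"] == "out"),
    (65535, "deny", None, lambda p: True),   # implicit default rule
]

def trace(pkt, one_pass=True):
    """Return (rule numbers that matched, final disposition)."""
    visited, i = [], 0
    while i < len(RULES):
        num, action, arg, match = RULES[i]
        if not match(pkt):
            i += 1
            continue
        visited.append(num)
        if action in ("allow", "deny"):
            return visited, action
        if action == "skipto":            # jump to first rule >= arg
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
            continue
        if action == "pipe" and one_pass:  # dummynet accepts the packet
            return visited, "accept-after-pipe"
        i += 1  # divert: natd reinjects at the next rule (translation not modelled)
    return visited, "deny"
```

Run trace() on a packet from an internal host going out via re0 with one_pass=True and then with one_pass=False to see the difference in which rules are reached.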