ipfw rules problem

lysergius2001 lysergius2001 at gmail.com
Sat May 24 21:35:58 UTC 2008


Hi

I am having a problem with my rule set.  For some reason the who accesses
from my local host, router and other machines on my local net are being
rejected.  I have tried opening port 513, but somehow the rule set does
not see this.

Any ideas?

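#!/bin/sh
#-----------------------------------------------------------------------#
#                                                                       #
#         IPFW Firewall Rules (ipfw.rules_180508)                       #
#                                                                       #
# Purpose : flush the running ipfw rule set and reload it.  ipfw        #
#           evaluates rules in ascending number order and stops at the  #
#           first match, so the order of the $cmd lines below IS the    #
#           policy.                                                     #
# Usage   : run as root.  The "#!/bin/sh" line must stay on line 1;     #
#           anywhere else it is only a comment and the file is not      #
#           handed to /bin/sh when executed directly.                   #
#-----------------------------------------------------------------------#

# Stop early if ipfw is not on PATH instead of failing on every $cmd line
# below (each would print "not found" and the script would keep going).
command -v ipfw >/dev/null 2>&1 || {
  echo "ipfw not found in PATH" >&2
  exit 1
}

#-----------------------------------------------------------------------#
# Flush out the list before we begin.                                   #
#-----------------------------------------------------------------------#

ipfw -q -f flush

#-----------------------------------------------------------------------#
# Reset logging                                                         #
#-----------------------------------------------------------------------#

ipfw -q resetlog

#-----------------------------------------------------------------------#
# Set rules command prefix                                              #
# $cmd is expanded UNQUOTED on purpose: it has to word-split into the    #
# command name and its two options.                                     #
#-----------------------------------------------------------------------#

cmd="ipfw -q add"

#-----------------------------------------------------------------------#
# Interface names                                                       #
#-----------------------------------------------------------------------#

pif="ath0"   # public interface: NIC facing the Internet (router 192.168.2.1)
iif="nve0"   # internal interface: NIC facing the private LAN (10.0.0.0/8)
lif="lo0"    # loopback

#-----------------------------------------------------------------------#
#                            DYNAMIC RULES                              #
#-----------------------------------------------------------------------#

# Consult the dynamic (keep-state) table before any static rule.
$cmd 0010 check-state

#-----------------------------------------------------------------------#
# LOOPBACK INTERFACE 127.0.0.1 (lo0) "$lif"                             #
#                                                                       #
# Purpose : allow Loopback and Deny Loopback Spoofing                   #
#                                                                       #
# NOTE(review): every rule in this section requires the SOURCE address  #
# to be 127.0.0.1.  A local connection made to this host's own LAN      #
# address arrives on lo0 with that LAN address as source, matches none  #
# of these rules, and falls through to the interface-agnostic           #
# "deny log ... from any to me in" rules at 01580+.  If local (lo0)     #
# traffic shows up in the firewall log as denied, this is presumably    #
# why; confirm with `ipfw show`.                                        #
#-----------------------------------------------------------------------#

#---------------#
#    INBOUND    #
#---------------#

$cmd 0020 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0030 allow all from me to 127.0.0.1 out via "$lif"

$cmd 0040 allow tcp from 127.0.0.1 to 127.0.0.1 111 keep-state   # Allow RPC from Loopback
$cmd 0050 allow tcp from 127.0.0.1 to 127.0.0.1 113 keep-state   # Allow Identd from loopback

#---------------#
#   OUTBOUND    #
#---------------#

# 0060/0070 repeat 0020/0030 word for word, so they can never match a
# packet the earlier pair did not.  Kept so rule numbers stay stable.
$cmd 0060 allow all from 127.0.0.1 to me in via "$lif"
$cmd 0070 allow all from me to 127.0.0.1 out via "$lif"


#-----------------------------------------------------------------------#
# INTERNAL NETWORK 10.0.0.4 (nve0) "$iif"                               #
#                                                                       #
# Object : No restrictions on LAN Interface                             #
#-----------------------------------------------------------------------#

#---------------#
#    INBOUND    #
#---------------#

# Only traffic addressed to one of this host's own addresses ("me") is
# passed; LAN traffic to any other destination (broadcasts included,
# unless ipfw counts the broadcast address as "me") continues on to the
# deny rules further down.
$cmd 0100 allow all from 10.0.0.0/8 to me in via $iif
# 192.168.2.1 is the router's address on the public side (see the
# EXTERNAL NETWORK header); seen as a source on the LAN NIC it is spoofed.
$cmd 0200 deny all from 192.168.2.1 to any in via $iif

#---------------#
#   OUTBOUND    #
#---------------#

$cmd 0300 allow all from me to 10.0.0.0/8 out via $iif


#-----------------------------------------------------------------------#
# EXTERNAL NETWORK 192.168.2.1 (ath0) "$pif"                            #
#                                                                       #
# Object : admit selected services, drop bogon/spoofed sources, deny    #
#          the rest                                                     #
#-----------------------------------------------------------------------#

#---------------#
#    INBOUND    #
#---------------#

# Stateless ACK-flag pass.  It has no "via", so it applies on every
# interface, and it sits before every deny below: any TCP segment with
# the ACK bit set is accepted here whatever its source.  As a
# consequence rule 01360 can never fire (see there).  Left as written;
# scoping it to an interface or moving it after 01360 is a policy change.
$cmd 01000 allow tcp from any to me established

$cmd 01010 allow tcp from any to me 21 in via $pif                    # FTP
$cmd 01020 allow tcp from any to me 22 in via $pif setup keep-state   # SSH
# SMTP is TCP and "setup" is a TCP-flag match; the original said "udp".
$cmd 01030 allow tcp from any to me 25 in via $pif setup keep-state   # SMTP
# Original read "via $ pif"; the shell passes a lone "$" through
# literally, so ipfw received "$ pif" instead of the interface name.
$cmd 01040 allow tcp from any to me 53 in via $pif setup keep-state   # DNS
$cmd 01050 allow udp from any to me 53 in via $pif keep-state         # DNS
$cmd 01060 allow tcp from any to me 80 in via $pif setup keep-state   # HTTP/WWW
$cmd 01070 allow tcp from any to me 110 in via $pif setup keep-state  # POP3
$cmd 01080 allow udp from any to me 161 in via $pif keep-state        # SNMP
$cmd 01090 allow udp from any to me 27015 in via $pif keep-state      # Unassigned

# Deny all IPv6.  The original comment said IPv6 was passed through to
# the separate rc.firewall6 rules, but the rule itself is a deny; the
# comment now matches the rule.  Change the action to "allow" if
# rc.firewall6 is meant to handle IPv6.
$cmd 01100 deny ipv6 from any to any


# Bogon / spoofed-source filtering on the public interface.
$cmd 01110 deny all from 0.0.0.0/8 to me in via $pif          # loopback
$cmd 01120 deny all from any to 0.0.0.0/8 in via $pif
$cmd 01130 deny all from any to 127.0.0.1/8 in via $pif
$cmd 01140 deny all from 127.0.0.0/8 to me in via $pif        # loopback
$cmd 01150 deny all from any to 10.0.0.0/8 in via $pif
$cmd 01160 deny all from 10.0.0.4 to any in via $pif
$cmd 01170 deny all from 10.0.0.0/8 to me in via $pif         # RFC 1918 private IP

$cmd 01180 deny all from any to 172.16.0.0/12 in via $pif
$cmd 01190 deny all from 172.16.0.0/12 to me in via $pif      # RFC 1918 private IP

$cmd 01200 deny all from any to 169.254.0.0/16 in via $pif
# NOTE(review): 192.168.0.0/16 contains the router address 192.168.2.1
# named in this section's header, so traffic the router itself
# originates towards this host on $pif (anything without a matching
# keep-state entry) is denied here.  Likely relevant if router-sourced
# packets are being logged as denied.
$cmd 01210 deny all from 192.168.0.0/16 to me in via $pif     # RFC 1918 private IP

$cmd 01220 deny all from any to 224.0.0.0/4 in via $pif
$cmd 01230 deny all from any to 240.0.0.0/4 in via $pif

$cmd 01240 deny all from 169.254.0.0/16 to me in via $pif     # DHCP auto-config
$cmd 01250 deny all from 192.0.2.0/24 to me in via $pif       # reserved for docs
$cmd 01260 deny all from any to 192.0.2.0/24 in via $pif

$cmd 01270 deny all from 204.152.64.0/23 to me in via $pif    # Sun cluster interconnect
$cmd 01280 deny all from 224.0.0.0/3 to me in via $pif        # Class D & E multicast


$cmd 01290 deny icmp from any to me in via $pif               # Deny public pings

$cmd 01300 deny tcp from any to me 113 in via $pif            # Deny ident
$cmd 01310 deny tcp from any to me 137 in via $pif            # Netbios service=name
$cmd 01320 deny tcp from any to me 138 in via $pif            # Netbios service=datagram
$cmd 01330 deny tcp from any to me 139 in via $pif            # Netbios service=session
$cmd 01340 deny tcp from any to me 81 in via $pif             # Unassigned
$cmd 01350 deny all from any to me frag in via $pif           # Deny any late arriving packets
# Unreachable as ordered: every segment with ACK set was already
# accepted by 01000 above.
$cmd 01360 deny tcp from any to me established in via $pif


#---------------#
#   OUTBOUND    #
#---------------#

$cmd 01370 deny all from 0.0.0.0/8 to any out via $pif
$cmd 01380 deny log all from 127.0.0.1/8 to any out via $pif
$cmd 01390 deny log all from 10.0.0.0/8 to any out via $pif
$cmd 01400 deny tcp from any to me 25 out via $pif setup keep-state
$cmd 01419 deny tcp from any to me 110 out via $pif setup keep-state

# 01420 already passes everything sourced from "me" out via $pif, so the
# per-service "from me ... out via $pif" rules 01470-01570 are shadowed
# by it and serve only as documentation of what is intended to leave.
$cmd 01420 allow all from me to any out via $pif keep-state
$cmd 01430 allow icmp from me to any out via $pif
# NOTE(review): 01440/01450 carry no "to" clause and use the router's
# address as source; check against ipfw(8) that the running version
# accepts the form, and that "me" was not intended.
$cmd 01440 allow tcp from 192.168.2.1 53 out via $pif setup keep-state      # DNS
$cmd 01450 allow udp from 192.168.2.1 53 out via $pif keep-state            # DNS
$cmd 01460 allow udp from any 68 to 192.168.2.1 67 out via $pif keep-state  # Bootstrap Protocol Server
$cmd 01470 allow tcp from me to any 21 out via $pif                         # FTP
$cmd 01480 allow udp from me to any 53 out via $pif keep-state              # DNS
$cmd 01490 allow udp from me to any 53 out keep-state                       # DNS, any interface
$cmd 01500 allow tcp from me to any 80 out via $pif setup keep-state        # Allow out non-secure standard www function
$cmd 01510 allow tcp from any to any 443 out via $pif setup keep-state      # Allow out secure www function https over TLS SSL
$cmd 01520 allow tcp from me to any out via $pif setup keep-state uid root  # Allow out FBSD (make install & CVSUP) functions
$cmd 01530 allow icmp from me to any out via $pif keep-state                # Allow out ping
$cmd 01540 allow tcp from me to any 37 out via $pif setup keep-state        # Allow out Time
$cmd 01550 allow tcp from me to any 119 out via $pif setup keep-state       # Allow out nntp news (i.e. news groups 119)
$cmd 01560 allow tcp from me to any 22 out via $pif setup keep-state        # Allow out secure FTP, Telnet, and SCP
$cmd 01570 allow tcp from me to any 43 out via $pif setup keep-state        # Allow out whois

# Interface-agnostic catch-alls: no "via", so they also terminate (and
# log) loopback and LAN traffic that nothing above allowed.
# NOTE(review): no rule in this file mentions port 513; anything for it,
# on any interface, ends up denied and logged here.  An explicit allow
# has to be numbered below 01580 and name the interface, protocol and
# direction it is expected on.
$cmd 01580 deny log udp from any to me in
$cmd 01590 deny log udp from any to me out
$cmd 01600 deny log udp from me to any in
$cmd 01610 deny log udp from me to any out

$cmd 01620 deny log ip from any to me in
$cmd 01630 deny log ip from any to me out
$cmd 01640 deny log ip from me to any in
$cmd 01650 deny log ip from me to any out



#-------------------------------------------------------------------------------#
# Everything else is denied by default                                          #
# deny and log all packets that fell through to see what they are               #
#-------------------------------------------------------------------------------#

$cmd 02000 deny log all from any to any

#-------------------------# End of IPFW rules file
#----------------------------#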


-- 
Lysergius says "Stay light and trust gravity"

