IPFW problem
Dennis Olvany
dennisolvany at gmail.com
Sun Mar 12 18:28:54 UTC 2006
You need to reconsider the entire ruleset. Begin with a structured
ruleset such as the following and build from there. Use a discrete
ruleset for the router host.
check-state
allow ip from me to any keep-state
deny ip from me to any
allow icmp from any to me icmptypes 3,4,8,11 keep-state
deny ip from any to me
allow ip from 192.168.1.0/24 to any keep-state
deny ip from 192.168.1.0/24 to any
allow icmp from any to 192.168.1.0/24 icmptypes 3,4,8,11 keep-state
deny ip from any to 192.168.1.0/24
[default deny]
1.  /etc/rc.conf
2.
3.  defaultrouter="192.168.0.1"
4.  gateway_enable="YES"
5.  hostname="gateway.myatt.co.za"
6.  ifconfig_rl0="inet 192.168.0.2 netmask 255.255.255.0"
7.  ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
8.  linux_enable="YES"
9.  moused_enable="YES"
10. sshd_enable="YES"
11. usbd_enable="YES"
12. firewall_enable="YES"
13. #firewall_type="OPEN"
14. firewall_script="/etc/ipfw.rules"
15. firewall_quiet="NO"
16. firewall_logging="NO"                    <-- RULESET HAS LOGGING RULES
17. natd_program="/sbin/natd"                <-- RULESET HAS NO DIVERT RULE
18. natd_enable="YES"
19. natd_interface="rl0"
20. natd_flags="-f /etc/natd.conf"
21. sendmail_submit_enable="NO"
22. sendmail_outbound_enable="NO"
23. sendmail_msp_queue_enable="NO"
24.
25. /etc/natd.conf
26.
27. interface rl0
28. use_sockets yes
29. same_ports yes
30. log
31.
32. /etc/ipfw.rules
33.
34. ipfw -q -f flush
35. cmd="ipfw -q add"
36. pif="rl0"
37. $cmd 00005 allow all from any to any via rl1    <-- BAD
38. $cmd 00010 allow all from any to any via lo0
39. $cmd 00015 check-state
40. $cmd 00110 allow tcp from any to 196.2.48.227 53 out via $pif setup keep-state    <-- CAT IPs... SHOULD BE UDP, EH.
41. $cmd 00111 allow tcp from any to 196.2.43.140 53 out via $pif keep-state
42. $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state    <-- CAT PORT NUMBERS
43. $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
44. $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
45. $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
46. $cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
47. $cmd 00250 allow icmp from any to any out via $pif keep-state
48. $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
49. $cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
50. $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
51. $cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
52. $cmd 00299 deny log all from any to any out via $pif
53. $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif    <-- 53-61 USELESS
54. $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
55. $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
56. $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif
57. $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif
58. $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
59. $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif
60. $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif
61. $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif
62. $cmd 00310 deny icmp from any to any in via $pif
63. $cmd 00315 deny tcp from any to any 113 in via $pif
64. $cmd 00320 deny tcp from any to any 137 in via $pif
65. $cmd 00321 deny tcp from any to any 138 in via $pif
66. $cmd 00322 deny tcp from any to any 139 in via $pif
67. $cmd 00323 deny tcp from any to any 81 in via $pif
68. $cmd 00330 deny all from any to any frag in via $pif
69. $cmd 00332 deny tcp from any to any established in via $pif
70. $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
71. $cmd 00499 deny log all from any to any in via $pif
72. $cmd 00999 deny log all from any to any
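As an added example (not from this thread or the poster's files), a small shell lint that checks an rc.conf / ipfw.rules pair for the three mismatches the reply flags: natd enabled with no divert rule, log rules while firewall_logging is off, and port 53 allowed over TCP only. The file names, function names and the sample excerpts are constructed for this example.

```shell
#!/bin/sh
# Constructed lint for an rc.conf / ipfw.rules pair: it checks the three
# mismatches raised in the reply above. File names, function names and the
# sample excerpts are assumptions of this example, not the poster's files.

lint_ipfw() {
    # $1: rc.conf, $2: ipfw rules script. Prints one line per finding.
    # natd is started from rc.conf, but no rule ever diverts packets to it.
    if grep -q '^natd_enable="YES"' "$1" && ! grep -q 'divert' "$2"; then
        echo "natd_enable=YES but the ruleset has no divert rule"
    fi
    # With firewall_logging="NO" rc.d never sets net.inet.ip.fw.verbose,
    # so the 'deny log' rules produce no syslog output.
    if grep -q '^firewall_logging="NO"' "$1" && grep -q ' log ' "$2"; then
        echo "ruleset has log rules but firewall_logging=NO"
    fi
    # Port 53 allowed for tcp only: ordinary resolver queries use udp 53.
    if grep -Eq 'allow tcp .* 53( |$)' "$2" \
       && ! grep -Eq 'allow udp .* 53( |$)' "$2"; then
        echo "port 53 allowed for tcp only; DNS needs udp 53 as well"
    fi
}

sample_dir() {
    # Write constructed excerpts of the quoted configuration; print the dir.
    d=$(mktemp -d)
    cat > "$d/rc.conf" <<'EOF'
firewall_logging="NO"
natd_enable="YES"
natd_interface="rl0"
EOF
    cat > "$d/ipfw.rules" <<'EOF'
$cmd 00015 check-state
$cmd 00110 allow tcp from any to 196.2.48.227 53 out via $pif setup keep-state
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00299 deny log all from any to any out via $pif
$cmd 00999 deny log all from any to any
EOF
    echo "$d"
}

finding_count() {
    # Number of findings for the rc.conf/ipfw.rules pair in directory $1.
    lint_ipfw "$1/rc.conf" "$1/ipfw.rules" | wc -l | tr -d ' '
}

dir=$(sample_dir)
lint_ipfw "$dir/rc.conf" "$dir/ipfw.rules"
rm -rf "$dir"
```

Run it against the real /etc/rc.conf and firewall script on the router host to see which of the three findings still apply after editing.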