4.8 Firewall timing out
Tommy Forrest - KE4PYM
tforrest at shellworld.net
Thu Apr 24 15:47:56 PDT 2003
Hi all. Still having some issues with IPFW in 4.8.
My main problem right now is the firewall times out ALL activity within
1-3 minutes of establishing a connection. I'm pretty happy with the
rule base. I've got the connectivity I need. I just need that
connectivity to stay alive. All stay-alive problems disappear with an
ipfw add allow all from any to any. So I know it's not the network
that's the problem.
IPDIVERT, IPFIREWALL, IPFIREWALL_VERBOSE, and
IPFIREWALL_VERBOSE_LIMIT=100 are built in the kernel with default to
deny.
I'd been working with someone off the list who'd helped me quite a lot
with these rules. But I guess they got too busy before they could
finish helping me (which I can appreciate).
Rulebase follows.
#!/bin/sh
fw="/sbin/ipfw"
ifout='xl0'
ifin='xl1'
$fw -q -f flush
$fw add divert natd all from any to any via "${ifout}"
# loopback traffic
$fw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
$fw add deny all from any to 127.0.0.0/8
$fw add deny ip from 127.0.0.0/8 to any
# pass icmp or evil things can happen
$fw add allow icmp from any to any
# stateful rules follow
$fw add check-state
# inside interface isn't limited in any way
$fw add allow all from any to any via "${ifin}" keep-state
#------------------#
# outbound section #
#------------------#
# You might want to allow *any* sort of dns/ntp traffic, but the following
# seems to work fine if you increase net.inet.ip.fw.dyn_udp_lifetime a
# bit. Its default is too short for some slow links (like my dialup).
$fw add allow udp from any to any 53,123 keep-state
# Allow outgoing connections: ftp, ssh, telnet, mail, web, ntp and msn-chat.
$fw add allow tcp from any to any 21,22,23,25,80,110,123,443,1863,6667 out xmit "${ifout}" setup keep-state
# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 out xmit "${ifout}" setup keep-state limit src-addr 4
#-----------------#
# inbound section #
#-----------------#
$fw add allow tcp from any to any 21,22,25 in recv "${ifout}" setup keep-state limit src-addr 4
$fw add allow tcp from any 20 to any 1024-49151 in recv "${ifout}" setup keep-state limit src-addr 4
# kazaa & msn file transfers
$fw add allow tcp from any to any 1214 in recv "${ifout}" setup keep-state
$fw add allow tcp from any to any 6891-6900 in recv "${ifout}" setup keep-state
# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 in recv "${ifout}" setup keep-state limit src-addr 4
# fast reset of all auth/ident requests.
$fw add unreach port tcp from any to any 113 in recv "${ifout}" setup
Tommy Forrest - KE4PYM - tforrest at shellworld.net
My two cents:
They call it "PMS" because "Mad Cow Disease" was already taken
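A troubleshooting aid for the dynamic-rule lifetimes the post mentions, added here as an example (it is not part of the original post and not FreeBSD's own code): a POSIX sh filter that reads the output of "sysctl net.inet.ip.fw" and flags every net.inet.ip.fw.dyn_*_lifetime value below a chosen floor, since those sysctls decide how long keep-state entries survive between packets. The sysctl names are real; the values in SAMPLE are constructed, so check the live ones on the box.

```shell
#!/bin/sh
# Added example, not from the original post. On a FreeBSD host feed live data:
#   sysctl net.inet.ip.fw | sh dynlife.sh
# Here a constructed dump stands in for the live output so it runs anywhere.
SAMPLE='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_count: 12
net.inet.ip.fw.dyn_max: 1000'

# check_lifetimes FLOOR: reads "name: value" sysctl lines on stdin, keeps only
# the dyn_*_lifetime entries and prints one line each, tagged LOW when the
# lifetime (seconds) is below FLOOR and ok otherwise. Non-lifetime sysctls
# such as dyn_count and dyn_max are skipped.
check_lifetimes() {
  floor=$1
  while IFS=': ' read -r name value; do
    case "$name" in
      net.inet.ip.fw.dyn_*_lifetime) ;;
      *) continue ;;
    esac
    # ${name##*.} drops the "net.inet.ip.fw." prefix for readability.
    if [ "$value" -lt "$floor" ]; then
      printf 'LOW %s=%s (< %ss)\n' "${name##*.}" "$value" "$floor"
    else
      printf 'ok  %s=%s\n' "${name##*.}" "$value"
    fi
  done
}

# count_low FLOOR: number of lifetimes in SAMPLE below FLOOR (prints 0 if none).
count_low() {
  printf '%s\n' "$SAMPLE" | check_lifetimes "$1" | grep -c '^LOW' || true
}

# A 30-second floor is an arbitrary starting point for a slow link; the
# report shows which timers would drop idle state before that.
printf '%s\n' "$SAMPLE" | check_lifetimes 30
echo "$(count_low 30) lifetime(s) below 30 s"
```

Raise a flagged value with "sysctl net.inet.ip.fw.dyn_udp_lifetime=NEW" (or the matching dyn_*_lifetime name) and re-run to confirm it now reports ok.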