On Wed, Nov 18, 1998 at 06:14:57AM -0600, Anthony Landreneau wrote:
> Greetings,
> Looking for a little help with ipfwadm. Got a good machine running 2.0,
> two nics and the system is passing traffic wonderfully. Now I would like
> to put in packet filtering. IPFW sounds as though it will fit the bill.
Right.
> The HOWTO regarding IPFW suggests a script, which I have written and is
> below. The problem, when I execute the script nothing comes in, nothing
> goes out, the perfect firewall. The bad news is I need some traffic to
> pass. The network behind the firewall is a subnet of a class B network with
> 255 addresses. If you have any insight on why I might be running into
> trouble, or if you have suggestions, I would love to hear from you.
>
> #!/bin/sh
> # Setup IP packet Accounting and Forwarding
> #
> #
> # By Default DENY ALL services first
> ipfwadm -F -p deny
This sounds okay :)
> #
> # Flush all Commands
> ipfwadm -F -f
> ipfwadm -I -f
> ipfwadm -O -f
> #
> # Allow email to NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13
Okay, time to explain :)
-F: Forward firewall
-a accept: Add rule to ACCEPT matching packets
-b: Bidirectional
Means that the reverse path is also allowed. This way your machine can
answer to such a connection. Otherwise this would be pretty useless...
-P tcp: Protocol TCP
-S Source address
0.0.0.0/0 match every ip
1024:65535 match every port >=1024 (non-privileged ports - why?)
-D Destination address
111.229.13.13 matches this ip only
This should work. But it allows non-email-traffic also...
I would suggest the following:
ipfwadm -F -a accept -b -P tcp -S 0/0 -D 111.229.13.13 smtp
BTW: You can use symbolic names which makes this a lot more readable. Example:
ipfwadm -F -a accept -b -P tcp -S 0/0 -D mailhost smtp
> # Allow email to NS1 Relay host
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.2
accordingly
> # Allow email to outside mail severs from NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.13 25 -D 0.0.0.0/0 1024:65535
This will not work because it allows only destination ports from 1024-65535.
SMTP uses service 25.
ipfwadm -F -a accept -b -P tcp -S nctams01 -D 0/0 smtp
> # Allow email to ouside mail servers from NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 25 -D 0.0.0.0/0 1024:65535
Analogous.
> # Allow DNS traffic to NS1
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 111.229.13.2
You mixed up source and destination port.
ipfwadm -F -a accept -b -P udp -S 0/0 -D ns1 domain
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 111.229.13.2
ipfwadm -F -a accept -b -P tcp -S 0/0 -D ns1 domain
(Who will use DNS over TCP??)
> ipfwadm -F -a accept -b -P tcp -S 111.229.232.0/24 82 -D 111.229.13.2
What service is this?
> # Allow Web connections to outside Web Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 www
> # Allow FTP connection to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 20 -D 0.0.0.0/0 1024:65535
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 21 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 ftp
ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 ftp-data
> # Allow Telnet connections to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 23 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 telnet
> # Allow NTP time to NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 123 -D 0.0.0.0/0 1024:65535
Not sure here! I do not know ntp...
Your setup will not deny all packets, but it will not forward the packets you
want it to.
cu
Torsten
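The following is an added example, not part of Anthony's script or Torsten's reply: a toy evaluator for ipfwadm-style forwarding rules, run over a few constructed packets, to show concretely why the port placement in the original rules blocks the traffic the thread is about and why the corrected forms pass it. Everything about the evaluator is assumed for illustration rather than taken from ipfwadm itself: the simplified grammar (`-P proto -S addr[/mask] [ports...] -D addr[/mask] [ports...] [-b]`), the `HOSTS` table standing in for /etc/hosts, first-match-wins with a deny policy, and the outside addresses (documentation ranges) and ports in `PACKETS`. The hosts and rule texts themselves are the ones quoted above.

```python
"""Toy ipfwadm-style rule evaluator (added example; not real ipfwadm).

Assumed grammar: "-F -a accept [-b] -P proto -S addr [ports...] -D addr [ports...]".
A port token is a number, a "lo:hi" range or a name from SERVICES; an address
is dotted quad, "0/0", or an alias from HOSTS (our stand-in for /etc/hosts).
First matching rule wins; otherwise the chain policy (deny) applies.
"""
import ipaddress

SERVICES = {"smtp": 25, "domain": 53, "www": 80, "ftp": 21,
            "ftp-data": 20, "telnet": 23, "ntp": 123}
HOSTS = {"nctams01": "111.229.13.13", "ns1": "111.229.13.2",
         "localnet": "111.229.13.0/24"}          # assumed, stands in for /etc/hosts


def _net(addr):
    """Address/alias token -> ip_network; "0/0" means anywhere."""
    addr = HOSTS.get(addr, addr)
    if addr == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in addr:
        addr += "/32"
    return ipaddress.ip_network(addr, strict=False)


def _ports(tokens):
    """Port tokens -> list of (lo, hi); an empty list means 'any port'."""
    out = []
    for tok in tokens:
        if tok in SERVICES:
            out.append((SERVICES[tok], SERVICES[tok]))
        elif ":" in tok:
            lo, hi = tok.split(":", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(tok), int(tok)))
    return out


def parse_rule(text):
    """Parse one rule line into {proto, bidir, src, dst}."""
    toks = text.split()
    rule = {"proto": "all", "bidir": False,
            "src": (_net("0/0"), []), "dst": (_net("0/0"), [])}
    i = 0
    while i < len(toks):
        if toks[i] == "-P":
            rule["proto"] = toks[i + 1]
            i += 2
        elif toks[i] in ("-S", "-D"):
            # the address, then every token up to the next flag is a port spec
            j = i + 2
            while j < len(toks) and not toks[j].startswith("-"):
                j += 1
            rule["src" if toks[i] == "-S" else "dst"] = (
                _net(toks[i + 1]), _ports(toks[i + 2:j]))
            i = j
        elif toks[i] == "-b":
            rule["bidir"] = True
            i += 1
        else:
            i += 1                   # -F, -a, accept: chain/action, ignored here
    return rule


def _side(side, ip, port):
    net, ranges = side
    return (ipaddress.ip_address(ip) in net
            and (not ranges or any(lo <= port <= hi for lo, hi in ranges)))


def matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the rule matches the packet, honouring -b (reverse path)."""
    if rule["proto"] not in ("all", proto):
        return False
    if _side(rule["src"], src_ip, src_port) and _side(rule["dst"], dst_ip, dst_port):
        return True
    # -b: the same rule also covers packets travelling the other way
    return (rule["bidir"]
            and _side(rule["src"], dst_ip, dst_port)
            and _side(rule["dst"], src_ip, src_port))


def verdict(rules, packet, policy="deny"):
    return "accept" if any(matches(r, *packet) for r in rules) else policy


# The rules as posted versus the corrected forms suggested in the reply.
ORIGINAL = [
    "-F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13",
    "-F -a accept -b -P tcp -S 111.229.13.13 25 -D 0.0.0.0/0 1024:65535",
    "-F -a accept -b -P udp -S 0.0.0.0/0 53 -D 111.229.13.2",
]
CORRECTED = [
    "-F -a accept -b -P tcp -S 0/0 -D nctams01 smtp",
    "-F -a accept -b -P tcp -S nctams01 -D 0/0 smtp",
    "-F -a accept -b -P udp -S 0/0 -D ns1 domain",
]

# Constructed sample packets: (proto, src_ip, src_port, dst_ip, dst_port).
PACKETS = {
    "inbound smtp to NCTAMS01":    ("tcp", "203.0.113.9", 40000, "111.229.13.13", 25),
    "inbound telnet to NCTAMS01":  ("tcp", "203.0.113.9", 40000, "111.229.13.13", 23),
    "outbound smtp from NCTAMS01": ("tcp", "111.229.13.13", 2049, "198.51.100.7", 25),
    "reply to that outbound smtp": ("tcp", "198.51.100.7", 25, "111.229.13.13", 2049),
    "dns query to NS1":            ("udp", "203.0.113.9", 33000, "111.229.13.2", 53),
}


def evaluate(rule_texts):
    """Verdict for every sample packet under the given rule set."""
    rules = [parse_rule(r) for r in rule_texts]
    return {name: verdict(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label)
        for name, v in evaluate(rules).items():
            print(f"  {v:6} {name}")
```

Running it shows the two failure modes from the thread: the original outbound SMTP rule puts port 25 on the source side, so neither the client's SYN (ephemeral port to remote port 25) nor the reply matches, and the original DNS rule puts 53 on the source side, so a query from an ephemeral client port is dropped. It also shows the over-broad first rule accepting inbound telnet to NCTAMS01, which the corrected `-D nctams01 smtp` form denies.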

