Hi everyone, it's me again. :-)
I need help with my current IPFilter/IPNat rules in FreeBSD. My FreeBSD box has two NICs, one with a public IP address and one with a private IP address. We have an internal web and FTP server. Previously, I was using Linux ipchains and ipmasqadm for this company.
My problem now is that when I FTP from the Internet to the public IP address of the FreeBSD box, it is slow.
So what I did was shut down the FreeBSD box first and turn the Linux box on again. I FTPed again, and copying was OK. I did this so that I could compare the performance.
Anyway, I've included my ipf.rules and ipnat.rules. Maybe you can pinpoint why I am experiencing performance issues on FTP.
Thanks.
dc0 is the external lan card
dc1 is the internal lan card
#============================================================================
# /etc/ipf.rules
#============================================================================
########################################
## BLOCK IPOPTS & SHORT & FRAG PKTS ##
########################################
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
#########################################################
# Firewalling rules
#########################################################
# set our default policies: see note 1
# block in log all
# pass out all
# accept packets coming from the internal interface
pass in on dc1 all
pass in on lo0 all
#########################
## BLOCK NMAP -O SCANS ##
#########################
block in log quick on dc0 proto tcp all flags FUP
###########################################
## BLOCK IN NON-ROUTABLE (SPOOFED) PKTS ##
###########################################
block in log quick on dc0 from 255.255.255.255/32 to any
block in log quick on dc0 from 192.168.0.0/16 to any
block in log quick on dc0 from 172.16.0.0/12 to any
block in log quick on dc0 from 127.0.0.0/8 to any
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from 0.0.0.0/32 to any
################################
## BLOCK AND LOG SMURF ATTACKS ##
################################
block in log quick on dc0 from any to 1.1.1.0/29
block in log quick on dc0 from any to 1.1.1.255/29
#####################################
## ALLOW SOME ICMP IN FROM OUTSIDE ##
#####################################
#pass in quick on dc0 proto icmp all icmp-type 0
block in quick on dc0 proto icmp all icmp-type 0
#pass in quick on dc0 proto icmp all icmp-type 3
block in quick on dc0 proto icmp all icmp-type 3
block in quick on dc0 proto icmp all icmp-type 8
#pass in quick on dc0 proto icmp all icmp-type 11
#############################
## ALLOW LOCAL TRAFFIC OUT ##
#############################
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out log quick on dc0 proto icmp from any to any keep state
# allow FTP connection
pass in quick proto tcp from any to any port 15000 >< 20000 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 20 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 21 flags S keep state
# allow SMTP, DNS, HTTP and HTTPS
pass in quick on dc0 proto tcp from any to any port = 25 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 53 flags S keep state
pass in quick on dc0 proto udp from any to any port = 53 keep state
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 443 flags S keep state
# allow return packets from connections we initiated
pass out proto tcp all keep state
# block
block return-icmp(net-unr) in on dc0 proto udp from any to any
block return-rst in on dc0 proto tcp from any to any port = 113
block return-icmp-as-dest(port-unr) in quick on dc0 from any to any port = 23
block return-icmp-as-dest(port-unr) in quick on dc0 from any to any port = 110
# allow udp DNS replies
pass in on dc0 proto udp from any port = 53 to any
# Prevent outside machines from initiating TCP connections to machines
# within our network
block in quick on dc0 proto tcp all flags S/SA
block out quick on dc0 proto tcp all flags SA/SA
# END OF ipf.rules
#============================================================================
# /etc/ipnat.rules
#============================================================================
map dc0 192.168.0.0/16 -> 0/32
map dc0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map dc0 192.168.0.0/16 -> 0/32 portmap tcp/udp 10000:60000
rdr dc0 202.x.x.136/32 port 21 -> 192.168.2.11 port 21
rdr dc0 202.x.x.136/32 port 80 -> 192.168.2.11 port 80
rdr dc0 202.x.x.136/32 port 443 -> 192.168.2.11 port 443
# END OF ipnat.rules
ronneil r. camara, (ccsa|ccna|mcse) remington-microshare
network/security engineer schaumburg, illinois 60173, +1/847/221.0200
pgp key: 0x927C12C1 mobphone: 9.80.175.3
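As an added example (not from the original post, and not an IPFilter tool): a small Python checker that parses the posted ipf.rules syntax for the few fields it needs and flags two things in a ruleset like the one above, inbound ICMP type 3 blocked on the external interface and pass-in rules that carry no interface clause. Whether a blocked type 3 actually stalls established transfers depends on whether that IPFilter version's state table admits related ICMP errors before the rules are consulted, so treat a hit as something to verify with ipmon logging rather than as a diagnosis. The rule excerpt embedded in the script is copied from the post, and the interface name dc0 is taken from it.

```python
# Constructed excerpt of the ipf.rules posted above; dc0 is the external interface.
SAMPLE_RULES = """\
block in log quick all with frag
block in quick on dc0 proto icmp all icmp-type 3
block in quick on dc0 proto icmp all icmp-type 8
pass in quick proto tcp from any to any port 15000 >< 20000 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 21 flags S keep state
pass out quick on dc0 proto icmp from any to any keep state
"""

ICMP_DEST_UNREACH = 3  # type 3 carries code 4 "fragmentation needed", which PMTU discovery relies on


def parse_rule(line):
    """Extract the few fields this audit needs from one ipf rule; None for blank/comment lines."""
    toks = line.split()
    if len(toks) < 2 or toks[0].startswith("#"):
        return None
    rule = {"action": toks[0], "dir": toks[1], "iface": None, "proto": None, "icmp_type": None}
    for i, tok in enumerate(toks[:-1]):  # every keyword handled below takes one argument
        nxt = toks[i + 1]
        if tok == "on":
            rule["iface"] = nxt
        elif tok == "proto":
            rule["proto"] = nxt
        elif tok == "icmp-type" and nxt.isdigit():
            rule["icmp_type"] = int(nxt)
    return rule


def audit(rules_text, ext_iface="dc0"):
    """Return (rule_line, finding) pairs for rules worth re-examining on a throughput complaint."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        inbound_on_ext = r["dir"] == "in" and r["iface"] in (None, ext_iface)
        if (r["action"] == "block" and inbound_on_ext and r["proto"] == "icmp"
                and r["icmp_type"] == ICMP_DEST_UNREACH):
            findings.append((line, "drops inbound ICMP destination-unreachable (incl. fragmentation "
                                   "needed); if the state table does not admit related ICMP errors, "
                                   "PMTU discovery fails and bulk transfers stall"))
        if r["action"] == "pass" and r["dir"] == "in" and r["iface"] is None:
            findings.append((line, "pass rule has no 'on <iface>' clause, so it matches on every "
                                   "interface, including the external one"))
    return findings


if __name__ == "__main__":
    for rule_line, why in audit(SAMPLE_RULES):
        print(f"{rule_line}\n    -> {why}")
```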