Here are the complete firewall rules

################################################################# 
# No restrictions on Inside Lan Interface for private network
################################################################# 
 
pass out quick on xl0 all   # production server config
pass in  quick on xl0 all   # production server config

################################################################# 
# No restrictions on Loopback Interface 
################################################################# 

pass in  quick on lo0 all 
pass out quick on lo0 all 

#################################################################
# Interface facing Public internet  (Outbound Section) 
# Interrogate session start requests originating from behind the 
# firewall on the private network 
# or from this gateway server destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
pass out quick on rl0 proto tcp from any to xx.168.240.5 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.5 port = 53 keep state

pass out quick on rl0 proto tcp from any to xx.168.240.2 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.2 port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
pass out quick on rl0 proto udp from any to xx.173.0.1 port = 67 keep state
pass out quick on rl0 proto udp from any to xx.39.64.1 port = 67 keep state

# Allow out non-secure standard www function
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on rl0 proto tcp from any to any port = 25  flags S keep state
pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state


# Allow out secure FTP, Telnet, and SCP 
# This function is using SSH  (secure shell)
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet 
pass out log quick on rl0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function 
pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out all icmp to public Internet
pass out quick on rl0 proto icmp from any to any keep state

# Allow out whois for LAN PC to public Internet
pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything 
# else that's trying to get out.
# This rule enforces the block all by default logic. 
#block out log first quick on rl0 all
block out log quick on rl0 all


#################################################################
# Interface facing Public internet  (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on rl0 from 192.168.0.0/16  to any  #RFC 1918 private IP
block in quick on rl0 from 172.16.0.0/12   to any  #RFC 1918 private IP
block in quick on rl0 from 10.0.0.0/8      to any  #RFC 1918 private IP
block in quick on rl0 from 127.0.0.0/8     to any  #loopback
block in quick on rl0 from 0.0.0.0/8       to any  #"this" network (RFC 1122)
block in quick on rl0 from 169.254.0.0/16  to any  #DHCP auto-config
block in quick on rl0 from 192.0.2.0/24    to any  #reserved for docs
block in quick on rl0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3     to any  #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I don't want to see in the log 

# Block frags
#block in log quick on rl0 all with frags
block in quick on rl0 all with frags

# Block short tcp packets
#block in log quick on rl0 proto tcp all with short
block in quick on rl0 proto tcp all with short

# block source routed packets
#block in log quick on rl0 all with opt lsrr
#block in log quick on rl0 all with opt ssrr
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr


# Block nmap OS fingerprint attempts
block in quick on rl0 proto tcp from any to any flags FUP

# Block anything with special options
#block in log quick on rl0 all with ipopts 
block in quick on rl0 all with ipopts

# Block public pings 
block in quick on rl0 proto icmp all icmp-type 8

# Block ident
block in quick on rl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session 
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in quick on rl0 proto tcp/udp from any to any port = 137
block in quick on rl0 proto tcp/udp from any to any port = 138
block in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81

# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21

# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22

# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23

# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80

# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443 

# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25 

# block range of Trojan udp ports 1021 thru 1039 
# so count will show in daily cron rpt
block in quick on rl0 proto udp from any to any port 1020 >< 1040

# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any 

# Allow traffic in from ISP's DHCP server. 
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state

# Allow traffic in from ISP's DNS server. 
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state

# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80  flags S keep state

# Block all udp traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all

# Block and log only first occurrence of all remaining traffic 
# coming into the firewall. 
# This rule enforces the block all by default logic. 
#block in quick on rl0 all
block in log quick on rl0 all

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.


fbsd_user wrote:

> # /root >ipnat -l
> List of active MAP/Redirect filters:
> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 10.0.10.0/29 -> 0.0.0.0/32
> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
> 
> List of active sessions:
> RDR 10.0.10.4       80    <- -> 79.69.59.49     6188  [65.45.227.95 2698]
> MAP 10.0.10.6       1857  <- -> 79.69.59.49     1857  [216.155.193.144 5050]
> 
> Nothing happens. No ipf.log records on gateway box and
> no ipf.log records on the LAN web server box.
> There is a firewall rule to log & pass from any to 10.0.10.4 port = 80
> keep state
> And any packet that does not match a firewall rule gets logged and
> dropped.

Please post your filter ruleset also.

Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
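As an added example for this thread (not the poster's configuration and not IPFilter's own code), the following Python models the inbound path the way IPFilter documents it: ipnat rewrites an inbound packet before the filter rules run, then ipf walks the rules top to bottom and stops at the first matching "quick" rule. The rules are the subset of the posted inbound section that a TCP packet to port 80 or 6188 can match, in the order they appear in the post; the redirected request uses the addresses from the posted "ipnat -l" session table; the gateway probe packet is constructed. The names filter_inbound, rdr_inbound, POSTED and REORDERED are the example's own, and the model only matches on protocol, destination address and destination port, which is all the transcribed rules differ in.

```python
"""Model of IPFilter's inbound path for the posted rdr: ipnat rewrites the
packet first, then ipf evaluates the rules top to bottom and a matching
'quick' rule ends evaluation.  Added example for this thread, not the
poster's configuration and not IPFilter code; rules and addresses are
transcribed from the posted ruleset and ipnat output."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "block" or "pass"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    dst: str               # "any", a host address or a CIDR network
    dport: Optional[int]   # destination port, None for any
    log: bool = False
    text: str = ""         # the rule as written in the posted ruleset


def rdr_inbound(pkt: Packet) -> Packet:
    """rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp  (from 'ipnat -l')."""
    if pkt.proto == "tcp" and pkt.dport == 6188:
        return replace(pkt, dst="10.0.10.4", dport=80)
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol, destination address and destination port only;
    'in', 'on rl0', 'flags S' and 'keep state' are the same for every rule
    in the subset below and are not modelled."""
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def filter_inbound(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, str]:
    """Apply the rdr, then return (action, logged, rule_text) of the first
    matching rule; all rules in the subset are 'quick', so first match wins."""
    pkt = rdr_inbound(pkt)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.log, rule.text
    return "pass", False, "(no rule matched; ipf passes by default)"


# Inbound rules from the posted ruleset that a TCP packet to port 80 or 6188
# can match, in the order they appear in the post.
POSTED = [
    Rule("block", "tcp/udp", "any", 80,
         text="block in quick on rl0 proto tcp/udp from any to any port = 80"),
    Rule("pass", "tcp", "any", 6188, log=True,
         text="pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state"),
    Rule("pass", "tcp", "10.0.10.4", 80, log=True,
         text="pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state"),
    Rule("block", "any", "any", None, log=True,
         text="block in log quick on rl0 all"),
]

# The same rules with the host-specific pass moved above the generic port-80 block.
REORDERED = [POSTED[2], POSTED[0], POSTED[1], POSTED[3]]

# The redirected session shown in the posted 'ipnat -l' output:
# 65.45.227.95:2698 -> 79.69.59.49:6188, rewritten by the rdr to 10.0.10.4:80.
WEB_REQUEST = Packet("tcp", "65.45.227.95", 2698, "79.69.59.49", 6188)

# Constructed probe (not from the post): a direct connection to port 80 on the
# gateway's public address, which the rdr does not touch.
GATEWAY_PROBE = Packet("tcp", "216.155.193.144", 4444, "79.69.59.49", 80)

if __name__ == "__main__":
    for name, rules in (("posted order", POSTED), ("pass rule first", REORDERED)):
        for label, pkt in (("redirected request", WEB_REQUEST), ("gateway probe", GATEWAY_PROBE)):
            action, logged, text = filter_inbound(rules, pkt)
            print(f"{name:16} {label:19} -> {action:5} logged={logged!s:5} {text}")
```

Run stand-alone, it prints which rule each ordering stops at. In the posted order the filter sees the already rewritten packet (destination 10.0.10.4 port 80), so the generic "block in quick ... port = 80" rule matches first and, having no "log" keyword, drops it silently, which is consistent with the empty ipf.log the poster reports; the "pass in log quick ... port = 6188" rule never sees a packet on the inbound path, because by the time the filter runs the port is already 80. With the host-specific pass placed above the generic block the redirected request is passed and logged, while a direct probe to port 80 on the gateway's own address is still blocked, since that rule only passes traffic to 10.0.10.4.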
