Hello,

I installed FBSD 4.7 a couple days ago on an old P100 to replace my
linksys cable router.  I've rebuilt the kernel and have done everything
else to enable the machine to act as router/firewall.  The only problem
I am having is setting up the ipfw rules.  I've spent the last 2 days
trying to set them up and can't get anything to work (unless of course I
set the firewall type to open).  I'm to the point where I almost have no
hair left from pulling it out over the last 48hrs :) In pseudocode, this
is what I'd like to do:

allow icmp traffic in and out (certain ones that are necessary for apps
that depend on them)
allow email in and out
allow smb in via internal nic
allow limewire/gnutella in and out
allow ssh in via internal nic
allow aim in and out
allow port 80 in via internal and external nic
allow irc in and out
allow ntp in and out
default to deny

With the following rules, I haven't tested whether gnutella or smb works,
but ssh works, and aim will not work. I even verified that the aim
client is running on the proper port, but it doesn't matter.

Also, with ssh: why is it that if the firewall type is open I can
connect to the FreeBSD box instantly, but if I specify all the rules, it
takes 10+ seconds for me to get a password prompt? Any ideas?

And here is my modified version of the simple fw in /etc/rc.firewall.
Can anyone see anything wrong with the following?

# external net
oif="ep0"
onet="24.26.107"
omask="0xfffffe00"
oip="me"
#internal net
iif="xl0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

fwcmd="/sbin/ipfw"

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

${fwcmd} -f flush

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

#natd
${fwcmd} add divert natd all from any to any via ${oif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

${fwcmd} add allow icmp from any to any icmptypes 0,3,5,8,11

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup

#smb
${fwcmd} add allow tcp from ${inet} to ${iip} 137-139 in via ${iif}

# Limewire/Gnutella
${fwcmd} add allow tcp from any to any 6346 in via ${oif}
${fwcmd} add allow tcp from any 6346 to any out via ${oif}

# ssh
${fwcmd} add allow log all from ${inet} 22 to ${iip} 22 in via ${iif}

# AIM
${fwcmd} add pass tcp from any to ${oip} 5190 in via ${oif}
${fwcmd} add pass tcp from any to any 5190 out via ${oif}

# Allow access to our DNS
# DO I NEED THIS IF I'M NOT RUNNING A DNS SERVER?
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

# Allow access to IDENT/IRC
${fwcmd} add allow tcp from any to ${oip} 194
${fwcmd} add allow udp from any to ${oip} 194
${fwcmd} add allow tcp from any to ${oip} 113
${fwcmd} add allow udp from any to ${oip} 113

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state

${fwcmd} add allow tcp from me to any setup keep-state
${fwcmd} add allow udp from me to any keep-state

${fwcmd} add allow ip from ${inet} to any out via ${oif}

--
Thanks,
Aaron W.
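A stateful ipfw + natd rule set for the policy listed in the post, as an added example that is neither the poster's script nor FreeBSD's rc.firewall. It keeps the post's interface names and nets, uses the skipto-around-natd layout of the FreeBSD 4.x handbook, assumes natd is started with -redirect_port for the Gnutella host, and flushes before adding rules (the posted script flushes after rules 100-300, which removes them); FWCMD defaults to "echo ipfw" so the rules can be reviewed as a dry run before being installed with FWCMD=/sbin/ipfw.

```shell
#!/bin/sh
# Added example, not the poster's script: stateful ipfw + natd rules for the
# policy in the post. FWCMD defaults to "echo ipfw" (dry run); use /sbin/ipfw.
fwcmd="${FWCMD:-echo ipfw}"
oif="ep0"; onet="24.26.107.0/23"                 # mask 0xfffffe00 is /23
iif="xl0"; inet="192.168.1.0/24"; iip="192.168.1.1"
out_tcp="25,80,110,143,5190,6346,6667"  # smtp http pop imap aim gnutella irc

rules() {
    ${fwcmd} -f flush                            # flush BEFORE adding, not after
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: our own nets never arrive on the other interface.
    ${fwcmd} add 200 deny ip from ${inet} to any in via ${oif}
    ${fwcmd} add 210 deny ip from ${onet} to any in via ${iif}
    # Untranslate inbound packets first, then let replies to connections we
    # opened through via the dynamic rules that keep-state created.
    ${fwcmd} add 300 divert natd ip from any to any in via ${oif}
    ${fwcmd} add 310 check-state
    # ICMP types from the post minus redirect (5), which would let outsiders
    # rewrite the router's routes; outbound ICMP goes via natd like the rest.
    ${fwcmd} add 320 allow icmp from any to any in icmptypes 0,3,8,11
    ${fwcmd} add 330 skipto 900 icmp from any to any out via ${oif} icmptypes 3,8,11
    ${fwcmd} add 340 allow ip from any to ${inet} out via ${iif}   # filtered on the way in
    # LAN side: ssh, http, smb to the router itself, nothing else to the router,
    # anything else may go on out. No "from ${inet} 22": client ports are ephemeral.
    ${fwcmd} add 400 allow tcp from ${inet} to ${iip} 22,80,137-139 in via ${iif} setup keep-state
    ${fwcmd} add 410 allow udp from ${inet} to ${iip} 137,138 in via ${iif} keep-state
    ${fwcmd} add 420 deny ip from ${inet} to me in via ${iif}
    ${fwcmd} add 430 allow ip from ${inet} to any in via ${iif}
    # Outbound: record state, then jump to the divert so natd translates the
    # packet (a plain allow would end processing before natd sees it).
    ${fwcmd} add 500 skipto 900 tcp from any to any ${out_tcp} out via ${oif} setup keep-state
    ${fwcmd} add 510 skipto 900 udp from any to any 53,123 out via ${oif} keep-state
    # Router services reachable from outside: smtp, http. Ident probes from IRC
    # servers get a TCP reset, not a silent drop, so the server stops waiting.
    ${fwcmd} add 600 allow tcp from any to me 25,80 in via ${oif} setup keep-state
    ${fwcmd} add 610 reset tcp from any to me 113 in via ${oif}
    # Gnutella to a LAN host (assumes natd -redirect_port to it); skipto 900
    # so the host's replies are translated on the way out.
    ${fwcmd} add 620 skipto 900 tcp from any to ${inet} 6346 in via ${oif} setup keep-state
    ${fwcmd} add 800 deny log ip from any to any             # default deny
    ${fwcmd} add 900 divert natd ip from any to any out via ${oif}
    ${fwcmd} add 910 allow ip from any to any
}
rules
```

Run it once as-is to read the generated rule list, then again with FWCMD=/sbin/ipfw on the router; the `deny log` rule needs IPFIREWALL_VERBOSE in the kernel to actually log.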

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message