Hello, I am trying to make a strict firewall so as to limit bandwidth costs.
I've read the howto, the faq and searched the archives (as well as posting on bulletin boards already!) but have not found out what is wrong with the following.

ipf.conf:

############
# ne0 = ethernet internet link
# ne1 = ethernet local network (10.10.1.0/24) link
# 10.10.1.99 = firewall ip
# xxx.the.ip.236 = firewall ip on ne0
############
# the firewall is not running any services to be accessed via ne0
# the only allowed out for this system should be:
#   21 ftp
#   25 smtp
#  110 pop3
#   80 http
#   22 ssh
#   ?? MSN Messenger
#   ?? YAP Phone
#   53 DNS lookups
#
# for port 80 only the firewall can access this (so we force LAN clients to use the cache)
# for port 53 only the firewall can access this (so we force LAN clients to use our DNS server)
# also icmp traffic should be allowed (for pings and traceroutes)
# for the local network 10.10.1.0/24 we are running the following services:
#   80 apache
#   23 telnet
#   22 ssh
#   53 bind
#   21 proftpd
#   67 dhcpd
# 3128 squid
##################

# start by blocking all traffic on the internet interface
block in on ne0 all
block out on ne0 all

# allow LAN users to access services above
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 22 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 25 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 110 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 21 keep state

# allow FIREWALL to access more services
# (I think this is where the problem is)
pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 53 keep state
pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 80 keep state

# LAN setup
block in on ne1 all
block out on ne1 all
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 3128 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 53 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 80 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 67 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 21 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 23 keep state

# What about icmp?
pass out quick proto icmp from 10.10.1.0/24 to any icmp-type 8 code 0 keep state

My ipnat.conf is:

map ne0 10.10.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ne0 10.10.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ne0 10.10.1.0/24 -> 0/32

Now for all the rulesets I've seen before, they block bad traffic and let the rest in. I thought it would be simpler if I blocked all traffic, and let only what I knew should be coming in. Is the approach wrong? Financially the internet bills are extremely expensive in this country, so I need a very strict ruleset.

Also I saw the count method in ipf which might be useful - at the moment I'm using ipaudit - how does the count method work?

Many thanks in advance, this has been trailing around for a while now, but as you could guess I'm not an expert for this (I don't understand the nat part).

Amadeus
--
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
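The following is an added example, not part of Amadeus's post or of IPFilter itself: a small Python evaluator for a subset of ipf rule syntax, written to show how a default-deny ipf.conf like the one above decides a few flows and what a `count` rule does. It models the IPFilter ordering semantics (rules are tried in order, the last match wins unless a matching rule says `quick`, which ends the search; with no matching pass/block rule the default is to pass) and treats `count` rules as a separate accounting list that is checked for every packet and never changes the verdict. Assumptions: `keep state`, NAT and `icmp-type` are not modelled, so stateful replies are not simulated; the ruleset and sample flows are constructed for the example, and 192.0.2.236 (a documentation address) stands in for the post's placeholder firewall address. Running it shows a LAN client's SMTP connection being both counted and passed by the `quick` rule, and a UDP query to port 53 from the firewall falling through to `block out on ne0 all`, since the rules in that shape only open TCP 53.

```python
"""Added example: evaluator for a subset of IPFilter rule syntax.  Modelled
semantics: pass/block rules are tried in order and the LAST match wins unless
a matching rule says `quick`, which stops the search; `count` rules sit on a
separate accounting list, are checked for every packet and never decide; with
no matching pass/block rule the default is pass.  keep state, NAT and
icmp-type are not modelled."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^(?P<action>block|pass|count)\s+(?P<dir>in|out)(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+(?P<all>all)|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)(?:\s+keep\s+state)?\s*$")

@dataclass
class Rule:
    text: str
    action: str            # pass, block or count
    direction: str         # in or out
    quick: bool
    iface: Optional[str]   # None = any interface
    proto: Optional[str]   # None = any; "tcp/udp" = either
    match_all: bool        # the `all` keyword
    src: Optional[str]
    dst: Optional[str]
    port: Optional[int]    # destination port, None = any

@dataclass
class Packet:
    direction: str         # "in" or "out"
    iface: str
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def parse_rules(text):
    # Returns (filter_rules, accounting_rules); comments and blank lines are skipped.
    filt, acct = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rule = Rule(line, m["action"], m["dir"], m["quick"] is not None,
                    m["iface"], m["proto"], m["all"] is not None,
                    m["src"], m["dst"], int(m["port"]) if m["port"] else None)
        (acct if rule.action == "count" else filt).append(rule)
    return filt, acct

def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    if rule.direction != pkt.direction or (rule.iface and rule.iface != pkt.iface):
        return False
    if rule.proto and pkt.proto not in rule.proto.split("/"):
        return False
    if rule.match_all:
        return True
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    return rule.port is None or rule.port == pkt.dport

def evaluate(ruleset, pkt):
    # Returns (verdict, Counter of accounting rules hit) for one packet.
    filt, acct = ruleset
    counts = Counter(r.text for r in acct if matches(r, pkt))
    verdict = "pass"                  # IPFilter's default when nothing matches
    for rule in filt:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:            # quick: this match is final
                break
    return verdict, counts

# Constructed ruleset in the same default-deny shape as the post's ipf.conf;
# 192.0.2.236 (documentation range) stands in for the post's firewall address.
RULES = """
count out on ne0 proto tcp from 10.10.1.0/24 to any port = 25
block in on ne0 all
block out on ne0 all
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 25 keep state
pass out quick on ne0 proto tcp from 192.0.2.236 to any port = 53 keep state
pass out quick proto icmp from 10.10.1.0/24 to any
"""

if __name__ == "__main__":
    rs = parse_rules(RULES)
    for label, pkt in [
        ("LAN host -> smtp", Packet("out", "ne0", "tcp", "10.10.1.5", "203.0.113.10", 25)),
        ("firewall -> udp dns", Packet("out", "ne0", "udp", "192.0.2.236", "203.0.113.53", 53)),
        ("inbound ssh", Packet("in", "ne0", "tcp", "203.0.113.10", "192.0.2.236", 22)),
    ]:
        verdict, counts = evaluate(rs, pkt)
        print(f"{label:20s} {verdict:5s} counted by {sum(counts.values())} rule(s)")
```

Because a `count` rule is accounting only, it can be placed anywhere without changing what passes or is blocked; what it gives you is a per-rule tally of matching packets, which is the kind of number a bandwidth-limiting policy needs. The same evaluator can be pointed at a fuller copy of a ruleset to check that every flow a client is expected to make actually reaches a `pass` rule rather than the catch-all `block`.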
