OK... I just moved my firewall from Solaris 9 to FreeBSD 5.3. There seem to be
some issues with the stability of PPPoE on Solaris.
I tried to compile 4.1.7 on FreeBSD 5.3 and it failed, so for now I am just
using the bundled ipfilter (v 3.4.35).
This seems to work OK except for FTP.
I can log into the FTP server, but it fails when I try to issue data
commands such as ls or get. I know this is something silly that I am
missing.
*******************************************************
Here are my rules (tun0 = external and xl1 = internal)
# Set default as allow nothing and log it
block in log all
# Still block external requests to the following, but don't bother logging;
# it is filling up the logs.
block in quick on tun0 proto tcp from any to any port = 135
# Don't restrict loopback
pass out quick on lo0
pass in quick on lo0
# Firewall specific rules
pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 23 flags S keep state
pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 21 flags S keep state
pass in quick on xl1 proto icmp from 192.168.200.0/24 to 192.168.200.254/32 keep state
block in log quick on xl1 from 192.168.200.0/24 to 192.168.200.254/32
pass out quick on tun0 proto tcp from any to any port = 53 flags S keep state
pass out quick on tun0 proto udp from any to any port = 53 keep state
#pass out quick on tun0 proto tcp from any to any flags S keep state
#pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
# Basically allow all internal traffic to go outbound, without any restrictions
pass in quick on xl1 proto tcp from 192.168.200.0/24 to any flags S keep state keep frags
pass in quick on xl1 proto udp from 192.168.200.0/24 to any keep state keep frags
pass in quick on xl1 proto icmp from 192.168.200.0/24 to any keep state
# External traffic permitted in
pass in log first quick on tun0 proto tcp from any to any port = 1234 flags S keep state keep frags
*******************************************************
Here are the nat rules...
map tun0 192.168.200.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.200.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.200.0/24 -> 0/32
rdr tun0 0.0.0.0/0 port 1234 -> 192.168.200.10 port 1234
*******************************************************
Here is my ifconfig output
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::260:8ff:fe0d:2646%xl0 prefixlen 64 scopeid 0x1
ether 00:60:08:0d:26:46
media: Ethernet 10baseT/UTP (10baseT/UTP <half-duplex>)
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1492
options=9<RXCSUM,VLAN_MTU>
inet 192.168.200.254 netmask 0xffffff00 broadcast 192.168.200.255
inet6 fe80::250:4ff:fe81:6947%xl1 prefixlen 64 scopeid 0x2
ether 00:50:04:81:69:47
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 65.95.94.111 --> 64.230.254.114 netmask 0xffffffff
Opened by PID 228
# ipfstat -iohn (taken after an FTP failure)
0 @1 pass out quick on lo0 from any to any
0 @2 pass out quick on tun0 proto tcp from any to any port = 53 flags S/FSRPAU keep state
50 @3 pass out quick on tun0 proto udp from any to any port = 53 keep state
0 @4 pass out quick on tun0 proto icmp from any to any keep state
52 @1 block in log from any to any
8 @2 block in quick on tun0 proto tcp from any to any port = 135
0 @3 pass in quick on lo0 from any to any
0 @4 pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 23 flags S/FSRPAU keep state
0 @5 pass in log first quick on xl1 proto tcp from 192.168.200.0/24 to 192.168.200.254/32 port = 21 flags S/FSRPAU keep state
0 @6 pass in quick on xl1 proto icmp from 192.168.200.0/24 to 192.168.200.254/32 keep state
24 @7 block in log quick on xl1 from 192.168.200.0/24 to 192.168.200.254/32
8 @8 pass in quick on xl1 proto tcp from 192.168.200.0/24 to any flags S/FSRPAU keep state keep frags
12 @9 pass in quick on xl1 proto udp from 192.168.200.0/24 to any keep state keep frags
0 @10 pass in quick on xl1 proto icmp from 192.168.200.0/24 to any keep state
0 @11 pass in log first quick on tun0 proto tcp from any to any port = 1234 flags S/FSRPAU keep state keep frags
0 @12 pass in log first quick on tun0 proto tcp from 209.135.64.116/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @13 pass in log first quick on tun0 proto tcp from 204.50.168.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @14 pass in log first quick on tun0 proto tcp from 216.94.20.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags
0 @15 pass in log first quick on tun0 proto tcp from 207.61.239.60/32 to any port = 3389 flags S/FSRPAU keep state keep frags