Here is the firewall script we use for our home network.
We did not need any rules for sl0.
I hope it helps.
Brian Beuning
Sandro Poppi wrote:
> I'm using successfully diald and masquerading/firewalling. I found out
> that I have to set up input and output rules with "ipfwadm -W" for
> both sl0 and ppp0. I can't use external IP addresses because these are
> assigned dynamically and thus can't use the -V option.
>
> I think this makes the connection slower than it should be. Does
> anyone else have such a configuration set up successfully? Maybe it
> could make sense to delete the rules for sl0 after ppp0 has been
> changed to a snoop device via diald and reassign them after the link is
> brought down.
>
> Here are some further facts:
> RedHat 5.2, kernel 2.0.36, diald 0.16.5a, modem connection via
> telephone line, internal IP 192.168.x.x
>
> Thanks in advance!
>
> --
> Sandro
>
> _\\|//_
> (' o-o ')
> ----------oooO-(_)-Oooo-------------
>
> "Just look at the sun and be happy!"
>
#!/bin/sh
# This firewall is for a home gateway system with just a couple
# of clients. We want to allow anything from the clients out to
# the internet but not allow unsolicited internet traffic into
# our network. The protocols we use are:
# www
# ftp
# DNS name resolution (for local caching only)
# NNTP (net news)
# NTP (time)
# POP3 (for incoming e-mail)
# SMTP (for outgoing e-mail only)
# We have a DNS server running but it is caching only.
echo Start IP Firewall
NET=192.168.0.0/16
ISP=          # not referenced by any rule below
# Flush any existing rules
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
# Turn on Masquerading
ipfwadm -F -p deny
ipfwadm -F -a accept -m -P tcp -S $NET -D 0.0.0.0/0
ipfwadm -F -a accept -m -P udp -S $NET -D 0.0.0.0/0
# Extending MASQ timeouts: TCP sessions 7200 s, TCP after FIN 10 s, UDP 120 s
ipfwadm -M -s 7200 10 120
# The default is to deny all. Below we will open it up again for TCP
# after we have blocked unsolicited packets.
ipfwadm -I -p deny
# Unlimited traffic within the local net.
ipfwadm -I -a accept -W lo
ipfwadm -I -a accept -W eth0
# Reject local LAN addresses not originating on local LAN
# This rule suggested by Brian McCauley <[EMAIL PROTECTED]>
ipfwadm -I -a deny -S $NET -o
ipfwadm -I -a deny -S 127.0.0.0/8 -o
# Rules for TCP traffic.
# Allow ftp traffic through the SYN filter below.
# All the sites we need to access support PASSIVE mode,
# so we do not need this. It is a pretty big security
# hole anyway.
# ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D 0.0.0.0/0 1024:65535
# Allow Identd requests - mainly to keep messages out of the logs
ipfwadm -I -a accept -P tcp -W ppp0 -D 0.0.0.0/0 113
# Deny packets that originate (SYN=1,ACK=0) out in the internet.
# The -y flag only works for TCP, so make that explicit.
ipfwadm -I -a deny -P tcp -y -W ppp0 -o
# Accept all other TCP traffic.
ipfwadm -I -a accept -P tcp
# Rules for UDP traffic
# The -S arguments on the UDP filters are dubious since someone
# sending bogus packets can set the source to whatever they want.
# Of course, they would not receive a reply, but they may not want one.
# The main reason this might help is if my ISP rejects IP traffic
# coming into the ISP with a source address of the ISP internal
# network.
# Allow DNS responses
# My ISP's name servers are 207.69.188.185, 186, and 187
# The file /etc/named.boot includes the lines
# forwarders 207.69.188.185 207.69.188.186 207.69.188.187
# options forward-only
# This keeps my named daemon from talking to any sites except my ISP
# We do not restrict destination to allow nslookup some flexibility.
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.188.0/24 domain -D 0.0.0.0/0 domain
# Allow Network Time Protocol (NTP) responses
# The file /etc/chrony.conf has the line:
# server 207.69.200.3
# Single-host mask (/32); a /0 mask here would match every source address.
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.200.3/32 ntp -D 0.0.0.0/0 ntp
# Log rejected UDP packets
ipfwadm -I -a deny -P udp -o
# Limited ICMP traffic.
# The ICMP Message Types:
# 0 Echo Reply
# 3 Destination Unreachable
# 4 Source Quench
# 5 Redirect
# 8 Echo Request
# 11 Time Exceeded for a Datagram
# 12 Parameter Problem on a Datagram
# 13 Timestamp Request
# 14 Timestamp Reply
# 15 Information Request (obsolete)
# 16 Information Reply (obsolete)
# 17 Address Mask Request
# 18 Address Mask Reply
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0 0 3 11 12 14 18
# Log rejected ICMP packets
ipfwadm -I -a deny -P icmp -o
# Turn on dynamic address fix-up so diald works better
echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# Load modules
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ppp.o
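Added here as an example, not part of Brian's script: a small lint that scans an ipfwadm script for -S/-D arguments where a non-zero address carries a /0 mask (such as a single server written as 207.69.200.3/0), since such a rule matches every address and the intended source restriction is silently lost. The function name and the sample rule file are my own constructions.

```sh
#!/bin/sh
# Scan an ipfwadm script for -S/-D arguments whose mask cancels the
# restriction: a non-zero address with a /0 (or /0.0.0.0) mask matches
# every host, so a rule meant for one server accepts packets from anyone.
# lint_masks FILE prints one finding per offending rule and returns 1
# if any were found, 0 otherwise.

lint_masks() {
    awk '
    /^[[:space:]]*ipfwadm/ {
        for (i = 1; i < NF; i++) {
            if ($i != "-S" && $i != "-D") continue
            n = split($(i + 1), a, "/")
            if (n != 2) continue              # bare address: host match, fine
            if ((a[2] == "0" || a[2] == "0.0.0.0") && a[1] != "0.0.0.0") {
                printf "%s:%d: %s %s matches every address (mask /0)\n", FILENAME, NR, $i, $(i + 1)
                bad++
            }
        }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample: the same NTP rule with a /0 and a /32 mask, plus a
# deliberately wide-open -S 0.0.0.0/0 that is correct and must not be flagged.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.200.3/0 ntp -D 0.0.0.0/0 ntp
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.200.3/32 ntp -D 0.0.0.0/0 ntp
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0 0 3 11 12 14 18
EOF

lint_masks "$SAMPLE" || echo "lint: fix the rules above"   # reports line 1 only
rm -f "$SAMPLE"
```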