Please check my IPFW ruleset
[resending, doesn't seem to have gotten through]

I'm making some ipfw rules, and I would appreciate it if someone could check these for me. My intention is to create a replacement for a hardware router, which basically works by allowing all outbound traffic, blocking all unauthorized/unrequested inbound traffic, and has a setting (the so-called DMZ) to redirect all the unauthorized/unrequested packets to a local computer. Plus I want to add something like remote telnet/ssh capabilities to override the DMZ.

| ipfw.rules |

#!/bin/sh
dns=195.228.240.249,195.228.242.180
lan=192.168.123.0/24
ext=tun0
int=rl0
# command prefixes must be quoted, otherwise the shell runs "-q" as a command
ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"
fa="from any"
ta="to any"
fata="$fa $ta"
reserved=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3

$ipfw -f flush
$allow all $fata via lo0
$allow all $fata via $int

# INBOUND #
$block all $fa to $reserved in via $ext    # ISP fuckup?
$nat all $fata in via $ext
$check
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved $ta in via $ext  # ipfw requires both "from" and "to"
# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4
$block all $fata in via $ext

# OUTBOUND #
# :: DEFINE SOME RESTRICTIONS HERE ? ::
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext

$block all $fata   # ipfw requires a protocol keyword ("all" or "ip") in every rule

| eof ipfw.rules |

OK, questions...

# ISP fuckup? - does it make sense to defend against my ISP hacking me?

What does divert natd actually do? Does it only change the IP header?

Can I move the three lines
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext
to ahead of
$nat all $fata in via $ext
?

I'm curious about this one:
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext
For an outbound packet, rules should be keep-state, divert, allow, in this order, as far as I know. What about these lines?

Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE traffic only?

Did I miss anything?

Some other IPFW questions:
deny ip == deny all?
Why do I have to write "from any to any" all the time, when it just means independently of source and destination? Why can't I write just "drop all"?

Thank you very very much in advance :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
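An added example, not part of the post above and not the poster's code: a toy first-match evaluator in Python for the inbound half of this ruleset. It shows what moving the reserved-address blocks relative to `divert natd` changes, and what a natd DMZ redirect does to the commented-out `to me 22` service rule. Its assumptions: natd runs with `-redirect_address` so that every inbound packet for the public address with no natd session is rewritten to the DMZ host; the public address 203.0.113.7 and DMZ host 192.168.123.50 are constructed; and one rule the post does not have is added (an allow for traffic to the DMZ host after the divert), because without it every redirected packet ends at the final inbound deny. Dynamic rules (check-state/keep-state) are ignored.

```python
# Added example (not from the original post): a toy first-match evaluator
# for the inbound rules of the ruleset above.  Only what is needed to show
# ordering around "divert natd" is modelled; real ipfw has far more.
import ipaddress
from dataclasses import dataclass, replace

EXT = "tun0"
PUBLIC_IP = "203.0.113.7"     # constructed: the router's address on tun0
DMZ_HOST = "192.168.123.50"   # constructed: LAN host natd redirects to

# The $reserved list from the post.
RESERVED = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3")]


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    setup: bool = False        # TCP SYN without ACK (ipfw "setup")
    established: bool = False  # TCP with ACK or RST set (ipfw "established")
    frag: bool = False         # non-first IP fragment (ipfw "frag")
    direction: str = "in"
    iface: str = EXT


def in_reserved(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RESERVED)


def natd_inbound(pkt):
    """Assumption: natd runs with -redirect_address DMZ_HOST PUBLIC_IP and has
    no live sessions, so every inbound packet for the public address gets its
    destination rewritten to the DMZ host.  The source is never touched."""
    return replace(pkt, dst=DMZ_HOST) if pkt.dst == PUBLIC_IP else pkt


def inbound_ext(p):
    return p.direction == "in" and p.iface == EXT


def build_rules(reserved_src_before_nat, reserved_dst_before_nat):
    """The post's inbound rules as (action, predicate) pairs in ipfw order.
    The flags choose where the reserved-source and reserved-destination
    blocks sit relative to the divert rule."""
    deny_reserved_dst = ("deny", lambda p: inbound_ext(p) and in_reserved(p.dst))
    deny_reserved_src = ("deny", lambda p: inbound_ext(p) and in_reserved(p.src))
    rules = []
    if reserved_dst_before_nat:
        rules.append(deny_reserved_dst)   # $block all $fa to $reserved in via $ext
    if reserved_src_before_nat:
        rules.append(deny_reserved_src)
    rules.append(("divert", inbound_ext))  # $nat all $fata in via $ext
    rules.append(("deny", lambda p: inbound_ext(p) and p.frag))
    rules.append(("deny", lambda p: inbound_ext(p) and p.proto == "tcp"
                  and p.established))
    if not reserved_dst_before_nat:
        rules.append(deny_reserved_dst)
    if not reserved_src_before_nat:
        rules.append(deny_reserved_src)   # $block all from $reserved in via $ext
    # The post's commented-out service rule: $allow tcp $fa to me 22 ... setup
    rules.append(("allow", lambda p: inbound_ext(p) and p.proto == "tcp"
                  and p.dst == PUBLIC_IP and p.dport == 22 and p.setup))
    # Assumed extra rule, not in the post: let redirected traffic reach the DMZ host.
    rules.append(("allow", lambda p: inbound_ext(p) and p.dst == DMZ_HOST))
    rules.append(("deny", inbound_ext))   # $block all $fata in via $ext
    return rules


def evaluate(rules, pkt):
    """First matching rule wins.  A divert rule hands the packet to natd and
    evaluation resumes at the next rule with the rewritten packet, as ipfw
    does when natd reinjects it.  Returns (verdict, packet as it left the
    firewall, number of natd passes)."""
    nat_passes = 0
    for action, matches in rules:
        if not matches(pkt):
            continue
        if action == "divert":
            pkt = natd_inbound(pkt)
            nat_passes += 1
            continue
        return action, pkt, nat_passes
    return "deny", pkt, nat_passes  # default rule 65535 on a deny-by-default kernel


if __name__ == "__main__":
    orders = {
        "post order": build_rules(reserved_src_before_nat=False, reserved_dst_before_nat=True),
        "reserved-src before natd": build_rules(reserved_src_before_nat=True, reserved_dst_before_nat=True),
        "reserved-dst after natd": build_rules(reserved_src_before_nat=True, reserved_dst_before_nat=False),
    }
    samples = [Packet("tcp", "10.1.2.3", PUBLIC_IP, 80, setup=True),      # spoofed private source
               Packet("tcp", "198.51.100.9", PUBLIC_IP, 80, setup=True),  # unsolicited web SYN
               Packet("tcp", "198.51.100.9", PUBLIC_IP, 22, setup=True),  # SSH meant for the router
               Packet("tcp", "198.51.100.9", PUBLIC_IP, 80, established=True)]  # bare ACK
    for name, rules in orders.items():
        for p in samples:
            print(f"{name:26} {p.src} -> {p.dst}:{p.dport}  {evaluate(rules, p)}")
```

Three things fall out of running it. Moving the reserved-source block ahead of the divert gives the same verdict and saves a trip through natd, because inbound natd rewrites only the destination. The reserved-destination block has to stay ahead of the divert: after natd the destination is a LAN address, so placed later it would drop every DMZ-redirected packet. And with an address-wide redirect active, a `to me 22` rule placed after the divert never matches, since the destination is already the DMZ host by then; keeping a service on the router itself needs either the allow placed before the divert or a natd `-redirect_port` entry for that port.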