Please check my IPFW ruleset

2007-11-01 Thread deeptech71

[resending, doesn't seem to have gotten through]

I'm making some ipfw rules, and I would appreciate if someone could 
check these for me.


My intention is to create a replacement for a hardware router, which 
basically works by allowing all outbound traffic, blocking all 
unauthorized/unrequested inbound traffic, and has a setting (the so 
called DMZ) to redirect all the unauthorized/unrequested packets to a 
local computer. Plus I want to add something like remote telnet/ssh 
capabilities to override the DMZ.


| ipfw.rules |
#!/bin/sh

dns=195.228.240.249,195.228.242.180
lan=192.168.123.0/24
ext=tun0
int=rl0

# command prefixes: quoted, otherwise sh takes only the first word as the
# value and tries to run the rest as a command
ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"

fa="from any"
ta="to any"
fata="$fa $ta"
reserved=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3



$ipfw -f flush

$allow all $fata via lo0
$allow all $fata via $int

# INBOUND #

$block all $fa to $reserved in via $ext # ISP fuckup?

$nat all $fata in via $ext
$check

$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext

# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4

$block all $fata in via $ext

# OUTBOUND #

# :: DEFINE SOME RESTRICTIONS HERE ? ::

$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext

$block $fata

| eof ipfw.rules |

OK, questions...

# ISP fuckup? - does it make sense to defend against my ISP hacking me?

What does divert natd actually do? Does it only change the IP header?

Can I move the three lines
$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext
to ahead of
$nat all $fata in via $ext ?

I'm curious about this one:
$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext
For an outbound packet, rules should be keep-state, divert, allow, in 
this order, as far as I know. What about these lines?


Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE 
traffic only?


Did I miss anything?


Some other IPFW questions:
deny ip == deny all?
Why do I have to write from any to any all the time, when it just 
means independently of source and destination? Why can't I write just 
drop all?



Thank you very very much in advance :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
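Added example (not from the post and not the poster's script): a small Python model of ipfw evaluation that walks the external-interface part of the ruleset above for one LAN connection. It assumes the ipfw semantics as I read them in ipfw(8) and ipfw_chk(): rules are tried in order and the first match wins, with the default rule denying; divert natd hands the packet to natd and the reinjected packet resumes at the rule after the divert; keep-state records the addresses as they are when its rule matches; a later check-state hit executes the parent rule's action, and when that parent is a divert, evaluation resumes after the parent. natd is reduced to source NAT behind one constructed public address (203.0.113.5), the frag rule and the lo0/rl0 rules are left out, and the rule numbers are the model's own. Under those assumptions the trace shows three things worth checking on a real box before trusting the ruleset: with keep-state on the divert rules themselves, the reply to an outbound connection takes the divert parent on its check-state hit and then falls through to the final deny; with keep-state on a skipto that leads to a divert followed by an allow (the keep-state, divert, allow order the poster mentions), both directions pass; and the "to $reserved" rule has to stay ahead of the inbound divert, because after natd the destination is a LAN address and the same rule would then deny every translated reply.

```python
"""Toy model of ipfw rule evaluation for tracing the posted ruleset (constructed example,
neither ipfw nor the poster's script; assumed semantics are in the text and comments)."""
import ipaddress
from dataclasses import dataclass

EXT, EXT_ADDR = "tun0", "203.0.113.5"       # EXT_ADDR: constructed public address
LAN = ipaddress.ip_network("192.168.123.0/24")
RESERVED = "192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3"

@dataclass
class Pkt:
    proto: str; src: str; dst: str; dir: str; via: str   # dir is "in" or "out"
    syn_only: bool = False                               # SYN without ACK ("setup")

@dataclass
class Rule:
    num: int; action: str                       # allow, deny, divert, skipto, check-state
    proto: str = "all"; src: str = "any"; dst: str = "any"
    dir: str = None; via: str = None; flag: str = None   # flag: "setup" or "established"
    keep_state: bool = False; target: int = 0            # target: skipto destination

def addr_match(spec, addr):
    if spec in ("any", "me"):                   # "me" is the external address here
        return spec == "any" or addr == EXT_ADDR
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in spec.split(","))

def matches(r, p):
    return (r.proto in ("all", p.proto) and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst) and r.dir in (None, p.dir)
            and r.via in (None, p.via) and (r.flag is None or (r.flag == "setup") == p.syn_only))

def natd(p, nat):
    if p.dir == "out" and ipaddress.ip_address(p.src) in LAN:   # source NAT behind EXT_ADDR
        nat[(p.proto, p.dst)] = p.src
        return Pkt(p.proto, EXT_ADDR, p.dst, p.dir, p.via, p.syn_only)
    if p.dir == "in" and p.dst == EXT_ADDR and (p.proto, p.src) in nat:
        return Pkt(p.proto, p.src, nat[(p.proto, p.src)], p.dir, p.via, p.syn_only)
    return p                                    # nothing to translate: pass through unchanged

def evaluate(rules, p, dyn, nat):
    """First match wins; return (action, packet as it leaves ipfw, matched rule numbers)."""
    i, path = 0, []
    while i < len(rules):
        r, from_state = rules[i], False
        if r.action == "check-state":           # dynamic hit runs the parent rule's action
            parent = dyn.get((p.proto, p.src, p.dst)) or dyn.get((p.proto, p.dst, p.src))
            if parent is None:
                i += 1
                continue
            r, i, from_state = parent, rules.index(parent), True
        elif not matches(r, p):
            i += 1
            continue
        path.append(r.num)
        if r.keep_state and not from_state:
            dyn[(p.proto, p.src, p.dst)] = r    # state keyed on the addresses seen here
        if r.action == "divert":
            p, i = natd(p, nat), i + 1          # natd reinjects after the diverting rule
        elif r.action == "skipto":
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
        else:
            return r.action, p, path
    return "deny", p, path                      # default rule 65535

INBOUND = [                                     # the posted inbound section, minus frag
    Rule(200, "deny", dst=RESERVED, dir="in", via=EXT),
    Rule(210, "divert", dir="in", via=EXT),
    Rule(220, "check-state"),
    Rule(230, "deny", proto="tcp", flag="established", dir="in", via=EXT),
    Rule(240, "deny", src=RESERVED, dir="in", via=EXT),
    Rule(250, "deny", dir="in", via=EXT),
]
POSTED = INBOUND + [                            # posted outbound: keep-state on the diverts
    Rule(300, "divert", proto="tcp", dir="out", via=EXT, flag="setup", keep_state=True),
    Rule(310, "divert", dir="out", via=EXT, keep_state=True),
    Rule(320, "allow", dir="out", via=EXT),
    Rule(400, "deny"),
]
SKIPTO = INBOUND + [                            # keep-state, divert, allow done with skipto
    Rule(300, "skipto", proto="tcp", dir="out", via=EXT, flag="setup", keep_state=True, target=800),
    Rule(310, "skipto", dir="out", via=EXT, keep_state=True, target=800),
    Rule(400, "deny"),
    Rule(800, "divert", dir="out", via=EXT),
    Rule(810, "allow"),
]

def moved_after(rules, num, after):
    """Copy of rules with rule `num` relocated to just after rule `after`."""
    moving = next(x for x in rules if x.num == num)
    rest = [x for x in rules if x.num != num]
    k = next(j for j, x in enumerate(rest) if x.num == after) + 1
    return rest[:k] + [moving] + rest[k:]

def trace_connection(rules):
    """A LAN host opens a TCP connection: (verdict, path) for the SYN, then for the reply."""
    dyn, nat = {}, {}
    out = evaluate(rules, Pkt("tcp", "192.168.123.10", "198.51.100.7", "out", EXT, True), dyn, nat)
    back = evaluate(rules, Pkt("tcp", "198.51.100.7", EXT_ADDR, "in", EXT), dyn, nat)
    return out[0], out[2], back[0], back[2]
```

trace_connection(POSTED) returns the outbound verdict with its matched rule numbers and then the same for the reply; comparing it with trace_connection(SKIPTO) and with trace_connection(moved_after(SKIPTO, 200, 210)) gives the three cases described above. The model is only a reading aid: on the real box, `ipfw -d list` shows which rule each dynamic entry was created by, which is the quickest way to confirm whether a keep-state parent is a divert or a skipto.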
