Thank you. Please do send the sample ipfilter rules. I am
very keen on getting all my services working properly with
a solid firewall, and if IPFILTER is the only way then so
be it.
What changes to the kernel will IPFILTER require? At the
moment i have the following kernel options for IPFW and
nat:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
To give you an idea about my requirements, my complete IPFW
ruleset is attached. It is, ironically, based on an article
by Marty Schlacter titled How to Build a FreeBSD-STABLE
Firewall with IPFILTER
(http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html)
Many thanks for your response,
Gareth
On Tue, 11 May 2004 12:00:52 -0400
JJB [EMAIL PROTECTED] wrote:
You have fallen into an IPFW bug.
IPFW with an nated lan does not work with keep state
rules.
Your other Lan functions to public internet should not be
working
either.
Their must be other ipfw rules which are allowing the
other lan
function to get through.
IPFW is not the correct solution.
You really need to use ipfilter the other builtin
firewall that is
delivered with the FBSD install.
Ipfilter uses an stand-a-lone ipnat function instead of
an
subroutine call launched by an rule.
It has keep-state rules also for the max in protection.
I have sample ipfilter rules file I can send you if you
are
interested.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Gareth
Bailey
Sent: Tuesday, May 11, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: FTP problem with IPFW
I have recently setup IPFW on my FreeBSD 5.2 Release
server. I am running natd to provide inet to 5 LAN users.
It also runs mail, apache web server amongst others.
All seems to be working fine, except for FTP.
The first two lines of my firewall file are:
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
... then later in the file:
add 3600 allow tcp from any to me dst-port 21 in via ed0
setup keep-state
I thought this would be sufficient to establish and
maintain FTP connections. I read through the mailing
lists
and it seems that FTP is tricky with IPFW and natd.
Is there a simple solution to this problem? Can i just
add
some other rule to my firewall? I read something about
natd
punching through IPFW, is this the answer?
Any information will be mouch appreciated.
Thanks,
Gareth (IPFW newbie)
_
For super low premiums ,click here http://www.dialdirect.co.za/quote
add 00050 divert 8668 ip from any to any via ed0
# Outside Interface
#---
# Allow out all TCP, UDP, and ICMP traffic keep state on it
# so that it's allowed back in
#---
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
add 1200 allow icmp from any to any via ed0 out keep-state
add 1300 deny IP from any to any via ed0 out
#---
# Block all inbound traffic from non-routable or reserved address (paranoid)
# spaces
#---
add 2000 deny IP from 192.168.0.0/16 to any via ed0 in #RFC 1918 private IP
add 2100 deny IP from 172.16.0.0/12 to any via ed0 in #RFC 1918 private IP
add 2200 deny IP from 10.0.0.0/8 to any via ed0 in #RFC 1918 private IP
add 2300 deny IP from 127.0.0.0/8 to any via ed0 in #loopback
add 2400 deny IP from 0.0.0.0/8 to any via ed0 in #loopback
add 2500 deny IP from 169.254.0.0/16 to any via ed0 in #DHCP auto-config
add 2600 deny IP from 192.0.2.0/24 to any via ed0 in#reserved for doc's
add 2700 deny IP from 204.152.64.0/23 to any via ed0 in #Sun cluster interconnect
add 2800 deny IP from 224.0.0.0/3 to any via ed0 in #Class D E multicast
#---
# Allow external access to services
#---
add 3000 allow tcp from any to me dst-port 80 in via ed0 setup keep-state #HTTP
add 3100 allow tcp from any to me dst-port 22 in via ed0 setup keep-state #SSH
add 3200 allow tcp from any to me dst-port 143 in via ed0 setup keep-state
#Webmail
add 3300 allow tcp from any to me dst-port 993 in via ed0 setup keep-state
#Courier IMAP - POP
add 3400 allow tcp from
