Re: firewall revisited

2003-03-06 Thread Dave McCammon

--- Giorgos Keramidas <[EMAIL PROTECTED]> wrote:
> On 2003-03-05 09:32, Brian Henning <[EMAIL PROTECTED]> wrote:
> > Hello-
> > currently my rc.conf is set up like this for my gateway router.
> > gateway_enable="YES"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_enable="YES"
> > natd_interface="rl1" # natd -interface rl1, public interface
> > natd_flags=""# sysctl net.inet.ip.forwarding=1
> >
> > how can i have the script /etc/ipfw.rules run instead of
> > /etc/rc.firewall. can i change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
> 
> Why are you confused?
> 
> That depends on what you're trying to do and what the contents of
> /etc/ipfw.rules are.  There are currently the following ways to set up
> a completely custom set of firewall rules:
> 
> 1. Rewrite /etc/rc.firewall
> 
>    This can easily be done, if you replace /etc/rc.firewall with your
>    custom script.  This isn't recommended though since you'd have to
>    carefully track all changes to the official version of the
>    rc.firewall script and merge any interesting stuff back to your
>    version of the script.
> 
> 2. Add a new firewall "type" to rc.firewall
> 
>    Copying one of the existing firewall types you can easily add a
>    new one, and make sure that it loads all (and only) the ipfw(8)
>    rules that you want.  This can be difficult to keep up to date
>    after changes to the rc.firewall script, but not as difficult to
>    keep up to date as option #1.
> 
> 3. Write your own version of a firewall script
> 
>    Copy `rc.firewall' to a new script (i.e., `rc.firewall.local') and
>    make your changes to the new script.  Then set firewall_script to
>    point to the new script in `/etc/rc.conf'.  For example:
> 
>       % cat /etc/rc.firewall.local
>       fwcmd="/sbin/ipfw"
>       ${fwcmd} -q flush
>       ${fwcmd} add 1 pass ip from any to any
> 
>       % grep firewall_script /etc/rc.conf
>       firewall_script="/etc/rc.firewall.local"
> 
>    This is a fairly nice way of doing things, but it doesn't work
>    correctly if you want to tweak the way ipfw(8) is called by
>    setting things like firewall_quiet="YES" in your `rc.conf' file.
>    Mostly because the logic for all those firewall_xxx options is
>    implemented as part of the existing `rc.firewall' script.
> 
> 4. Create a ruleset file, and point rc.firewall to it
> 
>    You can always write your own set of firewall rules, without a
>    ${fwcmd} prefix, and save it to a file, i.e. `/etc/ipfw.rules'.
>    This is a plain text file that contains *only* firewall rules.
>    No shell commands.  You can use `#' for comments (as shown in the
>    sample file below):
> 
>       % cat /etc/ipfw.rules
>       flush
>       add allow ip from any to any
> 
>    Then you just need to make sure that your `rc.conf' contains the
>    following two lines:
> 
>       firewall_enable="YES"
>       firewall_type="/etc/ipfw.rules"
> 
>    The firewall_type value is the *FULL* path to the ruleset file.  It
>    is important to include the leading `/' character.  This way,
>    ipfw(8) will know that this is the path of a rule file and not the
>    name of a command (like `add' in `ipfw add ...').
> 
>    This is the way I usually prefer setting ipfw(8) up.  For various
>    reasons.  One of them is that my firewall rules are not lost in
>    between the lines of some shell script that I don't remember I have
>    edited.  Another reason is that having made no changes to the
>    original `rc.firewall' script, there is no need to take care for
>    merging changes later with mergemaster(8).
> 
> Phew.  This was long.
> 
GREAT Explanation. The difference in using
firewall_script and firewall_type ought to be outlined
in the Handbook.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


Re: firewall revisited

2003-03-05 Thread Giorgos Keramidas
On 2003-03-05 09:32, Brian Henning <[EMAIL PROTECTED]> wrote:
> Hello-
> currently my rc.conf is set up like this for my gateway router.
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="rl1" # natd -interface rl1, public interface
> natd_flags=""# sysctl net.inet.ip.forwarding=1
>
> how can i have the script /etc/ipfw.rules run instead of
> /etc/rc.firewall. can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?

Why are you confused?

That depends on what you're trying to do and what the contents of
/etc/ipfw.rules are.  There are currently the following ways to set up
a completely custom set of firewall rules:

1. Rewrite /etc/rc.firewall

   This can easily be done, if you replace /etc/rc.firewall with your
   custom script.  This isn't recommended though since you'd have to
   carefully track all changes to the official version of the
   rc.firewall script and merge any interesting stuff back to your
   version of the script.

2. Add a new firewall "type" to rc.firewall

   Copying one of the existing firewall types you can easily add a
   new one, and make sure that it loads all (and only) the ipfw(8)
   rules that you want.  This can be difficult to keep up to date
   after changes to the rc.firewall script, but not as difficult to
   keep up to date as option #1.

3. Write your own version of a firewall script

   Copy `rc.firewall' to a new script (i.e., `rc.firewall.local') and
   make your changes to the new script.  Then set firewall_script to
   point to the new script in `/etc/rc.conf'.  For example:

      % cat /etc/rc.firewall.local
      fwcmd="/sbin/ipfw"
      ${fwcmd} -q flush
      ${fwcmd} add 1 pass ip from any to any

      % grep firewall_script /etc/rc.conf
      firewall_script="/etc/rc.firewall.local"

   This is a fairly nice way of doing things, but it doesn't work
   correctly if you want to tweak the way ipfw(8) is called by
   setting things like firewall_quiet="YES" in your `rc.conf' file.
   Mostly because the logic for all those firewall_xxx options is
   implemented as part of the existing `rc.firewall' script.

4. Create a ruleset file, and point rc.firewall to it

   You can always write your own set of firewall rules, without a
   ${fwcmd} prefix, and save it to a file, i.e. `/etc/ipfw.rules'.
   This is a plain text file that contains *only* firewall rules.
   No shell commands.  You can use `#' for comments (as shown in the
   sample file below):

      % cat /etc/ipfw.rules
      flush
      add allow ip from any to any

   Then you just need to make sure that your `rc.conf' contains the
   following two lines:

      firewall_enable="YES"
      firewall_type="/etc/ipfw.rules"

   The firewall_type value is the *FULL* path to the ruleset file.  It
   is important to include the leading `/' character.  This way,
   ipfw(8) will know that this is the path of a rule file and not the
   name of a command (like `add' in `ipfw add ...').

   This is the way I usually prefer setting ipfw(8) up.  For various
   reasons.  One of them is that my firewall rules are not lost in
   between the lines of some shell script that I don't remember I have
   edited.  Another reason is that having made no changes to the
   original `rc.firewall' script, there is no need to take care for
   merging changes later with mergemaster(8).

Phew.  This was long.

- Giorgos
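The point of option 4 is that the file named by firewall_type is handed to ipfw(8) as a rule file, so it must be an absolute path and must contain nothing but rules and `#' comments. The POSIX sh checker below is an added example (not from this thread and not part of FreeBSD's rc scripts) that tests both conditions before you commit a file to rc.conf: it refuses a firewall_type value without a leading `/', and it walks a candidate file line by line, rejecting any line that does not start with an ipfw command word or that carries shell syntax such as `${fwcmd}'. The list of command words and the two sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a ruleset file for use
# as firewall_type="/path/to/file".  Assumes nothing about the live system;
# the sample files come from write_samples below.

# Command words that may start a line in a rule file (constructed list).
IPFW_VERBS="add delete flush list show zero resetlog set table pipe queue nat"

# is_ruleset_path VALUE: 0 if VALUE starts with '/' and is readable, i.e.
# rc.firewall will pass it to ipfw(8) as a file rather than a named type.
is_ruleset_path() {
    case $1 in
        /*) [ -r "$1" ] ;;
        *)  echo "firewall_type=\"$1\": no leading '/', treated as a named type" >&2
            return 1 ;;
    esac
}

# check_ruleset FILE: 0 if every non-blank, non-comment line begins with an
# ipfw command word and contains no shell syntax, 1 otherwise.
check_ruleset() {
    file=$1
    if ! [ -r "$file" ]; then
        echo "$file: not readable" >&2
        return 1
    fi
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f                      # no globbing while splitting the line
        set -- $line                # $1 is now the first word (unexpanded)
        set +f
        case ${1:-} in
            ''|'#'*) continue ;;    # blank line or comment
        esac
        ok=0
        for verb in $IPFW_VERBS; do
            if [ "$verb" = "$1" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$file:$lineno: '$1' is not an ipfw command word" >&2
            rc=1
        fi
        case $line in
            *'$'*|*';'*|*'`'*|*'|'*)
                echo "$file:$lineno: shell syntax in a rule file" >&2
                rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# write_samples DIR: a constructed plain ruleset (fit for firewall_type) and
# a constructed shell-style script (fit only for firewall_script).
write_samples() {
    printf '%s\n' \
        '# constructed sample: plain ipfw rules only' \
        'flush' \
        'add 100 allow ip from any to any via lo0' \
        'add 65000 deny log ip from any to any' > "$1/ipfw.rules"
    printf '%s\n' \
        'fwcmd="/sbin/ipfw"' \
        '${fwcmd} -q flush' \
        '${fwcmd} add 1 pass ip from any to any' > "$1/rc.firewall.local"
}

# Stand-alone demo: write both samples and report which one qualifies.
demo_dir=${TMPDIR:-/tmp}/ipfw-ruleset-demo.$$
mkdir -p "$demo_dir"
write_samples "$demo_dir"
for f in ipfw.rules rc.firewall.local; do
    if check_ruleset "$demo_dir/$f"; then
        echo "$f: usable as firewall_type=\"$demo_dir/$f\""
    else
        echo "$f: contains shell, use firewall_script instead"
    fi
done
rm -rf "$demo_dir"
```

Run it as `sh check-ruleset.sh`; the first sample passes, the second is reported as a shell script on both counts (an unknown first word and a `$` on the line), which is exactly the file that belongs in firewall_script rather than firewall_type.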




Re: firewall revisited

2003-03-05 Thread Jeff Walters
On Wednesday 05 March 2003 02:48 pm, Brian Henning wrote:

> Jeff,
>
> you must have your firewall_type set to the default then in rc.conf or
> /etc/defaults/rc.conf. does your setup not run the standard rc.firewall file
> in /etc?
>
> does this rule allow any access to the outside network?
> ipfw add 00100 allow tcp from any to any via ed0 established
>
> thanks,
>
> brian

I don't set firewall_type in rc.conf (ie. leaving it at the default), because 
it would be ignored.  When you change firewall_script in /etc/rc.conf, 
/etc/rc.firewall will no longer run at boot automatically.

The ipfw rule above allows all packets for established connections to pass the 
firewall.  This is determined only by the flags in each inbound packet, not 
because of any memory of the state of connections.  You would also need rules 
dealing with the setup packets to allow the TCP connections to be created.  
It's in the ipfw man page and probably the FreeBSD Handbook also with better 
examples, but a quick additional rule to allow you to get out on ed0 with any 
possible TCP connection would be:

ipfw add 00200 allow tcp from any to any out xmit ed0 setup

Jeff



Re: firewall revisited

2003-03-05 Thread Brian Henning
> > how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> > can i change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
>
> I have that working right now with:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> ... where /etc/rc.firewall.local contains the customized ipfw commands.
>
> > what i would like to do is block all access to services on the router like
> > httpd, sshd, etc
> > the other thing i would like to do is port forward ssh from another machine
> > and allow access of that from an external network.
> > does something like this make sense?
> > thanks,
>
> If you are using NAT then the -redirect_port option to natd will do that (ie.
> forward incoming port 22 connections to an internal machine), which can be
> set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable.  You
> have to create a corresponding ipfw rule to allow the traffic after natd
> rewrites the destination IP to your internal LAN machine, which it looks like
> you have done below, except the "from" would be "any" not "ROUTER_IP".  It
> will be the IP of the outside machine trying to connect to port 22.
>
> I have a similar port forward set up.  Early in the firewall rules allow all
> established TCP connections, and then later allow the setup for the initial
> SSH connection.  10.0.1.2 would be a machine behind the firewall to receive
> SSH connections, and ed0 would be the external internet interface.
>
> in /etc/rc.conf:
> natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"
>
> in the firewall script:
> ipfw -q flush
> ipfw add 00050 divert natd ip from any to any via ed0
> ipfw add 00100 allow tcp from any to any via ed0 established
> 
> ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
> 
> ipfw add 65530 deny log ip from any to any
>
> I winged this so forgive any errors, but it's based on what I have working,
> including a rule to deny and log everything by default at the bottom.
>
[snip]


Jeff,

you must have your firewall_type set to the default then in rc.conf or
/etc/defaults/rc.conf. does your setup not run the standard rc.firewall file in
/etc?

does this rule allow any access to the outside network?
ipfw add 00100 allow tcp from any to any via ed0 established

thanks,

brian



Re: firewall revisited

2003-03-05 Thread Jeff Walters
> how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?

I have that working right now with:

firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"

... where /etc/rc.firewall.local contains the customized ipfw commands.

> what i would like to do is block all access to services on the router like
> httpd, sshd, etc
> the other thing i would like to do is port forward ssh from another machine
> and allow access of that from an external network.
> does something like this make sense?
> thanks,

If you are using NAT then the -redirect_port option to natd will do that (ie. 
forward incoming port 22 connections to an internal machine), which can be 
set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable.  You 
have to create a corresponding ipfw rule to allow the traffic after natd 
rewrites the destination IP to your internal LAN machine, which it looks like 
you have done below, except the "from" would be "any" not "ROUTER_IP".  It 
will be the IP of the outside machine trying to connect to port 22.

I have a similar port forward set up.  Early in the firewall rules allow all 
established TCP connections, and then later allow the setup for the initial 
SSH connection.  10.0.1.2 would be a machine behind the firewall to receive 
SSH connections, and ed0 would be the external internet interface.

in /etc/rc.conf:
natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"

in the firewall script:
ipfw -q flush
ipfw add 00050 divert natd ip from any to any via ed0
ipfw add 00100 allow tcp from any to any via ed0 established

ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup

ipfw add 65530 deny log ip from any to any

I winged this so forgive any errors, but it's based on what I have working, 
including a rule to deny and log everything by default at the bottom.

> /etc/rc.firewall.rules
> --
> #!/bin/sh
> IPFW=/sbin/ipfw
> ${IPFW} -f flush
> ${IPFW} add 00200 divert natd all from any to any via rl1
> ${IPFW} add 00250 pass tcp from ${ROUTER_IP} to ${MACHINE1_IP} 22
> ${IPFW} add 00260 pass tcp from ${MACHINE1_IP} 22 to ${ROUTER_IP}
> ${IPFW} add 00300 pass all from any to any
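Putting Jeff's advice together with Brian's two goals (no outside access to the router's own daemons, SSH forwarded to one LAN host) gives the ordering below: divert to natd first, pass `established' TCP early, refuse `setup' packets aimed at the router's own ports on the outside interface, allow `setup' only for the forwarded host and for outbound connections, and deny-and-log everything else last. The generator is an added example, not code from Jeff or Brian; it emits a plain rule file of the kind firewall_type can point at. ed0 and 10.0.1.2 are the values from Jeff's message, ed1 as the LAN interface and the 22,80 port list are assumed, and the `me' keyword (any address configured on the router) is ipfw's own. Only TCP and stateless DNS are covered; other protocols need rules of their own. The rules_in_order helper is also mine, a check that rule numbers really increase, since a rule that lands before the established-connection rule changes what it matches.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset for a NAT
# gateway that forwards SSH to one LAN host and keeps the router's own
# services closed to the outside.  Interface names and the LAN host are
# parameters; the demo values below are assumed.

# gen_ruleset EXT_IF INT_IF INT_SSH_HOST [ROUTER_PORTS]
# Prints the ruleset to stdout; redirect it to a file such as
# /etc/ipfw.rules and set firewall_type to that absolute path.
gen_ruleset() {
    ext=$1; int=$2; host=$3; ports=${4:-22,80}
    cat <<EOF
# generated ruleset: NAT gateway on $ext, LAN on $int, ssh forwarded to $host
flush
# loopback and the LAN side are trusted
add 00010 allow ip from any to any via lo0
add 00020 allow ip from any to any via $int
# translate before any rule looks at addresses (natd -redirect_port acts here)
add 00050 divert natd ip from any to any via $ext
# packets of connections already set up (ACK or RST set, SYN clear) pass
add 00100 allow tcp from any to any via $ext established
# no new connections from outside to the router's own daemons
add 00200 deny log tcp from any to me $ports in via $ext setup
# the forwarded SSH service: after natd the destination is the LAN host
add 01000 allow tcp from any to $host 22 in via $ext setup
# the LAN (and the router itself) may open TCP connections outward
add 01100 allow tcp from any to any out xmit $ext setup
# stateless DNS for LAN clients; other UDP and ICMP need their own rules
add 01200 allow udp from any to any 53 out xmit $ext
add 01210 allow udp from any 53 to any in recv $ext
# everything else is dropped and logged
add 65530 deny log ip from any to any
EOF
}

# rules_in_order RULESET: 0 if the 'add' lines carry strictly increasing
# rule numbers, 1 otherwise.  Leading zeros are stripped so that 00050 is
# compared as 50 rather than being read as octal anywhere.
rules_in_order() {
    printf '%s\n' "$1" | grep '^add ' | {
        prev=0
        while read -r verb num rest; do
            while [ "${num#0}" != "$num" ] && [ -n "${num#0}" ]; do
                num=${num#0}
            done
            if [ "$num" -le "$prev" ]; then exit 1; fi
            prev=$num
        done
        exit 0
    }
}

# Stand-alone demo with assumed values: ed0 outside, ed1 LAN, 10.0.1.2 the
# host that receives the forwarded SSH connections.
ruleset=$(gen_ruleset ed0 ed1 10.0.1.2)
printf '%s\n' "$ruleset"
if rules_in_order "$ruleset"; then
    echo "# rule numbers are in order" >&2
else
    echo "# rule numbers are NOT in order" >&2
fi
```

The matching rc.conf line for the NAT side is the one Jeff gave, `natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"`. Note what rule 00200 does and does not block: a packet for the router's public address on port 22 has already been rewritten to 10.0.1.2 by the divert rule, so the forwarded service still works, while port 80 on the router itself stays closed from the outside.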





firewall revisited

2003-03-05 Thread Brian Henning
Hello-
currently my rc.conf is set up like this for my gateway router.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl1" # natd -interface rl1, public interface
natd_flags=""# sysctl net.inet.ip.forwarding=1


how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall. can i
change
firewall_type="OPEN" to firewall_type="" and create the entry
firewall_script="/etc/ipfw.rules"?

what i would like to do is block all access to services on the router like
httpd, sshd, etc
the other thing i would like to do is port forward ssh from another machine and
allow access of that from an external network.
does something like this make sense?
thanks,

brian

/etc/rc.firewall.rules
--
#!/bin/sh
IPFW=/sbin/ipfw
# ROUTER_IP and MACHINE1_IP are not defined in this script; they must be
# set in the environment before these rules are loaded.
${IPFW} -f flush                                                   # drop all existing rules
${IPFW} add 00200 divert natd all from any to any via rl1          # NAT on the public interface
${IPFW} add 00250 pass tcp from ${ROUTER_IP} to ${MACHINE1_IP} 22  # forwarded ssh, inbound
${IPFW} add 00260 pass tcp from ${MACHINE1_IP} 22 to ${ROUTER_IP}  # forwarded ssh, replies
${IPFW} add 00300 pass all from any to any                         # everything else passes
