hi all i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network.
external ip of my internal client is aliased to the outside nic of the gateway box gateway machine's kernel has been recompiled with: options IPFIREWALL options IPDIVERT options IPFIREWALL_DEFAULT_TO_ACCEPT options IPFIREWALL_VERBOSE gateway's /etc/rc.conf looks like defaultrouter="129.x.x.1" hostname="hostname.com" ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0" #aliasing internal client's ip to the outside nic of gateway box ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0" #inside nic of gateway box ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0" gateway_enable="YES" firewall_enable="YES" #firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" natd_enable="YES" #natd interface is outside nic natd_interface="xl0" #natd flags redirect any traffic bound for ip of www3 to internal ip of www3 natd_flags="-redirect_address 10.0.0.2 129.x.x.20" kern_securelevel_enable="NO" ......... internal client's /etc/rc.conf looks like second machine's /etc/rc.conf: defaultrouter="10.0.0.1" ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0" ................ looks like this setup is working. the internal client is a basic webserver/ftp server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it hooked up to the internal nic of the gateway box. i am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. the following is my /etc/ipfw.rules on the gateway box. -----------------------------snip------------------------------ # firewall_type="/etc/ipfw.rules" # enquirer ipfw.rules # NAT add 00100 divert 8668 ip from any to any via xl0 # loopback add 00210 allow ip from any to any via lo0 add 00220 deny ip from any to 127.0.0.0/8 add 00230 deny ip from 127.0.0.0/8 to any #allow tcp in for nfs shares #add 00301 allow tcp from 129.x.x.x to any in via xl0 #add 00302 allow tcp from 129.x.x.x to any in via xl0 #allow tcp in for ftp,ssh, smtp, httpd add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0 #deny rest of incoming tcp add 00309 deny log tcp from any to any in established #from man 8 ipfw: allow only outbound tcp connections i've created add 00310 allow tcp from any to any out via xl0 #allow udp in for gateway for DNS add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0 #allow udp in for nfs shares #add 00401 allow udp from 129.x.x.x to any in recv xl0 #add 00402 allow udp from 129.x.x.x to any in recv xl0 #allow all udp out from machine add 00404 allow udp from any to any out via xl0 #allow some icmp types (codes not supported) ##########allow path-mtu in both directions add 00500 allow icmp from any to any icmptypes 3 ##########allow source quench in and out add 00501 allow icmp from any to any icmptypes 4 ##########allow me to ping out and receive response back add 00502 allow icmp from any to any icmptypes 8 out add 00503 allow icmp from any to any icmptypes 0 in ##########allow me to run traceroute add 00504 allow icmp from any to any icmptypes 11 in add 00600 deny log ip from any to any #--- end ipfw.rules ---# -----------------------------snip------------------------------ any comments on how i could improve this set of ipfw rules to better secure my internal client would be appreciated. thanks again redmond
msg17284/pgp00000.pgp
Description: PGP signature
