Thanks Alex, 

   Below are my rules.  I have removed the IP addresses and
replaced them with x.x.x.x in most cases.  Some ports have also been
replaced with y's instead of the actual port numbers. 

   Some of these rules are probably not needed, but it works, or
at least it seems to be working.

   Looking at the rules, 8 rules are not processed: I get 8
of the messages below, and 8 rules rely on E_IPADDR being
set (the allowTcpConnectionOut shell function sets 3 rules).

    Since E_IPADDR is always used when referring to
FULL_LAN, which includes the internal interface, I'm just going
to switch to using 'me' instead. 

    Is it better to use 'me' or an ip address?

Joe

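#! /bin/sh
# ipfw rules
#
######################################################################
# set up the ipfw command
# -q keeps successful rule additions quiet; a rule ipfw cannot parse
# is still reported on stderr.
ipfw_cmd="/sbin/ipfw -q"
#
######################################################################
# globals
######################################################################
GREP=/usr/bin/grep
INTERNET_IFACE=dc0
LAN_IFACE=xl0
# IPv4 address currently configured on the internet-facing interface.
# awk keys on the first field, so "inet6" lines never match, and it
# stops at the first "inet" line so an aliased interface cannot turn
# this into a multi-word value.  Empty when the interface has no
# address (e.g. the link is down).
E_IPADDR=$(/sbin/ifconfig "$INTERNET_IFACE" | awk '$1 == "inet" { print $2; exit }')
I_IPADDR="x.x.x.0"   # x.x.x has been removed for this email
DNS_LOOKUPS=$($GREP nameserver /etc/resolv.conf | awk '{print $2}')
DNS_SERVER="x.x.x.x"   # I've removed this for this email
# Source set for "our" side of the firewall.  ipfw reads the tokens of
# "{ a or b }" as separate words, so FULL_LAN is always passed to ipfw
# unquoted on purpose.  With an empty E_IPADDR the set would become
# "{ or x.x.x.0/24 }" and ipfw tries to resolve "or" as a hostname
# ("hostname or unknown"); fall back to the LAN network alone instead
# and say so on stderr.
if [ -n "$E_IPADDR" ]; then
  FULL_LAN="{ $E_IPADDR or $I_IPADDR/24 }"
else
  printf 'warning: no inet address on %s; FULL_LAN covers only %s/24\n' \
    "$INTERNET_IFACE" "$I_IPADDR" >&2
  FULL_LAN="$I_IPADDR/24"
fi
######################################################################
#
######################################################################
# function for allowing tcp connections
# takes from to and interface
###########################
# common prefix of every tcp allow rule, and the options that make
# the SYN rule create a dynamic (keep-state) entry
tcpAddAllow="$ipfw_cmd add allow tcp from "
setup="setup keep-state"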
###########################
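allowTcpEst() {
  # Allow already-established (non-SYN) tcp traffic in both directions
  # between $1 and $2 via interface $3.  Both endpoints are expanded
  # unquoted on purpose: an ipfw set such as "{ a or b }" has to reach
  # ipfw as separate words.  'local' keeps the temporaries out of the
  # global namespace (supported by FreeBSD's /bin/sh).
  local from to iface
  from=$1
  to=$2
  iface=$3
  $tcpAddAllow $from to $to via "$iface" established
  $tcpAddAllow $to to $from via "$iface" established
}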
###########################
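allowTcpConnectionOut() {
  # Let $1 open tcp connections to $2 leaving on interface $3: the SYN
  # rule creates a keep-state entry and allowTcpEst adds the
  # established rules for the rest of the conversation.  $from/$to are
  # left unquoted so an ipfw set "{ a or b }" splits into words.
  local from to iface
  from=$1
  to=$2
  iface=$3

  $tcpAddAllow $from to $to out xmit "$iface" $setup

  allowTcpEst "$from" "$to" "$iface"
}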
###########################
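allowTcpConnectionIn() {
  # Let $1 open tcp connections to $2 arriving on interface $3: the
  # SYN rule creates a keep-state entry and allowTcpEst adds the
  # established rules for the rest of the conversation.  $from/$to are
  # left unquoted so an ipfw set "{ a or b }" splits into words.
  local from to iface
  from=$1
  to=$2
  iface=$3

  $tcpAddAllow $from to $to in recv "$iface" $setup

  allowTcpEst "$from" "$to" "$iface"
}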
######################################################################
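# flush all the rules
# Between this flush and the last rule added below, only the kernel's
# default rule governs traffic.
$ipfw_cmd -f flush
#
######################################################################
# allow from loop back
#$ipfw_cmd set enable 0
#$ipfw_cmd set enable 1
$ipfw_cmd add allow all from any to any via lo0
$ipfw_cmd add deny all from 127.0.0.1 to 127.0.0.1
$ipfw_cmd add deny all from any to 127.0.0.0/8
$ipfw_cmd add deny ip from 127.0.0.0/8 to any
#
######################################################################
# from the dsl modem / router, once again masked, they are fixed IP's
# here (both addresses and the ports are placeholders in this email)
$ipfw_cmd add allow udp from x.x.x.x y to x.x.255.255 y via "$INTERNET_IFACE"
#
######################################################################
# drop inbound connection attempts (SYN) and the worm / MS ports on
# the internet interface before the natd divert below sees them
$ipfw_cmd add deny tcp from any to any in recv "$INTERNET_IFACE" setup
$ipfw_cmd add deny ip from any to any 0-19,135-139,445,1214,1434 in recv "$INTERNET_IFACE"
#
######################################################################
# need to divert all packets to get them where we want them
$ipfw_cmd add divert natd all from any to any via "$INTERNET_IFACE"
#
# match packets against the dynamic entries created by keep-state
$ipfw_cmd add check-state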
#
######################################################################
# this is the dc0 interface
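###########################
# tcp
###########################
# FULL_LAN may be an ipfw set "{ a or b }"; the helper expands it
# unquoted so ipfw gets the tokens as separate words.
allowTcpConnectionOut "$FULL_LAN" "any" "$INTERNET_IFACE"
#
# for passive ftp (port 20) x-fers eek! does MS need this?
#$ipfw_cmd add allow log tcp from any 20 to any in recv $INTERNET_IFACE
#
###########################
# this is udp DNS and NTP
###########################
# $FULL_LAN stays unquoted on purpose (see above)
$ipfw_cmd add allow udp from $FULL_LAN to any 53 out xmit "$INTERNET_IFACE" keep-state
#
# ntp
$ipfw_cmd add allow udp from $FULL_LAN to any 123 out xmit "$INTERNET_IFACE" keep-state
#
# apple talk traffic we dont want
$ipfw_cmd add deny udp from any to any 192
#
# netgear router port traffic we dont want, as well as MS
$ipfw_cmd add deny udp from any to any 137
#
# the rest of UDP that should not have anything in it; logged so that
# whatever does use it shows up
$ipfw_cmd add allow log udp from any to any out xmit "$INTERNET_IFACE" keep-state
#
###########################
# this is icmp out
###########################
$ipfw_cmd add allow icmp from $FULL_LAN to any out xmit "$INTERNET_IFACE" keep-state
#
###########################
# icmp from router to any
###########################
# this is masked for internet email
$ipfw_cmd add allow icmp from x.x.0.254 to $FULL_LAN icmptypes 3,4
#
###########################
# for big joe to access mindspring ?
# and yahoo and some other places that like to ping ??
###########################
$ipfw_cmd add allow log icmp from any to any in recv "$INTERNET_IFACE" icmptypes 0,3,4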
#
######################################################################
# WIRED LAN to web setup interface to dsl modem
###########################
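# masked IP address
$ipfw_cmd add allow log tcp from "$I_IPADDR/24" to x.x.0.254 80 in recv "$LAN_IFACE" setup keep-state
#
######################################################################
# WIRED_LAN in on internal interface
#
allowTcpConnectionIn "$I_IPADDR/24" "any" "$LAN_IFACE"
#
# remaining lan ip
$ipfw_cmd add allow udp from "$I_IPADDR/24" to any in recv "$LAN_IFACE" keep-state
$ipfw_cmd add allow icmp from "$I_IPADDR/24" to any in recv "$LAN_IFACE" keep-state
$ipfw_cmd add allow log icmp from any to any via "$LAN_IFACE" icmptypes 3,4
#
# ANYWHERE on the LAN to our internal server
# ($FULL_LAN stays unquoted: it may be an ipfw set "{ a or b }")
$ipfw_cmd add allow log tcp from $FULL_LAN to any 20,21,123,443,8010 via "$LAN_IFACE" setup keep-state
#
# default rule is to deny.  Say so explicitly instead of relying on
# the kernel's default rule 65535, whose action depends on how the
# kernel was built (IPFIREWALL_DEFAULT_TO_ACCEPT); logging it shows
# what reached the end of the rule set.
$ipfw_cmd add deny log ip from any to any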


--- Alex Zbyslaw <[EMAIL PROTECTED]> wrote:

> Joe wrote:
> 
> >I'm not sure why I get the hostname ``or'' unknown message
> >though.
> >
> >  
> >
> If you still get it once you take away your ifconfig stuff
> then you'll 
> know that it was responsible.  You haven't posted the actual
> lines you 
> use, so no-one is going to be able to figure out what might be
> 
> happening.  Where you currently have
> 
> variable=`ifconfig interface | stuff`
> 
> or whatever, put
> 
> echo $variable
> 
> after it and you will see if you got it right or not.  From
> what you've 
> said I think your stuff works fine when there is an ip address
> and 
> produces some junk when there isn't and you then feed that
> junk to an 
> ipfw rule which gives you the error.
> 
> --Alex
> 
> 



                