Thank you. Please do send the sample ipfilter rules. I am very keen on getting all my services working properly with a solid firewall, and if IPFILTER is the only way then so be it.

What changes to the kernel will IPFILTER require? At the moment I have the following kernel options for IPFW and NAT:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

To give you an idea about my requirements, my complete IPFW ruleset is attached. It is, ironically, based on an article by Marty Schlacter titled "How to Build a FreeBSD-STABLE Firewall with IPFILTER" (http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html).

Many thanks for your response,
Gareth

On Tue, 11 May 2004 12:00:52 -0400 "JJB" <[EMAIL PROTECTED]> wrote:
> You have fallen into an IPFW bug.
> IPFW with a NATed LAN does not work with keep-state rules.
>
> Your other LAN functions to the public internet should not be working either.
>
> There must be other ipfw rules which are allowing the other LAN function to get through.
>
> IPFW is not the correct solution.
> You really need to use ipfilter, the other built-in firewall that is delivered with the FBSD install.
> Ipfilter uses a stand-alone ipnat function instead of a subroutine call launched by a rule.
> It also has keep-state rules, for maximum protection.
> I have a sample ipfilter rules file I can send you if you are interested.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gareth Bailey
> Sent: Tuesday, May 11, 2004 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: FTP problem with IPFW
>
> I have recently set up IPFW on my FreeBSD 5.2 Release server. I am running natd to provide inet to 5 LAN users. It also runs mail, apache web server amongst others.
>
> All seems to be working fine, except for FTP.
>
> The first two lines of my firewall file are:
>
> add 1000 allow tcp from any to any via ed0 out keep-state
> add 1100 allow udp from any to any via ed0 out keep-state
>
> ...
>
> then later in the file:
>
> add 3600 allow tcp from any to me dst-port 21 in via ed0 setup keep-state
>
> I thought this would be sufficient to establish and maintain FTP connections. I read through the mailing lists and it seems that FTP is tricky with IPFW and natd.
>
> Is there a simple solution to this problem? Can I just add some other rule to my firewall? I read something about natd punching through IPFW, is this the answer?
>
> Any information will be much appreciated.
>
> Thanks,
> Gareth (IPFW newbie)
add 00050 divert 8668 ip from any to any via ed0

##########################################################
# Outside Interface
##########################################################
#----------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in
#----------------------------------------------------------
add 1000 allow tcp from any to any via ed0 out keep-state
add 1100 allow udp from any to any via ed0 out keep-state
add 1200 allow icmp from any to any via ed0 out keep-state
add 1300 deny ip from any to any via ed0 out

#----------------------------------------------------------
# Block all inbound traffic from non-routable or reserved
# address spaces (paranoid)
#----------------------------------------------------------
add 2000 deny ip from 192.168.0.0/16 to any via ed0 in    # RFC 1918 private IP
add 2100 deny ip from 172.16.0.0/12 to any via ed0 in     # RFC 1918 private IP
add 2200 deny ip from 10.0.0.0/8 to any via ed0 in        # RFC 1918 private IP
add 2300 deny ip from 127.0.0.0/8 to any via ed0 in       # loopback
add 2400 deny ip from 0.0.0.0/8 to any via ed0 in         # "this" network (RFC 1122), never a valid source
add 2500 deny ip from 169.254.0.0/16 to any via ed0 in    # DHCP auto-config (link-local)
add 2600 deny ip from 192.0.2.0/24 to any via ed0 in      # reserved for documentation
add 2700 deny ip from 204.152.64.0/23 to any via ed0 in   # Sun cluster interconnect
add 2800 deny ip from 224.0.0.0/3 to any via ed0 in       # Class D multicast & Class E reserved

#----------------------------------------------------------
# Allow external access to services
#----------------------------------------------------------
add 3000 allow tcp from any to me dst-port 80 in via ed0 setup keep-state     # HTTP
add 3100 allow tcp from any to me dst-port 22 in via ed0 setup keep-state     # SSH
add 3200 allow tcp from any to me dst-port 143 in via ed0 setup keep-state    # IMAP (webmail)
add 3300 allow tcp from any to me dst-port 993 in via ed0 setup keep-state    # Courier IMAP - IMAPS
add 3400 allow tcp from any to me dst-port 995 in via ed0 setup keep-state    # Courier IMAP - POP3S
add 3500 allow tcp from any to me dst-port 25 in via ed0 setup                # Postfix - SMTP
add 3600 allow tcp from any to me dst-port 3306 in via ed0 setup keep-state   # MySQL

#----------------------------------------------------------
# Allow established connections
#----------------------------------------------------------
# add 4000 allow tcp from any to me established
# add 4100 allow udp from any to me established

#----------------------------------------------------------
# Block all remaining incoming
#----------------------------------------------------------
add 5000 unreach host-unknown tcp from any to any via ed0 in
add 5100 unreach host-unknown udp from any to any via ed0 in
add 5200 deny ip from any to any via ed0 in

##########################################################
# Inside Interface
##########################################################
#----------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------
add 6000 allow tcp from any to any out via dc0 keep-state
add 6100 allow udp from any to any out via dc0 keep-state
add 6200 allow icmp from any to any out via dc0 keep-state
add 6300 deny ip from any to any out via dc0

#----------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------
add 7000 allow tcp from any to any in via dc0 keep-state
add 7100 allow udp from any to any in via dc0 keep-state
add 7200 allow icmp from any to any in via dc0 keep-state
add 7300 deny ip from any to any in via dc0

##########################################################
# Loopback Interface
##########################################################
#----------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------
add 8000 allow ip from any to any via lo0
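Editor's note, added to this thread as an illustration (it is not code from either poster): the script below re-implements just enough of ipfw(8)'s first-match evaluation to trace the outside-interface rules above by hand, so a reader can see which rule answers each packet of an FTP session. It assumes a few things that the thread does not state: the server and client addresses (constructed from the RFC 5737 documentation ranges), that natd/divert can be ignored for the trace, that dynamic state is keyed only on the 5-tuple with no timeouts, and that rule 3600 is the port-21 rule quoted in the original question rather than the MySQL rule in the attached file. As ipfw does when no explicit check-state rule is present, dynamic rules are consulted at the first keep-state rule, and the default rule is allow because the kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT.

```python
"""Simplified model of ipfw(8) first-match evaluation with keep-state.

Added illustration, not code from the thread.  Assumptions: only the ed0
rules are loaded, natd/divert is ignored, addresses are constructed
(RFC 5737), dynamic state is a plain 5-tuple, and rule 3600 is the
port-21 rule from the quoted question.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ME = {ip_address("203.0.113.10")}   # constructed: server's public address on ed0


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str            # "ed0", "dc0" or "lo0"
    direction: str        # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "unreach"
    proto: str                       # "ip" matches every protocol
    src_net: Optional[str] = None    # "from <cidr>"; None = any
    dst_me: bool = False             # "to me"
    dport: Optional[int] = None      # "dst-port N"
    iface: Optional[str] = None      # "via <iface>"
    direction: Optional[str] = None  # "in"/"out"; None = either direction
    setup: bool = False              # TCP SYN without ACK only
    keep_state: bool = False


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src_net and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst_me and ip_address(pkt.dst) not in ME:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def _flow_key(pkt: Packet):
    # Direction-independent 5-tuple so the reply hits the same dynamic rule.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def evaluate(rules, state: dict, pkt: Packet):
    """Return (action, rule_number); installs dynamic state as a side effect."""
    checked = False
    for rule in rules:
        if rule.keep_state and not checked:
            checked = True                          # implicit check-state point
            parent = state.get(_flow_key(pkt))
            if parent is not None:
                return ("allow", parent)
        if _matches(rule, pkt):
            if rule.keep_state and rule.action == "allow":
                state[_flow_key(pkt)] = rule.number
            return (rule.action, rule.number)
    return ("allow", 65535)   # IPFIREWALL_DEFAULT_TO_ACCEPT, as in the post


def _ed0(n, action, proto, direction, **kw):
    return Rule(n, action, proto, iface="ed0", direction=direction, **kw)


OUTSIDE_RULES = [
    _ed0(1000, "allow", "tcp", "out", keep_state=True),
    _ed0(1100, "allow", "udp", "out", keep_state=True),
    _ed0(1200, "allow", "icmp", "out", keep_state=True),
    _ed0(1300, "deny", "ip", "out"),
    _ed0(2000, "deny", "ip", "in", src_net="192.168.0.0/16"),
    _ed0(2100, "deny", "ip", "in", src_net="172.16.0.0/12"),
    _ed0(2200, "deny", "ip", "in", src_net="10.0.0.0/8"),
    _ed0(2300, "deny", "ip", "in", src_net="127.0.0.0/8"),
    _ed0(3000, "allow", "tcp", "in", dst_me=True, dport=80, setup=True, keep_state=True),
    _ed0(3100, "allow", "tcp", "in", dst_me=True, dport=22, setup=True, keep_state=True),
    _ed0(3600, "allow", "tcp", "in", dst_me=True, dport=21, setup=True, keep_state=True),
    _ed0(5000, "unreach", "tcp", "in"),
    _ed0(5100, "unreach", "udp", "in"),
    _ed0(5200, "deny", "ip", "in"),
]


def trace_ftp_session(client="198.51.100.7", server="203.0.113.10"):
    """Walk the packets of one FTP session through the rules, in order."""
    state = {}
    steps = {
        "control SYN in":         Packet("tcp", client, 40001, server, 21, "ed0", "in", syn=True),
        "control SYN-ACK out":    Packet("tcp", server, 21, client, 40001, "ed0", "out", syn=True, ack=True),
        "active data SYN out":    Packet("tcp", server, 20, client, 40002, "ed0", "out", syn=True),
        "active data SYN-ACK in": Packet("tcp", client, 40002, server, 20, "ed0", "in", syn=True, ack=True),
        "passive data SYN in":    Packet("tcp", client, 40003, server, 49152, "ed0", "in", syn=True),
    }
    return {name: evaluate(OUTSIDE_RULES, state, pkt) for name, pkt in steps.items()}
```

Running trace_ftp_session() shows the control connection admitted by rule 3600 and its reply matched by the dynamic rule 3600 created; an active-mode data connection (server-initiated from port 20) is admitted by rule 1000 in both directions; a passive-mode data connection to an unprivileged port on the server reaches rule 5000, because nothing before it opens those ports. Which of these the poster's clients exercise depends on the FTP mode they use, which the thread does not say, and the NAT-side behaviour JJB refers to is outside what this trace models.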
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
