Re: ipfw firewall help
At 09:36 10/21/2005, Daemon wrote:

> Great! Thanks. One possibly stupid question. What is the "Deny Spoof"? Is that like:
>
> # Stop spoofing of your internal network range
> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
> # Stop spoofing from inside your private ip range
> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}

Hey Daemon,

Your rules snippet looks great! I really like the way you have commented the lines. When you have debugged your firewall, would you please post the entire set here? That way, newbies can understand better how the firewall works. I haven't seen too many examples like this.

Thanks!

Start Here to Find It Fast! -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ipfw firewall help
Yup - that would work. IPFW also has a built-in command that does the same:

    $cmd deny ip from any to any not antispoof in

Daemon wrote:

> Great! Thanks. One possibly stupid question. What is the "Deny Spoof"? Is that like:
>
> # Stop spoofing of your internal network range
> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
> # Stop spoofing from inside your private ip range
> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> G Bryant wrote:
>
>> Hi,
>>
>> I found my rules worked best in this order: (You will need to correct the syntax - just typed up the order for you quickly)
>>
>> Deny spoofed
>> Allow localhost
>> Allow all from any to any via $iif
>> divert natd all from any to any in via $oif
>> #insert bandwidth shaping rules
>> skipto 5000 all from $iip to any out via $oif
>> #allow all from any to me in via $oif   # if you want to receive traffic from internet to this box. Your decision if you need it.
>> deny all from any to any out
>> allow all from any to $iip in via $oif
>> #allow all from me to any out via $oif   # traffic from this box out to the internet. Your decision if you need it.
>> deny all from any to any in
>> 5000 nat all from any to any out via $oif
>> allow all from any to any out
>>
>> This is a very "open" set of rules - your choice.
>>
>> Hope this helps.
>>
>> Regards,
>> Graham
>>
>> Daemon wrote:
>>
>>> I'm trying to build a firewall from scratch using man ipfw and what I can find on the net. I'm doing bandwidth shaping and I'm not quite sure where it goes as far as rule numbers. From what I can see, it matters and I'd like to do it right. I'm using an OPEN firewall with NATD because I'm on cable broadband with a static IP. Here is what I have.
>>>
>>> 00010    52    2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
>>> 00020     0       0 pipe 2 ip from any to 172.16.140.0/24 recv re0
>>> 00050   274   24955 divert 8668 ip from any to any via re0
>>> 00100    50    5642 allow ip from any to any via lo0
>>> 00200     0       0 deny ip from any to 127.0.0.0/8
>>> 00300     0       0 deny ip from 127.0.0.0/8 to any
>>> 65535  4658  547779 allow ip from any to any
>>>
>>> The actual rule set for the bandwidth shaping is:
>>>
>>> # Traffic Shaping.
>>> #
>>> oif="re0"               # ${oif} Public Interface.
>>> iif="re1"               # ${iif} Internal nic.
>>> iip="172.16.140.0/24"   # ${iip}
>>> ${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
>>> ${fwcmd} pipe 1 config mask src-ip 0xff00 bw 35Kbits/s queue 40Kbytes
>>> ${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
>>> ${fwcmd} pipe 2 config mask dst-ip 0xff00 bw 4000Kbits/s queue 40Kbytes
>>>
>>> I've found lots of stuff on "how" to set it up but I can't seem to find anything on where the rules go. Any help would be greatly appreciated.
>>>
>>> Regards,
>>> Mark
Re: ipfw firewall help
W. D. wrote:

> At 09:36 10/21/2005, Daemon wrote:
>
>> Great! Thanks. One possibly stupid question. What is the "Deny Spoof"? Is that like:
>>
>> # Stop spoofing of your internal network range
>> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
>> # Stop spoofing from inside your private ip range
>> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> Hey Daemon,
>
> Your rules snippet looks great! I really like the way you have commented the lines. When you have debugged your firewall, would you please post the entire set here? That way, newbies can understand better how the firewall works. I haven't seen too many examples like this.
>
> Thanks!

Sorry, I had to go out of town on Friday and just got back.

This is what I have so far, however I can't seem to figure out the correct syntax for my rule #2 for the rule Graham posted before. His rule was:

    5000 nat all from any to any out via $oif

Once I figure out the correct syntax, I'll be able to incorporate the rule set that Graham provided with some modifications. Right now it doesn't work correctly. Other than rule #2, if there are any other rules that aren't correct or can be more streamlined, I'd welcome and appreciate any input/advice.

By the way, thanks again Graham for the help.

nip="24.172.X.XX/30"    # ${nip}
oip="24.172.X.XX"       # ${oip} Static IP
oif="re0"               # ${oif} Public interface name of nic
                        # card facing the public Internet
iif="re1"               # ${iif} Internal nic.
iip="172.16.140.0/24"   # ${iip} Internal Subnet.

# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

# Flush out the list before we begin.
#
${fwcmd} -f flush

# Setup Loopback (not sure if these are in the
# correct place).
${fwcmd} add 10 pass all from any to any via lo0
${fwcmd} add 20 deny all from any to 127.0.0.0/8
${fwcmd} add 30 deny all from 127.0.0.0/8 to any
#-
# Stop spoofing of your internal network range and
# spoofing from inside your private ip range.
${fwcmd} add 40 deny ip from any to any not antispoof in
#-
# Natd rules. See Rule 300
${fwcmd} add 50 allow all from any to any via ${iif}
${fwcmd} add 60 divert natd all from any to any in via ${oif}
#-
# Traffic Shaping for the internal network.
${fwcmd} add 70 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xff00 bw 35Kbits/s queue 40Kbytes
${fwcmd} add 80 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xff00 bw 4000Kbits/s queue 40Kbytes
${fwcmd} add 90 allow all from any to me in via ${oif}
#-
# Allow internal network in/out via the outside nic.
${fwcmd} add 100 allow all from any to ${iip} in via ${oif}
${fwcmd} add 200 allow all from me to any out via ${oif}
#-
# See Rule 2
${fwcmd} add 300 skipto 2 all from ${iip} to any out via ${oif}
#-
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${fwcmd} add 400 deny { tcp or udp } from any to any 137,138,139,445,1080
${fwcmd} add 500 deny { tcp or udp } from any to any 1243,6776,8998,12345,31337
${fwcmd} add 600 deny icmp from any to me in icmptype 5,9,13,14,15,16,17
${fwcmd} add 700 deny icmp from any to any iplen 92
#-
# Block malicious connects to ssh, ftp, mail(pop/smtp/imap), and identd.
${fwcmd} add 800 deny all from "table(2,0)" to me 20-25,110,113,143
${fwcmd} add 900 deny all from "table(3,0)" to me 20-25,110,113,143
# Block malicious connects to web server ports.
${fwcmd} add 1000 deny all from "table(4,0)" to me 80,443
#-
# Deny any late arriving packets
${fwcmd} add 2000 deny all from any to any frag in via ${oif}
#-
# 5000 nat all from any to any out via $oif
# ^^^ Rule provided by Graham.
${fwcmd} add 2 divert natd ip from any to any out via $oif
${fwcmd} add 65000 allow all from any to any out
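Added example, mine rather than code from any post in this thread: ipfw's skipto continues the search at the first subsequent rule numbered at its target or higher, so it cannot jump backward to a lower-numbered rule such as a NAT rule placed earlier in the list. This dry-run checker flags such a skipto before the script is loaded; it assumes one rule per line with an explicit number after "add", and the sample lines are constructed from the thread's re0 and 172.16.140.0/24 values.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: a dry-run checker for
# an ipfw rule script. It scans lines of the form "... add <num> ... skipto
# <target> ..." and flags any skipto whose target is not greater than the
# rule's own number, because skipto only continues the search at subsequent
# rules numbered <target> or higher and so never reaches a lower-numbered rule.
# Assumed: one rule per line, an "add" token followed by an explicit number.

check_skipto() {
    # Reads rule lines on stdin. Returns 0 when every skipto jumps forward,
    # 1 otherwise, printing one diagnostic per offending rule.
    awk '
        {
            rule = ""
            for (i = 1; i < NF; i++) {
                if ($i == "add" && $(i + 1) ~ /^[0-9]+$/) { rule = $(i + 1); break }
            }
            if (rule == "") next
            for (i = 1; i < NF; i++) {
                if ($i == "skipto" && $(i + 1) ~ /^[0-9]+$/ && $(i + 1) + 0 <= rule + 0) {
                    printf "rule %d: skipto %d jumps backward, target must be > %d\n", rule, $(i + 1), rule
                    bad++
                }
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed rule lines (values from the thread: re0, 172.16.140.0/24).
# Backward jump: the NAT rule numbered 2 sits before the skipto in rule 300.
backward_rules() {
    cat <<'EOF'
${fwcmd} add 2 divert natd ip from any to any out via re0
${fwcmd} add 300 skipto 2 all from 172.16.140.0/24 to any out via re0
${fwcmd} add 65000 allow all from any to any out
EOF
}

# Forward jump: the NAT rule is numbered above the skipto that targets it.
forward_rules() {
    cat <<'EOF'
${fwcmd} add 300 skipto 5000 all from 172.16.140.0/24 to any out via re0
${fwcmd} add 5000 divert natd ip from any to any out via re0
${fwcmd} add 65000 allow all from any to any out
EOF
}

# Demo: the forward ordering passes, the backward one is rejected.
forward_rules | check_skipto && echo "forward ordering: ok"
backward_rules | check_skipto || echo "backward ordering: rejected"
```

To check a real script, run it with fwcmd set to echo and pipe the output into check_skipto.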
Re: kern/48172: [ipfw] [patch] ipfw does not log size and flags
Old Synopsis: ipfw does not log size and flags
New Synopsis: [ipfw] [patch] ipfw does not log size and flags

Responsible-Changed-From-To: ipfw->freebsd-ipfw
Responsible-Changed-By: gnats
Responsible-Changed-When: Mon Oct 24 04:38:05 GMT 2005
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=48172
Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Old Synopsis: [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
New Synopsis: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:10:01 GMT 2005
Responsible-Changed-Why:
Over to mailing list for review.

http://www.freebsd.org/cgi/query-pr.cgi?pr=78762
Re: bin/78785: [ipfw] [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely
Synopsis: [ipfw] [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:11:22 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=78785
Re: kern/86957: [ipfw] [patch] ipfw mac logging
Synopsis: [ipfw] [patch] ipfw mac logging

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:12:25 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=86957