IPFW Ruleset

sn1tch dot.sn1tch at gmail.com
Tue Feb 22 12:29:38 PST 2005 

I'm trying to setup a stateful ruleset for my bsd machine, I have natd
running and working, but for the life of me I cannot get to any
outside websites. I know DNS is getting blocked but it's by one of the
last rules denying everything else…and I cant seem to get the firewall
to let it pass on.. Here is what I have (which is right out of the
FreeBSD handbook):

 

// Begin 

case ${firewall_type} in 

[Nn][Ee][Tt]) 

# Outside interface network and netmask and ip

oif="fxp0"

onet="111.111.111.0"

omask="255.255.255.0"

oip="111.111.111.45"

 

# Inside interface network and netmask and ip

iif="fxp1"

inet="10.0.0.0"

imask="255.0.0.0"

iip="10.0.0.1"

 

# DNS servers

dns1="111.111.111.115"

 

skip="skipto 800"

 

cmd="ipfw -q add"

 

setup_loopback

 

#################################################################

# No restrictions on Inside Lan Interface for private network

# Change xl0 to your Lan Nic card interface name

#################################################################

$cmd 005 allow all from any to any via $iif

 

#################################################################

# No restrictions on Loopback Interface

#################################################################

$cmd 010 allow all from any to any via lo0

 

#################################################################

# check if packet is inbound and nat address if it is

#################################################################

$cmd 014 divert natd ip from any to any in via $oif

 

#################################################################

# Allow the packet through if it has previous been added to the

# the "dynamic" rules table by a allow keep-state statement.

#################################################################

$cmd 015 check-state

 

#################################################################

# Interface facing Public Internet (Outbound Section)

# Interrogate session start requests originating from behind the

# firewall on the private network or from this gateway server

# destine for the public Internet.

#################################################################

# Allow out access to my ISP.s Domain name server.

# x.x.x.x must be the IP address of your ISP.s DNS

# Dup these lines if your ISP has more than one DNS server

# Get the IP addresses from /etc/resolv.conf file

$cmd 020 $skip tcp from any to $dns1 53 out via $oif setup keep-state

 

# Allow out access to my ISP.s DHCP server for cable/DSL configurations.

$cmd 030 $skip udp from any to 111.111.111.116 67 out via $oif keep-state

 

# Allow out non-secure standard www function

$cmd 040 $skip tcp from any to any 80 out via $oif setup keep-state

 

# Allow out secure www function https over TLS SSL

$cmd 050 $skip tcp from any to any 443 out via $oif setup keep-state

 

# Allow out send & get email function

$cmd 060 $skip tcp from any to any 25 out via $oif setup keep-state

$cmd 061 $skip tcp from any to any 110 out via $oif setup keep-state

 

# Allow out FreeBSD (make install & CVSUP) functions

# Basically give user root "GOD" privileges.

$cmd 070 $skip tcp from me to any out via $oif setup keep-state uid root

 

# Allow out ping

$cmd 080 $skip icmp from any to any out via $oif keep-state

 

# Allow out Time

$cmd 090 $skip tcp from any to any 37 out via $oif setup keep-state

 

# Allow out nntp news (i.e. news groups)

$cmd 100 $skip tcp from any to any 119 out via $oif setup keep-state

 

# Allow out secure FTP, Telnet, and SCP

# This function is using SSH (secure shell)

$cmd 110 $skip tcp from any to any 22 out via $oif setup keep-state

 

# Allow out whois

$cmd 120 $skip tcp from any to any 43 out via $oif setup keep-state

 

# Allow ntp time server

$cmd 130 $skip udp from any to any 123 out via $oif keep-state

 

#################################################################

# Interface facing Public Internet (Inbound Section)

# Interrogate packets originating from the public Internet

# destine for this gateway server or the private network.

#################################################################

# Deny all inbound traffic from non-routable reserved address spaces

$cmd 300 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918 private IP

$cmd 301 deny all from 172.16.0.0/12 to any in via $oif #RFC 1918 private IP

$cmd 302 deny all from 10.0.0.0/8 to any in via $oif #RFC 1918 private IP

$cmd 303 deny all from 127.0.0.0/8 to any in via $oif #loopback

$cmd 304 deny all from 0.0.0.0/8 to any in via $oif #loopback

$cmd 305 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto-config

$cmd 306 deny all from 192.0.2.0/24 to any in via $oif #reserved for docs

$cmd 307 deny all from 204.152.64.0/23 to any in via $oif #Sun cluster

$cmd 308 deny all from 224.0.0.0/3 to any in via $oif #Class D & E multicast

 

# Deny ident

$cmd 315 deny tcp from any to any 113 in via $oif

 

# Deny all Netbios service. 137=name, 138=datagram, 139=session

# Netbios is MS/Windows sharing services.

# Block MS/Windows hosts2 name server requests 81

$cmd 320 deny tcp from any to any 137 in via $oif

$cmd 321 deny tcp from any to any 138 in via $oif

$cmd 322 deny tcp from any to any 139 in via $oif

$cmd 323 deny tcp from any to any 81 in via $oif

 

# Deny any late arriving packets

$cmd 330 deny all from any to any frag in via $oif

 

# Deny ACK packets that did not match the dynamic rule table

$cmd 332 deny tcp from any to any established in via $oif

 

# Allow traffic in from ISP.s DHCP server. This rule must contain

# the IP address of your ISP.s DHCP server as it.s the only

# authorized source to send this packet type.

# Only necessary for cable or DSL configurations.

# This rule is not needed for .user ppp. type connection to

# the public Internet. This is the same IP address you captured

# and used in the outbound section.

$cmd 360 allow udp from 111.111.111.116 to any 68 in via $oif keep-state

 

# Allow in standard www function because I have apache server

$cmd 370 allow tcp from any to me 80 in via $oif setup limit src-addr 2

$cmd 371 allow tcp from any to me 443 in via $oif setup limit src-addr 10

 

# Allow in secure FTP, Telnet, and SCP from public Internet

$cmd 380 allow tcp from any to me 21 in via $oif setup limit src-addr 2

$cmd 385 allow tcp from any to me 22 in via $oif setup limit src-addr 2

 

# Reject & Log all unauthorized incoming connections from the public Internet

$cmd 400 deny log all from any to any in via $oif

 

# Reject & Log all unauthorized out going connections to the public Internet

$cmd 450 deny log all from any to any out via $oif

 

# This is skipto location for outbound stateful rules

$cmd 800 divert natd ip from any to any out via $oif

$cmd 801 allow ip from any to any

 

# Everything else is denied by default

# deny and log all packets that fell through to see what they are

$cmd 999 deny log all from any to any

 

;;

 

// End

 

 

Thanks in advance for any help

More information about the freebsd-ipfw mailing list