Deny action doesn't work on my fbsd box

Abu Khaled khaled.abu at gmail.com
Wed Jun 22 12:44:11 GMT 2005


On 6/22/05, James <apach3s at yahoo.com> wrote:
> Hi! I use FreeBSD version 4.11 and I'm new to ipfirewall (ipfw).
> I started reading about ipfw this month and my mind is getting
> somewhat confused. I read the handbook on IPFW and I still don't
> understand it, not the whole thing, but I understand a little.
> 
> This is my network diagram:
> ----------
> ISP > DSL Modem > DSL Router > (a)FBSD SERVER(b) >
> TWO-PC-CLIENTS
> ----------
> 
> My `FBSD SERVER` has two ethernet interfaces. (a)vr0 (192.168.0.2 |
> 255.255.255.0) and (b)rl0 (172.16.20.1 | 255.255.255.0).. My
> `TWO-PC-CLIENTS` have the IP addresses 172.16.20.11 and
> 172.16.20.12.. Now I have successfully set up and configured
> NATD to share the Internet connection with the
> TWO-PC-CLIENTS, following
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> ..
> 
> Now I want to test how ipfw works and whether it effectively works
> on my fbsd box to block the TWO-PC-CLIENTS from ssh, browsing,
> etc.. But I failed and it doesn't work to block ports
> 22 and 80; the TWO-PC-CLIENTS can still browse and SSH to my
> fbsd box. Here are my rc.conf, natd.conf and rules.firewall files
> from
> 
> http://www.rootshell.be/~jam3s/file.txt
> 
> My question is, how can I block ports 22 and 80 so that blocking
> the TWO-PC-CLIENTS and others I want to block/deny will work? I did
> read rc.firewall and don't understand it very well :).. I hope
> someone could help me... If you have a nice tutorial for the
> basic ipfw commands that is easy to understand, just tell me
> :)..
> 
> thanks in advance..
> 
> james
> 

Take a look at my example rules and change them as needed.

# /etc/rc.conf
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
# /etc/rc.conf - end

# /etc/ipfw.rules
# nat
add divert natd ip from any to any via vr0
# allow all via loopback interface and antispoof 127.0.0.1
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
# some icmp rules for external interface (vr0)
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
# some icmp rules for internal network (rl0)
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
# stateful rules for freebsd box
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
#
# 'me' expands automatically to any ip running on the FreeBSD box
# in your case 192.168.0.2 and 172.16.20.1 so you do not have
# to write two rules for them
#
# here we can put rules to allow local and/or external clients
# to access the FreeBSD box
# for example a dns server on port 53 'udp' for local clients
# add allow udp from any to me 53 via rl0 keep-state
#
# deny everyone from accessing my FreeBSD box
add deny all from any to me
# deny local clients (rl0) from accessing port 80 and 22
add deny tcp from any to any 80,22 via rl0
#
# I am not sure how to write stateful filter rules for
# clients behind nat (local network) so you might
# just use firewalls on the clients and pass all on FreeBSD
# rules for local network
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
# deny everything else (if not already the default)
add deny all from any to any
# /etc/ipfw.rules - end

Check man ipfw for more information.
And one last point, I started to use PF, so things mix up for me from
time to time. So wait for others to review the rules and advise or
modify them.

-- 
Kind regards
Abu Khaled
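The rules above only block the clients because ipfw is first-match: the `deny tcp ... 80,22 via rl0` line has to sit before the broad `allow tcp ... via rl0`, otherwise the allow wins and the deny never fires. The following is an added illustration, not code from the thread: a small Python simulator for the rule subset used in the reply, assuming `me` expands to the two interface addresses in the diagram and that the default rule is deny.

```python
import ipaddress
ME = {"192.168.0.2", "172.16.20.1"}   # what 'me' expands to (assumed from the thread)

def _addr_match(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Parse 'add allow|deny PROTO from A to B [PORTS] [options]' lines; comments
    and 'add divert' are skipped, keep-state/setup/in/out/icmptypes are ignored."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) < 7 or tok[0] != "add" or tok[1] not in ("allow", "deny"):
            continue
        rule = {"action": tok[1], "proto": tok[2], "src": tok[4], "dst": tok[6],
                "ports": set(), "via": None}
        rest = tok[7:]
        if rest and rest[0][0].isdigit():          # destination port list
            rule["ports"] = {int(p) for p in rest.pop(0).split(",")}
        while rest:                                # only 'via IF' matters here
            if rest.pop(0) == "via":
                rule["via"] = rest.pop(0)
        rules.append(rule)
    return rules

def first_match(rules, proto, src, dst, dport=None, via=None):
    """ipfw semantics: the first matching rule decides; no match means deny."""
    for r in rules:
        if (r["proto"] in ("ip", "all", proto) and r["via"] in (None, via)
                and (not r["ports"] or dport in r["ports"])
                and _addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            return r["action"]
    return "deny"

# Constructed excerpt of the reply's rules, as a client packet is checked on rl0.
RULES = """
add deny all from any to me
add deny tcp from any to any 80,22 via rl0
add allow tcp from any to any via rl0
add deny all from any to any
"""

def verdicts(text):
    """Verdicts for client 172.16.20.11: ssh to the box, http out, https out."""
    r = parse_rules(text)
    pkts = [("172.16.20.1", 22), ("203.0.113.10", 80), ("203.0.113.10", 443)]
    return tuple(first_match(r, "tcp", "172.16.20.11", d, p, "rl0") for d, p in pkts)
```

Swapping the deny and allow lines in RULES and calling verdicts again shows the http verdict flip to allow, which is the shadowing to look for when a deny "does not work".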

