ipfw firewall help

G Bryant gbryant at roamingsolutions.net
Sun Oct 23 09:46:22 PDT 2005


Yup - that would work.
IPFW also has a built-in command that does the same:
$cmd deny ip from any to any not antispoof in

Daemon wrote:

Great!  Thanks.  One possibly stupid question.  What is the "Deny
Spoof"?  Is that like:
# Stop spoofing of your internal network range
#       ${fwcmd} add deny ip from ${iif} to any in via ${oif}
# Stop spoofing from inside your private ip range
#       ${fwcmd} add deny ip from not ${iif} to any in via ${iif}


G Bryant wrote:

Hi,
I found my rules worked best in this order:
(You will need to correct the syntax - just typed up the order for you
quickly)

Deny spoofed
Allow localhost
Allow all from any to any via $iif
divert natd all from any to any in via $oif
#insert bandwidth shaping rules
skipto 5000 all from $iip to any out via $oif
#allow all from any to me in via $oif # if you want to receive traffic from internet to this box. Your decision if you need it.
deny all from any to any out
allow all from any to $iip in via $oif
#allow all from me to any out via $oif # traffic from this box out to the internet.  Your decision if you need it.
deny all from any to any in
5000 nat all from any to any out via $oif
allow all from any to any out

This is a very "open" set of rules - your choice.
Hope this helps.
Regards,  Graham


Daemon wrote:


I'm trying to build a firewall from scratch using man ipfw and what I
can find on the net.  I'm doing bandwidth shaping and I'm not quite sure
where it goes as far as rule numbers.  From what I can see, it matters
and I'd like to do it right.  I'm using an OPEN firewall with NATD
because I'm on cable broadband with a static IP.  Here is what I have.

00010   52   2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
00020    0      0 pipe 2 ip from any to 172.16.140.0/24 recv re0
00050  274  24955 divert 8668 ip from any to any via re0
00100   50   5642 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65535 4658 547779 allow ip from any to any

The actual rule set for the bandwidth shaping is:

# Traffic Shaping.
# oif="re0"            # ${oif} Public Interface.
# iif="re1"            # ${iif} Internal nic.
# iip="172.16.140.0/24"        # ${iip}

${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes

${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes

I've found lots of stuff on "how" to set it up but I can't seem to find
anything on where the rules go.  Any help would be greatly appreciated.

Regards,

Mark
_______________________________________________
[1]freebsd-ipfw at freebsd.org mailing list
[2]http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [3]"freebsd-ipfw-unsubscribe at freebsd.org"
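Graham's rule order above, written out as actual ipfw commands. This is an added example for this archived thread, not code from any of its posters. It takes the interface names re0/re1, the 172.16.140.0/24 range, the two pipe definitions and the natd divert port 8668 from Mark's post; the rule numbers, and the use of a natd divert at rule 5000 where Graham wrote `nat`, are this example's choices. One caveat the thread does not spell out: with the default net.inet.ip.fw.one_pass=1 a packet leaving a dummynet pipe is accepted on the spot and never reaches the skipto and NAT rules that follow, so the script sets that sysctl to 0. By default it only prints the commands; set FWCMD="ipfw -q" and SYSCTLCMD="sysctl" as root on FreeBSD to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: Graham's recommended rule ORDER
# expressed as real ipfw commands, using Mark's variable names.
# Assumed from Mark's post: re0 (public), re1 (internal), 172.16.140.0/24,
# natd on the default divert port 8668.  Rule numbers are this example's choice.
# FWCMD/SYSCTLCMD default to a dry run that only prints the commands; use
# FWCMD="ipfw -q" SYSCTLCMD="sysctl" (as root, on FreeBSD) to really apply them.

oif="re0"                            # public interface
iif="re1"                            # internal NIC
iip="172.16.140.0/24"                # internal network
fwcmd="${FWCMD:-echo ipfw -q}"       # dry run unless FWCMD is set
sysctlcmd="${SYSCTLCMD:-echo sysctl}"

gen_rules() {
    # Packets leaving a pipe must re-enter the ruleset at the next rule,
    # otherwise outbound LAN traffic is accepted after shaping and never NATed.
    $sysctlcmd net.inet.ip.fw.one_pass=0

    $fwcmd -f flush

    # Shaper definitions (from Mark's post): one pipe per direction, one
    # queue per /24 so the hosts in the range share the bandwidth.
    $fwcmd pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
    $fwcmd pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes

    # 1. Deny spoofed: drop inbound packets whose source belongs to a
    #    directly connected network but which arrived on the wrong interface.
    $fwcmd add 100 deny ip from any to any not antispoof in

    # 2. Allow localhost, and refuse 127/8 on any real interface.
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 210 deny ip from any to 127.0.0.0/8
    $fwcmd add 220 deny ip from 127.0.0.0/8 to any

    # 3. Trust the inside interface completely ("very open", as Graham says).
    $fwcmd add 300 allow ip from any to any via $iif

    # 4. Inbound NAT first, so the shaper and the policy rules below see
    #    the translated (internal) destination address.
    $fwcmd add 400 divert 8668 ip from any to any in via $oif

    # 5. Bandwidth shaping.  Outbound packets still carry their internal
    #    source address here because outbound NAT only happens at rule 5000.
    $fwcmd add 500 pipe 1 ip from $iip to any xmit $oif
    $fwcmd add 510 pipe 2 ip from any to $iip recv $oif

    # 6. LAN traffic leaving for the internet jumps straight to the NAT rule.
    $fwcmd add 600 skipto 5000 ip from $iip to any out via $oif

    # 7. Nothing else may leave via the public side.  Uncomment the next
    #    line if this box itself needs to reach the internet.
    # $fwcmd add 650 allow ip from me to any out via $oif
    $fwcmd add 700 deny ip from any to any out

    # 8. Inbound: only (already translated) traffic for the LAN gets in.
    #    Uncomment the next line to accept connections to this box.
    # $fwcmd add 750 allow ip from any to me in via $oif
    $fwcmd add 800 allow ip from any to $iip in via $oif
    $fwcmd add 900 deny ip from any to any in

    # 9. Outbound NAT for LAN traffic, then let the translated packet go.
    $fwcmd add 5000 divert 8668 ip from any to any out via $oif
    $fwcmd add 5100 allow ip from any to any out
}

# rule_line RULENUM: position of that rule in gen_rules' dry-run output
# (empty if absent), for checking that the order is what you intended.
rule_line() {
    gen_rules | grep -n "add $1 " | cut -d: -f1
}

gen_rules
```

Keep the pipe rules where Graham puts them, between the inbound divert and the skipto, so that pipe 1 still matches on the untranslated 172.16.140.0/24 source and pipe 2 already sees the translated internal destination; that is what `ipfw show` in Mark's post would not have done with pipes at 10 and 20 ahead of the divert.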

References

   1. mailto:freebsd-ipfw at freebsd.org
   2. http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
   3. mailto:freebsd-ipfw-unsubscribe at freebsd.org