ipfw with four interfaces

Arvinn Lokkebakken arvinn at sandakerveien.net
Wed Sep 3 05:25:15 PDT 2003


>
> Try having the very first rule divert ip from any to any to natd. Then,
> you can configure natd to only affect RFC 1918 packets by adding -u to
> the command line. NAT will take the packet, process it if it's an
> RFC 1918 address, if not allow it to pass, and then reinject it into the
> firewall at rule 2 (or the next available rule) and continue processing
> the ruleset.
>
As I described, I already use this flag. The problem with having
divert at the top is that I get thrown off my ssh connection every time
I try to reload natd or ipfw. Does it matter if I allow ssh from my
network before I divert packets to natd?

> I've not been awake for long and have had little to no Mt Dew yet, so
> don't hold this against me. Without going over this for a while, which
> I recommend when doing a firewall, this may be something in the
> neighborhood of what you're looking for.
>
> In your /usr/local/etc/natd.sh
>
> #!/bin/sh
> natd -interface xl2  -s -m -u
>
> Or if you start it from rc.conf:
>
> natd_flags="-s -m -u "
>  
>
I use a natd config file with all these flags so that is taken care of.

> The -s tells it to use sockets so that FTP doesn't get broken. You may
> not need this.
> The -m tells natd to attempt to use the same socket as the originating
> host.
> The -u tells natd to only translate RFC 1918 packets.
>
> In your firewall rules file:
>
> ###############
> # more fwrules
> fwcmd="/sbin/ipfw"
> extif="xl2"
> dmzif="fxp0"
> lanif="xl0"
> motorif="xl1"
> #
> #
> $fwcmd -f flush
> #
> #
> #NATD Divert
> $fwcmd add 1 divert natd all from any to any via $extif
> #
> #You want blocked outbound ports to match early on in the firewall.
> #
> # Blocking ports out to Internet that I don't like:
> $fwcmd add 100 deny tcp from any to any 135-139 out via $extif
> $fwcmd add 100 deny tcp from any to any 445 out via $extif
> #
> #Then your allows:
> #
> #Network Allows
> $fwcmd add 300 allow ip from any to any via $extif
> $fwcmd add 300 allow ip from any to any via $dmzif
> $fwcmd add 300 allow ip from any to any via $lanif
> $fwcmd add 300 allow ip from any to any via $motorif
>  
>
Hm.. You really mean I should add that first allow line there? These
four rules together are basically the same as ipfw add allow ip from any
to any, aren't they?

> # Allow http to the whole dmz from Internet:
> $fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
> #
> # Allow smtp and pop3 to the mailserver from Internet:
> $fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif
>  
>
Aren't these two rules overlapping the first 300 rule?

> #Lastly, your denies
> #
> #Network Denies
> #
> # Default Block
> $fwcmd add 65000 deny ip from any to any
>
> Hope this helps you out.
>
>  
>
I haven't been able to try them out yet, but I don't feel allowing
The first 300 rule will probably help by having the firewall allow
traffic for me, but I wasn't really planning to allow everything in. And
will deny rules have any effect when the traffic is already allowed?

Arvinn
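The questions above (whether rules 400 and 500 overlap rule 300, and whether a later deny can still act on traffic an earlier rule allowed) come down to ipfw's first-match evaluation: the first allow or deny whose pattern matches decides the packet, and a divert hands the packet to natd and continues at the next rule. The following is an added example, not part of this mail thread and not FreeBSD's ipfw itself: a small evaluator for just the subset of ipfw syntax the quoted ruleset uses, fed that ruleset with the interface variables expanded and 203.0.113.80/28 (TEST-NET-3) standing in for the mail's w.x.y.80/28. It reports which rule decides a given packet and which rules are fully covered by an earlier terminal rule and therefore never reached. The kernel default when nothing matches is assumed to be deny.

```python
"""Added example: first-match evaluator for the ipfw subset in the quoted
ruleset (allow/deny/divert, proto, src/dst, dst ports, in/out, via).
Not from the original mail and not FreeBSD's ipfw; addresses are
constructed stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "pop3": 110}


@dataclass
class Rule:
    number: int
    action: str                   # allow | deny | divert
    proto: str                    # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset]   # None: any destination port
    direction: Optional[str]      # in | out | None (either)
    iface: Optional[str]          # 'via' interface, None: any
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _ports(tok):
    ports = set()
    for p in tok.split(","):
        if "-" in p:
            lo, hi = p.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(SERVICES.get(p) or int(p))
    return frozenset(ports)


def parse_rule(text):
    toks = text.split()
    number, action = int(toks[0]), toks[1]
    i = 3 if action == "divert" else 2            # divert carries a port/name
    proto = "ip" if toks[i] == "all" else toks[i]  # 'all' is a synonym for 'ip'
    src, dst = _net(toks[i + 2]), _net(toks[i + 4])
    i += 5
    dports = None
    if i < len(toks) and toks[i] not in ("in", "out", "via"):
        dports, i = _ports(toks[i]), i + 1
    direction = iface = None
    while i < len(toks):
        if toks[i] == "via":
            iface, i = toks[i + 1], i + 2
        else:
            direction, i = toks[i], i + 1
    return Rule(number, action, proto, src, dst, dports, direction, iface, text)


def matches(rule, pkt):
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def decide(rules, pkt):
    """Return (action, rule number, diverted?). allow/deny end the search; a
    divert passes the packet to natd and resumes at the next rule, as it does
    for a non-RFC1918 address under natd -u. Default deny assumed."""
    diverted = False
    for rule in sorted(rules, key=lambda r: r.number):   # stable: same-number rules keep add order
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            diverted = True
            continue
        return rule.action, rule.number, diverted
    return "deny", None, diverted


def covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dports is None or (b.dports is not None and b.dports <= a.dports))
            and (a.direction is None or a.direction == b.direction)
            and (a.iface is None or a.iface == b.iface))


def shadowed_rules(rules):
    """(rule, earlier terminal rule) pairs where the rule can never be reached."""
    ordered, found = sorted(rules, key=lambda r: r.number), []
    for i, r in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action != "divert" and covers(earlier, r):
                found.append((r.number, earlier.number))
                break
    return found


# Quoted ruleset with $extif=xl2, $dmzif=fxp0, $lanif=xl0, $motorif=xl1.
RULESET = [parse_rule(t) for t in [
    "1 divert natd all from any to any via xl2",
    "100 deny tcp from any to any 135-139 out via xl2",
    "100 deny tcp from any to any 445 out via xl2",
    "300 allow ip from any to any via xl2",
    "300 allow ip from any to any via fxp0",
    "300 allow ip from any to any via xl0",
    "300 allow ip from any to any via xl1",
    "400 allow tcp from any to 203.0.113.80/28 http via xl2",
    "500 allow tcp from any to 203.0.113.84 smtp,pop3 via xl2",
    "65000 deny ip from any to any",
]]

if __name__ == "__main__":
    print(decide(RULESET, Packet("tcp", "198.51.100.7", "203.0.113.90", 22, "in", "xl2")))
    print("never reached:", shadowed_rules(RULESET))
```

With this ruleset an inbound SSH SYN to a DMZ host on xl2 is accepted by the first 300 rule, never by 400, 500 or the 65000 deny, and the two port-445/135-139 denies only bite on outbound packets; an inbound packet to port 445 on xl2 is also accepted by rule 300. Putting the specific allows and the denies before the broad "allow ip from any to any via $extif" is what makes them reachable.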




More information about the freebsd-questions mailing list