Firewall
Adolfo B. Ferreira
bitchat at hotpop.com
Tue Mar 1 20:25:29 GMT 2005
Hi,
I set up a firewall in my FreeBSD box using ipfw.conf and it's working
fine.
I'm running an SMTP server on my firewall (I know it's not recommended)
and all my services are working fine, but SMTP is not receiving incoming
connections from outside (the Internet).
I would like to show my ipfw rules and get some answer as to why it's not
working.
Thanks guys, here is my firewall:
# QoS: LAN
pipe 10 config mask src-ip 0xfffffff0 bw 40Kbit/s # LAN Upload
pipe 20 config mask dst-ip 0xfffffff0 bw 20Kbit/s # Lan Download
# QoS: SERVICES
pipe 30 config bw 120Kbit/s queue 6Kbytes # FTP
pipe 40 config mask bw 75Kbit/s # SMTP
pipe 50 config mask bw 70Kbit/s # DNS TCP
pipe 60 config mask bw 300Kbit/s queue 20Kbytes # WEB / SSL
pipe 70 config mask bw 75Kbit/s # POP3
# DEVICE: lo0
add 100 allow all from any to any via lo0
add 101 allow tcp from any to 127.0.0.1 110
add 102 deny ip from any to 127.0.0.0/8
# LAN: NAT
add 200 divert natd ip from any to any in via rl0
# LAN: IN
add 300 allow tcp from 10.1.1.0/28 to 10.1.1.1 22,139,445 in via vr0
add 400 allow udp from 10.1.1.0/28 to 10.1.1.1 137,138 in via vr0
# CHECK STATE
add 500 check-state
# DNS: SYNC
add 600 allow ip from any to any 53 via rl0
add 601 allow ip from any 53 to any via rl0
# DHCP: CLIENT
add 700 allow udp from any to 10.12.0.1 67 out via rl0
# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root
# LAN: OUT
add 900 skipto 2000 tcp from any to any 80 out via rl0 setup keep-state
add 901 skipto 2000 tcp from any to any 443 out via rl0 setup keep-state
add 902 skipto 2000 tcp from any to any 25 out via rl0 setup keep-state
add 903 skipto 2000 tcp from any to any 110 out via rl0 setup keep-state
add 905 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 906 skipto 2000 tcp from any to any 20,21 out via rl0 setup keep-state
add 907 skipto 2000 tcp from any to any 43 out via rl0 setup keep-state
add 909 skipto 2000 tcp from any to any 1755 out via rl0 setup keep-state
add 910 skipto 2000 tcp from any to any 1863 out via rl0 setup keep-state
add 911 skipto 2000 tcp from any to any 2222 out via rl0 setup keep-state
add 912 skipto 2000 tcp from any to any 6667 out via rl0 setup keep-state
#add 913 skipto 2000 tcp from any to any 1-4000 out via rl0 setup keep-state
# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0
add 1100 allow icmp from any to any in via rl0 icmptypes 0
# ICMP: BLOCK PING
add 1101 prob 0.2 allow icmp from any to 201.6.24.17 in via rl0 icmptypes 8
add 1102 prob 0.2 allow icmp from 201.6.24.17 to any out via rl0 icmptypes 0
# LAN: RFC
add 1200 deny all from 192.168.0.0/16 to any in via rl0
add 1220 deny all from 172.16.0.0/12 to any in via rl0
add 1240 deny all from 127.0.0.0/8 to any in via rl0
add 1250 deny all from 0.0.0.0/8 to any in via rl0
add 1260 deny all from 169.254.0.0/16 to any in via rl0
add 1270 deny all from 192.0.2.0/24 to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3 to any in via rl0
# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0
# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0
# DHCP: CLIENT
add 1500 allow udp from 10.12.0.1 to any 68 in via rl0 keep-state
# INTERNET: SERVICES IN
add 1600 pipe 30 ip from any to 201.6.24.17 20,21 in via rl0 setup limit src-addr 2
add 1601 pipe 40 tcp from any to 201.6.24.17 25 in via rl0
add 1602 pipe 50 ip from any to 201.6.24.17 53 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.24.17 80,443 in via rl0 setup limit src-addr 2
add 1604 pipe 70 tcp from any to 201.6.24.17 995 in via rl0 setup limit src-addr 2
# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0
# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any
Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Telephone: 11 50628877
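The following is an added example, not part of the post and not FreeBSD's ipfw: a small constructed model of the rule walk for the subset of the posted rules that an inbound connection traverses (500, 1400, 1601, 1603, 1800, 1900). It assumes the stock net.inet.ip.fw.one_pass=1 default (a pipe action ends the walk and passes the packet) and a constructed client address. Walking the three handshake packets shows why port 443 works while port 25 does not: rule 1603 carries "setup limit src-addr 2", which records a dynamic rule, so the server's SYN-ACK is passed at check-state (rule 500); rule 1601 has neither keep-state nor limit, so the SYN-ACK falls through to the catch-all deny at rule 1800 and the client's ACK is caught by rule 1400. The hypothetical RULES_WITH_STATE_ON_25 variant shows the same walk once rule 1601 gets the same state option as its neighbours.

```python
"""Constructed model of an ipfw first-match rule walk (teaching example)."""
from dataclasses import dataclass

EXT_IP = "201.6.24.17"          # public address used in the posted rules
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str              # "in" or "out" via rl0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "check-state", "allow", "deny", "pipe"
    direction: str = ANY        # "in", "out" or "any"
    dst: str = ANY
    dports: tuple = ()          # () means any destination port
    setup: bool = False         # ipfw "setup": only a bare SYN matches
    established: bool = False   # ipfw "established": ACK-bearing packets
    keep_state: bool = False    # keep-state or limit: record a dynamic rule

    def matches(self, p: Packet) -> bool:
        if self.direction != ANY and self.direction != p.direction:
            return False
        if self.dst != ANY and self.dst != p.dst:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not p.ack:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}       # flow key -> number of the parent rule

    @staticmethod
    def flow_key(p: Packet):
        # A dynamic rule matches both directions of the same flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def walk(self, p: Packet):
        """Return (verdict, rule_number) for the rule that ended the walk."""
        for rule in self.rules:
            if rule.action == "check-state":
                parent = self.dynamic.get(self.flow_key(p))
                if parent is not None:
                    return ("pass", parent)   # dynamic rule: parent's action
                continue
            if not rule.matches(p):
                continue
            if rule.keep_state:
                self.dynamic[self.flow_key(p)] = rule.number
            if rule.action == "deny":
                return ("deny", rule.number)
            return ("pass", rule.number)      # allow, or pipe with one_pass=1
        return ("deny", 65535)                # implicit default rule


# Subset of the posted rules that inbound service traffic traverses.
POSTED_RULES = [
    Rule(500, "check-state"),
    Rule(1400, "deny", direction="in", established=True),
    Rule(1601, "pipe", direction="in", dst=EXT_IP, dports=(25,)),
    Rule(1603, "pipe", direction="in", dst=EXT_IP, dports=(80, 443),
         setup=True, keep_state=True),      # "setup limit src-addr 2"
    Rule(1800, "deny", direction="out"),
    Rule(1900, "deny", direction="in"),
]

# Hypothetical variant: rule 1601 given the same state option as 1603.
RULES_WITH_STATE_ON_25 = [
    Rule(1601, "pipe", direction="in", dst=EXT_IP, dports=(25,),
         setup=True, keep_state=True) if r.number == 1601 else r
    for r in POSTED_RULES
]


def trace_handshake(dport: int, rules=POSTED_RULES):
    """Walk the three TCP handshake packets of one client connection.

    Returns a list of (packet label, verdict, rule number) triples.
    """
    fw = Firewall(rules)
    client = ("198.51.100.7", 40000)       # constructed client address/port
    syn = Packet(client[0], client[1], EXT_IP, dport, "in", syn=True)
    syn_ack = Packet(EXT_IP, dport, client[0], client[1], "out", syn=True, ack=True)
    ack = Packet(client[0], client[1], EXT_IP, dport, "in", ack=True)
    packets = (("SYN in", syn), ("SYN-ACK out", syn_ack), ("ACK in", ack))
    return [(label, *fw.walk(p)) for label, p in packets]


if __name__ == "__main__":
    for port in (25, 443):
        print(port, trace_handshake(port))
    print("25 with state:", trace_handshake(25, RULES_WITH_STATE_ON_25))
```

The model deliberately ignores NAT and the bandwidth pipes, since neither changes which rule ends the walk; the one mechanism that matters here is whether a dynamic rule exists when the reply reaches check-state.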
More information about the freebsd-questions mailing list