IPFW - Creating my own rules

Rodrigo G. Tavares de Souza rodrigo at sensorsistemas.com.br
Mon Mar 20 19:29:44 UTC 2006


Hi,

    I'm trying to configure IPFW, with no success.
    Do I need to configure [in] access to each allowed service?
    I have these services:
      - Public DNS Server (outside);
      - Public POP Server (outside);
      - Public SMTP Server (outside);
      - Squid as Proxy;

   All Internet traffic is being redirected to Squid. I need to open
DNS, POP and SMTP.
   What is wrong with the following rules file?

Best Regards,
Rodrigo Souza
Sao Paulo - Brazil

-----------------------------------------------
security log file
-----------------------------------------------
Mar 20 15:45:15 bsd-net kernel: ipfw: 450 Deny TCP 207.46.6.75:1863 192.168.0.103:1580 in via rl0
Mar 20 15:45:18 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:44 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:49 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
...
Mar 20 15:45:59 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
Mar 20 15:46:00 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0
Mar 20 15:46:01 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0
-----------------------------------------------
#!/bin/sh
ipfw -q -f flush

cmd="ipfw -q add"
pif="rl0"
skip="skipto 500"
ks="keep-state"

$cmd 010 divert 8668 ip from any to any via $pif
$cmd 020 allow all from any to 192.168.0.2
$cmd 030 allow all from any to any via lo0
$cmd 040 fwd 192.168.0.2,3128 tcp from 192.168.0.0/24 to any dst-port 80

# DNS SERVER
# ********************************
$cmd 050 allow tcp from any to 200.153.0.68 53 out via $pif setup $ks
$cmd 055 allow udp from any to 200.153.0.68 53 out via $pif $ks

$cmd 060 allow tcp from any to 200.153.0.192 53 out via $pif setup $ks
$cmd 065 allow udp from any to 200.153.0.192 53 out via $pif $ks

# INTERNET
# ********************************
$cmd 070 allow tcp from any to any 80  out via $pif setup keep-state
$cmd 075 allow tcp from any to any 443 out via $pif setup keep-state

# POP AND SMTP SERVER
# ********************************
$cmd 080 allow tcp from any to 200.246.179.88 25  out via $pif setup $ks
$cmd 085 allow tcp from any to 200.246.179.88 110 out via $pif setup $ks

# FULL root RIGHTS
# ********************************
$cmd 090 allow tcp from me to any out via $pif setup keep-state uid root

# PING
# ********************************
$cmd 110 allow icmp from any to any out via $pif keep-state

# DENY NOT ALLOWED
# ********************************
$cmd 450 deny log all from any to any via $pif
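The security log quoted above has a recognisable shape: every denied packet is inbound on rl0, comes from the port of a server the ruleset explicitly permits outbound (53 on 200.153.0.68, 110 and 25 on 200.246.179.88), and is addressed to an ephemeral port on a LAN host. Those are the replies to sessions the firewall allowed, reaching the catch-all deny at rule 450, which means the keep-state entries are not matching them. The reason is the rule order: rule 010 diverts to natd before any keep-state rule, so the dynamic entry for an outbound session records the translated (public) source address, while the reply is un-NATed by the same rule 010 before it reaches the dynamic-rule check at rule 050, arrives there with the private address, matches no entry, and falls through the out-only rules to 450. The script below is an added triage helper (editor's example, not the poster's code) that reads ipfw deny lines in this format and separates "reply to a permitted session" from "unsolicited"; the allowed-service list is transcribed from rules 050-085 and the sample log lines are constructed to match the post's.

```shell
#!/bin/sh
# Added example, not from the original post: triage ipfw "Deny" log lines.
# A denied *inbound* packet whose source is a server/port the ruleset permits
# outbound is the reply to a session we allowed; if such replies reach the
# catch-all deny, the keep-state entry is not matching them (here because
# natd translates addresses before the state is recorded).

# Services the post's rules 050-085 permit outbound, as proto/host/port.
ALLOWED_OUT='tcp/200.153.0.68/53 udp/200.153.0.68/53 tcp/200.153.0.192/53 udp/200.153.0.192/53 tcp/200.246.179.88/25 tcp/200.246.179.88/110'

# Constructed sample log, same format as the post, one record per line.
SAMPLE_LOG='Mar 20 15:45:15 bsd-net kernel: ipfw: 450 Deny TCP 207.46.6.75:1863 192.168.0.103:1580 in via rl0
Mar 20 15:45:18 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:49 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
Mar 20 15:46:00 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0'

# classify_denies: reads log lines on stdin, prints one line per deny record:
#   REPLY-DROPPED <rule> <proto> <server:port> -> <client:port>  reply to a permitted session
#   UNSOLICITED   <rule> <proto> <src:port> -> <dst:port>        nothing permitted it
classify_denies() {
    awk -v allowed="$ALLOWED_OUT" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # find the "ipfw:" token so the syslog prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF || $(i + 2) != "Deny") next
        rule = $(i + 1); proto = tolower($(i + 3))
        src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
        split(src, s, ":")               # s[1] = address, s[2] = port
        key = proto "/" s[1] "/" s[2]
        tag = (dir == "in" && (key in ok)) ? "REPLY-DROPPED" : "UNSOLICITED"
        printf "%s %s %s %s -> %s\n", tag, rule, proto, src, dst
    }'
}

# count_reply_drops: number of sample denies that are replies to permitted sessions.
count_reply_drops() {
    printf '%s\n' "$SAMPLE_LOG" | classify_denies | grep -c '^REPLY-DROPPED'
}

# Demo on the constructed sample. On the firewall: classify_denies < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | classify_denies
```

On the sample, the 207.46.6.75:1863 line (a port nothing in the ruleset permits) is the only UNSOLICITED entry; the DNS, POP and SMTP lines are all REPLY-DROPPED, the signature of stateful rules that never see the reply with the address they recorded. If REPLY-DROPPED lines appear in a log, check `ipfw -d list` to see which addresses the dynamic entries actually hold before touching the static rules.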


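The rules file above defines `skip="skipto 500"` and then never uses it, and it has no `check-state` rule; both belong to the stateful-NAT layout in the FreeBSD Handbook's IPFW chapter, which the script otherwise follows. In that layout, natd is applied to inbound packets first and `check-state` runs right after it, so replies are compared against state after they have been un-NATed; permitted outbound traffic records its state while it still carries the private source address and then jumps to rule 500, where it is NATed and allowed out. The script below is an added rewrite of the same policy on that layout (editor's example, not the poster's script); interface, Squid address and server addresses are taken from the post, and `divert natd` is natd's default port 8668, the same socket the post's `divert 8668` names.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same policy rebuilt on
# the stateful-NAT layout from the FreeBSD Handbook's IPFW chapter.
# Inbound traffic is un-NATed (rule 040) and then matched by check-state (050);
# permitted outbound traffic records state with the private address and jumps
# to 500, where it is NATed and allowed. Addresses below are from the post.
pif="rl0"                     # public interface
lan="192.168.0.0/24"
proxy="192.168.0.2"           # Squid listens on 3128
skip="skipto 500"             # permitted outbound traffic jumps here for NAT

add() { $ipfw_cmd add "$@"; }

# load_rules [command]: pass "echo" to print the rules instead of loading them.
load_rules() {
    ipfw_cmd="${1:-ipfw -q}"
    $ipfw_cmd -f flush

    add 010 allow ip from any to any via lo0
    add 020 allow ip from any to $proxy                        # as the post's rule 020
    add 030 fwd $proxy,3128 tcp from $lan to any dst-port 80   # transparent Squid
    add 040 divert natd ip from any to any in via $pif         # un-NAT inbound first
    add 050 check-state                                        # then match replies to state

    # Permitted outbound sessions: state is recorded here, NAT happens at 500.
    # DNS (the two resolvers from the post)
    add 060 $skip tcp from any to 200.153.0.68 53 out via $pif setup keep-state
    add 061 $skip udp from any to 200.153.0.68 53 out via $pif keep-state
    add 062 $skip tcp from any to 200.153.0.192 53 out via $pif setup keep-state
    add 063 $skip udp from any to 200.153.0.192 53 out via $pif keep-state
    # HTTP/HTTPS (Squid's own outbound fetches included)
    add 070 $skip tcp from any to any 80 out via $pif setup keep-state
    add 071 $skip tcp from any to any 443 out via $pif setup keep-state
    # SMTP and POP
    add 080 $skip tcp from any to 200.246.179.88 25 out via $pif setup keep-state
    add 081 $skip tcp from any to 200.246.179.88 110 out via $pif setup keep-state
    # root on the firewall itself
    add 090 $skip tcp from me to any out via $pif setup keep-state uid root
    # ping
    add 110 $skip icmp from any to any out via $pif keep-state

    add 450 deny log ip from any to any

    # skipto target: NAT permitted outbound traffic and let it out
    add 500 divert natd ip from any to any out via $pif
    add 510 allow ip from any to any
}

# sh rules.sh --dry-run prints the rules; sh rules.sh --load installs them.
case "${1:-}" in
    --dry-run) load_rules echo ;;
    --load)    load_rules ;;
esac
```

Two things are worth checking after loading: `ipfw -d list` should show dynamic entries whose inside address is the 192.168.0.x client rather than the public address, and the security log should no longer show rule 450 denying packets whose source port is 53, 110 or 25. Note that `check-state` must come after the inbound divert and before the first `keep-state` rule, since ipfw consults the dynamic table at the first `check-state`, `keep-state` or `limit` rule it reaches.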


More information about the freebsd-questions mailing list