IPFW - Creating my own rules
Rodrigo G. Tavares de Souza
rodrigo at sensorsistemas.com.br
Mon Mar 20 19:29:44 UTC 2006
Hi,
I'm trying to configure IPFW with no success.
Do I need to configure [in] access to each service allowed?
I have these services:
- Public DNS Server (outside);
- Public POP Server (outside);
- Public SMTP Server (outside);
- Squid as Proxy;
All the Internet traffic is being redirected to Squid. I need to open
DNS, POP and SMTP.
What is wrong with the following rules file?
Best Regards,
Rodrigo Souza
Sao Paulo - Brazil
-----------------------------------------------
security log file
-----------------------------------------------
Mar 20 15:45:15 bsd-net kernel: ipfw: 450 Deny TCP 207.46.6.75:1863 192.168.0.103:1580 in via rl0
Mar 20 15:45:18 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:44 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:49 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
...
Mar 20 15:45:59 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
Mar 20 15:46:00 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0
Mar 20 15:46:01 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0
-----------------------------------------------
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
pif="rl0"
skip="skipto 500"
ks="keep-state"
$cmd 010 divert 8668 ip from any to any via $pif
$cmd 020 allow all from any to 192.168.0.2
$cmd 030 allow all from any to any via lo0
$cmd 040 fwd 192.168.0.2,3128 tcp from 192.168.0.0/24 to any dst-port 80
# DNS SERVER
# ********************************
$cmd 050 allow tcp from any to 200.153.0.68 53 out via $pif setup $ks
$cmd 055 allow udp from any to 200.153.0.68 53 out via $pif $ks
$cmd 060 allow tcp from any to 200.153.0.192 53 out via $pif setup $ks
$cmd 065 allow udp from any to 200.153.0.192 53 out via $pif $ks
# INTERNET
# ********************************
$cmd 070 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 075 allow tcp from any to any 443 out via $pif setup keep-state
# POP AND SMTP SERVER
# ********************************
$cmd 080 allow tcp from any to 200.246.179.88 25 out via $pif setup $ks
$cmd 085 allow tcp from any to 200.246.179.88 110 out via $pif setup $ks
# FULL root RIGHTS
# ********************************
$cmd 090 allow tcp from me to any out via $pif setup keep-state uid root
# PING
# ********************************
$cmd 110 allow icmp from any to any out via $pif keep-state
# DENY NOT ALLOWED
# ********************************
$cmd 450 deny log all from any to any via $pif
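The log above is the most useful evidence in the post: every denied packet is inbound on rl0 and hits the final rule 450, and most of them come from the very servers (200.153.0.68 port 53, 200.246.179.88 ports 25 and 110) that rules 050-085 allow outbound with keep-state. Replies to an allowed stateful session should match the dynamic rule and never reach the catch-all deny; when they do, the dynamic rule is not matching the return packet, which is what to look at first (one common cause is address translation happening between the stateful rule and the packet it is supposed to recognise). The following parser, an added example that is not part of the original post or of FreeBSD, reads ipfw "Deny" lines of the form shown, splits them into fields, and classifies each denial as a reply from a server the ruleset allows versus genuinely unsolicited traffic. The sample log is a constructed copy of the lines quoted above; the allowed-server table is taken from the posted rules 050-085. ICMP log lines have a different format (no ports) and are skipped.

```python
import re
from collections import Counter

# Constructed sample: the ipfw log lines quoted in the post (duplicates dropped;
# the part the author elided with "..." is not reproduced).
SAMPLE_LOG = """\
Mar 20 15:45:15 bsd-net kernel: ipfw: 450 Deny TCP 207.46.6.75:1863 192.168.0.103:1580 in via rl0
Mar 20 15:45:18 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:44 bsd-net kernel: ipfw: 450 Deny UDP 200.153.0.68:53 192.168.0.109:1056 in via rl0
Mar 20 15:45:49 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:110 192.168.0.114:2238 in via rl0
Mar 20 15:46:00 bsd-net kernel: ipfw: 450 Deny TCP 200.246.179.88:25 192.168.0.161:2090 in via rl0
"""

# (proto, server, port) endpoints the posted ruleset allows outbound with
# keep-state (rules 050-085).  Replies from these should be matched by the
# dynamic rule, so seeing them in the deny log is a misconfiguration signal.
ALLOWED_SERVERS = {
    ("TCP", "200.153.0.68", 53), ("UDP", "200.153.0.68", 53),
    ("TCP", "200.153.0.192", 53), ("UDP", "200.153.0.192", 53),
    ("TCP", "200.246.179.88", 25), ("TCP", "200.246.179.88", 110),
}

# Matches the TCP/UDP form of an ipfw log line: "ipfw: <rule> <Action> <PROTO>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>".  ICMP lines carry no
# ports and are deliberately not matched.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP)"
    r" (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of fields for a TCP/UDP ipfw log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a denied packet by whether its source is an allowed server."""
    if rec["dir"] == "in" and (rec["proto"], rec["src"], rec["sport"]) in ALLOWED_SERVERS:
        return "reply-from-allowed-server"
    return "unsolicited"


def summarize(log_text):
    """Count denied packets per (rule, class, proto, src, sport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        counts[(rec["rule"], classify(rec), rec["proto"], rec["src"], rec["sport"])] += 1
    return counts


def class_totals(log_text):
    """Collapse summarize() down to a per-class count."""
    totals = Counter()
    for (_rule, cls, _proto, _src, _sport), n in summarize(log_text).items():
        totals[cls] += n
    return totals


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        rule, cls, proto, src, sport = key
        print(f"rule {rule} {cls:26} {proto} {src}:{sport}  x{n}")
    print(dict(class_totals(SAMPLE_LOG)))
```

Run against a live /var/log/security, a high "reply-from-allowed-server" count is the thing to chase before adding more allow rules: the allow already exists, it is the state match that is failing. The single "unsolicited" entry (207.46.6.75:1863 to a LAN host) is traffic no rule in the script permits, so that deny is the ruleset working as written.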