Need somw further help on ipfw rules

Anton anton at sng.by
Tue Jun 23 02:45:59 UTC 2009


   Hello freebsd-questions,

     Finally, I ve got to work my ipfw firewall with two NATs (one for   local resources, provided by ISP, one for VPN - which leads me to
   Internet
   But I need further help on it :-(

   Here is my rules:

   #!/bin/sh

   ipfw='/sbin/ipfw -q'

   mynet='192.168.0.0/24'

   myprefix='192.168.0.'

   adsl_out='xl0'

   vpn_out='ng0'

   if_loc='rl0'

   gw_loc='10.30.100.5'

   route1='81.25.32.5/32'

   route2='81.25.32.6/32'

   route3='81.25.32.13/32'

   route4='81.25.32.15/32'

   route5='81.25.32.25/32'

   route6='81.25.32.34/32'

   route7='81.25.32.30/32'

   route8='81.25.32.67/32'

   route9='81.25.32.48/32'

   route10='81.25.32.40/32'

   route11='81.25.32.68/32'

   route12='81.25.32.69/32'

   route13='81.25.32.70/32'

   route14='81.25.32.71/32'

   route15='81.25.32.81/32'

   route16='81.25.32.82/32'

   route17='81.25.32.96/32'

   route18='72.167.232.126/32'

   route19='81.25.32.97/32'

   route20='81.25.34.96/28'

   ${ipfw} -f flush

   ${ipfw} table 12 flush

   ${ipfw} -f pipe flush

   ${ipfw} -f queue flush

   ${ipfw} pipe 1 config bw 40Kbyte/s queue 50

   ${ipfw} pipe 2 config bw 15Kbyte/s queue 50

   #Filling IPFW free-res table

   ${ipfw} table 12 add ${route1}

   ${ipfw} table 12 add ${route2}

   ${ipfw} table 12 add ${route3}

   ${ipfw} table 12 add ${route4}

   ${ipfw} table 12 add ${route5}

   ${ipfw} table 12 add ${route6}

   ${ipfw} table 12 add ${route7}

   ${ipfw} table 12 add ${route8}

   ${ipfw} table 12 add ${route9}

   ${ipfw} table 12 add ${route10}

   ${ipfw} table 12 add ${route11}

   ${ipfw} table 12 add ${route12}

   ${ipfw} table 12 add ${route13}

   ${ipfw} table 12 add ${route14}

   ${ipfw} table 12 add ${route15}

   ${ipfw} table 12 add ${route16}

   ${ipfw} table 12 add ${route17}

   ${ipfw} table 12 add ${route18}

   ${ipfw} table 12 add ${route19}

   ${ipfw} table 12 add ${route20}

   # ICMP

   ${ipfw} add 1 deny icmp from any to any frag

   ${ipfw} add 2 deny icmp from any to any in via ${adsl_out} icmptype
   5,9,
   ${ipfw} add 2 deny icmp from any to any in via ${vpn_out} icmptype
   5,9,1
   ${ipfw} add 3 check-state

   ${ipfw} add 4 allow all from any to any via lo0

   ${ipfw} add 4 allow all from any to any via ${if_loc}

   # Allowing myself everuthin

   ${ipfw} add 5 allow all from me to any keep-state

   #Free res

   ${ipfw} add 6 divert 8667 ip from table\(12\) to any in via
   ${adsl_out}<
   ${ipfw} add 7 divert 8667 ip from any to table\(12\) out via
   ${adsl_out}
   ${ipfw} add 8 allow all from ${mynet} to table\(12\) out via
   ${adsl_out}
   ${ipfw} add 9 allow all from table\(12\) to ${mynet} in via
   ${adsl_out}<
   #NAT to Internet

   ${ipfw} add 10 divert 8668 ip from any to any in via ${vpn_out}

   ${ipfw} add 11 divert 8668 ip from any to not table\(12\) out via
   ${vpn_
   # Deny access to unrouteable networks

   ${ipfw} add 12 reject all from any to 10.0.0.0/8 in via ${vpn_out}

   ${ipfw} add 13 reject all from any to 172.16.0.0/12 in via ${adsl_out}

   ${ipfw} add 14 reject all from any to 172.16.0.0/12 in via ${vpn_out}

   ${ipfw} add 15 reject all from any to 0.0.0.0/8 in via ${adsl_out}

   ${ipfw} add 16 reject all from any to 0.0.0.0/8 in via ${vpn_out}

   ${ipfw} add 17 reject all from any to 169.254.0.0/16 in via
   ${adsl_out}<
   ${ipfw} add 18 reject all from any to 169.254.0.0/16 in via ${vpn_out}

   # Multicast

   ${ipfw} add 19 reject all from any to 224.0.0.0/4 in via ${adsl_out}

   ${ipfw} add 20 reject all from any to 224.0.0.0/4 in via ${vpn_out}

   ${ipfw} add 21 reject all from any to 240.0.0.0/4 in via ${adsl_out}

   ${ipfw} add 22 reject all from any to 240.0.0.0/4 in via ${vpn_out}

   # Deny access from unrouteable networks

   ${ipfw} add 23 reject all from 10.0.0.0/8 to any in via ${vpn_out}

   ${ipfw} add 24 reject all from 172.16.0.0/12 to any in via ${adsl_out}

   ${ipfw} add 25 reject all from 172.16.0.0/12 to any in via ${vpn_out}

   ${ipfw} add 26 reject all from 0.0.0.0/8 to any in via ${adsl_out}

   ${ipfw} add 27 reject all from 0.0.0.0/8 to any in via ${vpn_out}

   ${ipfw} add 28 reject all from 169.254.0.0/16 to any in via
   ${adsl_out}<
   ${ipfw} add 29 reject all from 169.254.0.0/16 to any in via ${vpn_out}

   # Multicast

   ${ipfw} add 30 reject all from 224.0.0.0/4 to any in via ${adsl_out}

   ${ipfw} add 31 reject all from 224.0.0.0/4 to any in via ${vpn_out}

   ${ipfw} add 32 reject all from 240.0.0.0/4 to any in via ${adsl_out}

   ${ipfw} add 33 reject all from 240.0.0.0/4 to any in via ${vpn_out}

   #Sasser&Netbios

   ${ipfw} add 34 reject tcp from any to any 137-139,445,1022,1023

   ${ipfw} add 35 reject tcp from any 137-139,445,1022,1023 to any

   ${ipfw} add 36 reject udp from any to any 137-139,445,1022,1023

   ${ipfw} add 37 reject udp from any 137-139,445,1022,1023 to any

   #Other Defence

   ${ipfw} add 38 reject tcp from any to any not established tcpflags fin

   ${ipfw} add 39 reject tcp from any to any tcpflags fin, syn, rst, psh,
   a
   ${ipfw} add 40 reject tcp from any to any tcpflags !fin, !syn, !rst,
   !ps
   ${ipfw} add 41 deny log ip from any to any not verrevpath in

   ${ipfw} add 42 deny tcp from any to any 20-23,1900,2869,3389,5900 in
   via
   ${ipfw} add 43 deny tcp from any to any 20-23,1900,2869,3389,5900 in
   via
   ${ipfw} add 44 deny udp from any to any 1900,2869 in via ${adsl_out}

   ${ipfw} add 45 deny udp from any to any 1900,2869 in via ${vpn_out}

   #Hosts with evereday acces

   ${ipfw} add 80 pipe 2 all from ${myprefix}50 to any out via ${vpn_out}

   ${ipfw} add 81 pipe 1 all from any to ${myprefix}50 in via ${vpn_out}

   ${ipfw} add 82 allow all from ${myprefix}50 to any out via ${vpn_out}

   ${ipfw} add 83 allow all from any to ${myprefix}50 in via ${vpn_out}

   ${ipfw} add 84 allow all from ${myprefix}51 to any out via ${vpn_out}

   ${ipfw} add 85 allow all from any to ${myprefix}51 out via ${vpn_out}

   ${ipfw} add 86 pipe 2 all from ${myprefix}52 to any out via ${vpn_out}

   ${ipfw} add 87 pipe 1 all from any to ${myprefix}52 out via ${vpn_out}

   ${ipfw} add 88 allow all from ${myprefix}52 to any out via ${vpn_out}

   ${ipfw} add 89 allow all from any to ${myprefix}52 out via ${vpn_out}

   ${ipfw} add 90 allow all from ${myprefix}70 to any out via ${vpn_out}

   ${ipfw} add 91 allow all from any to ${myprefix}70 out via ${vpn_out}

   ${ipfw} add 92 allow all from ${myprefix}71 to any out via ${vpn_out}

   ${ipfw} add 93 allow all from any to ${myprefix}71 out via ${vpn_out}

   ${ipfw} add 94 allow all from ${myprefix}250 to any out via ${vpn_out}

   ${ipfw} add 95 allow all from any to ${myprefix}250 out via ${vpn_out}

   ${ipfw} add 27199 allow all from me to any

   ${ipfw} add 27200 deny log logamount 50000 all from any to any

   echo "Loaded"

   I still could not get two things:

          1) Why, if there is no rule 27199 - I have n   Internet from IP 192.168.0.50. Also, if I delete rule 83 - ident   ically, I have no access to Internet (it is after VPN), but I have
   access t
          2) I need to organize everyday access for al   network by ports 27015-27050 TCP and UDP (it is Steam & C   ounter-Strike)

   Adding the rules like this: allow tcp from ${mynet} to any 27015-27050
   o   via ${vpn_   ${vpn_out}, a   ${vpn_out} - doesnot helps
   --

   --

   Best regards,

    Anton            
    Administrator

   Feel free to contact me

   via ICQ 363780596

   via Skype dobryak47

   via phone +375 29 3320987

References

   1. 3D"mailto:anton at sng.by"


More information about the freebsd-questions mailing list