Need some further help on ipfw rules
Anton
anton at sng.by
Tue Jun 23 02:45:59 UTC 2009
Hello freebsd-questions,
Finally, I've got my ipfw firewall working with two NATs (one for local resources provided by the ISP, one for the VPN, which leads me to the Internet).
But I need further help on it :-(
Here are my rules:
#!/bin/sh
ipfw='/sbin/ipfw -q'
mynet='192.168.0.0/24'
myprefix='192.168.0.'
adsl_out='xl0'
vpn_out='ng0'
if_loc='rl0'
gw_loc='10.30.100.5'
route1='81.25.32.5/32'
route2='81.25.32.6/32'
route3='81.25.32.13/32'
route4='81.25.32.15/32'
route5='81.25.32.25/32'
route6='81.25.32.34/32'
route7='81.25.32.30/32'
route8='81.25.32.67/32'
route9='81.25.32.48/32'
route10='81.25.32.40/32'
route11='81.25.32.68/32'
route12='81.25.32.69/32'
route13='81.25.32.70/32'
route14='81.25.32.71/32'
route15='81.25.32.81/32'
route16='81.25.32.82/32'
route17='81.25.32.96/32'
route18='72.167.232.126/32'
route19='81.25.32.97/32'
route20='81.25.34.96/28'
${ipfw} -f flush
${ipfw} table 12 flush
${ipfw} -f pipe flush
${ipfw} -f queue flush
${ipfw} pipe 1 config bw 40Kbyte/s queue 50
${ipfw} pipe 2 config bw 15Kbyte/s queue 50
#Filling IPFW free-res table
${ipfw} table 12 add ${route1}
${ipfw} table 12 add ${route2}
${ipfw} table 12 add ${route3}
${ipfw} table 12 add ${route4}
${ipfw} table 12 add ${route5}
${ipfw} table 12 add ${route6}
${ipfw} table 12 add ${route7}
${ipfw} table 12 add ${route8}
${ipfw} table 12 add ${route9}
${ipfw} table 12 add ${route10}
${ipfw} table 12 add ${route11}
${ipfw} table 12 add ${route12}
${ipfw} table 12 add ${route13}
${ipfw} table 12 add ${route14}
${ipfw} table 12 add ${route15}
${ipfw} table 12 add ${route16}
${ipfw} table 12 add ${route17}
${ipfw} table 12 add ${route18}
${ipfw} table 12 add ${route19}
${ipfw} table 12 add ${route20}
# ICMP
${ipfw} add 1 deny icmp from any to any frag
${ipfw} add 2 deny icmp from any to any in via ${adsl_out} icmptype 5,9,
${ipfw} add 2 deny icmp from any to any in via ${vpn_out} icmptype 5,9,1
${ipfw} add 3 check-state
${ipfw} add 4 allow all from any to any via lo0
${ipfw} add 4 allow all from any to any via ${if_loc}
# Allowing myself everything
${ipfw} add 5 allow all from me to any keep-state
#Free res
${ipfw} add 6 divert 8667 ip from table\(12\) to any in via ${adsl_out}
${ipfw} add 7 divert 8667 ip from any to table\(12\) out via ${adsl_out}
${ipfw} add 8 allow all from ${mynet} to table\(12\) out via ${adsl_out}
${ipfw} add 9 allow all from table\(12\) to ${mynet} in via ${adsl_out}
#NAT to Internet
${ipfw} add 10 divert 8668 ip from any to any in via ${vpn_out}
${ipfw} add 11 divert 8668 ip from any to not table\(12\) out via ${vpn_
# Deny access to unrouteable networks
${ipfw} add 12 reject all from any to 10.0.0.0/8 in via ${vpn_out}
${ipfw} add 13 reject all from any to 172.16.0.0/12 in via ${adsl_out}
${ipfw} add 14 reject all from any to 172.16.0.0/12 in via ${vpn_out}
${ipfw} add 15 reject all from any to 0.0.0.0/8 in via ${adsl_out}
${ipfw} add 16 reject all from any to 0.0.0.0/8 in via ${vpn_out}
${ipfw} add 17 reject all from any to 169.254.0.0/16 in via ${adsl_out}
${ipfw} add 18 reject all from any to 169.254.0.0/16 in via ${vpn_out}
# Multicast
${ipfw} add 19 reject all from any to 224.0.0.0/4 in via ${adsl_out}
${ipfw} add 20 reject all from any to 224.0.0.0/4 in via ${vpn_out}
${ipfw} add 21 reject all from any to 240.0.0.0/4 in via ${adsl_out}
${ipfw} add 22 reject all from any to 240.0.0.0/4 in via ${vpn_out}
# Deny access from unrouteable networks
${ipfw} add 23 reject all from 10.0.0.0/8 to any in via ${vpn_out}
${ipfw} add 24 reject all from 172.16.0.0/12 to any in via ${adsl_out}
${ipfw} add 25 reject all from 172.16.0.0/12 to any in via ${vpn_out}
${ipfw} add 26 reject all from 0.0.0.0/8 to any in via ${adsl_out}
${ipfw} add 27 reject all from 0.0.0.0/8 to any in via ${vpn_out}
${ipfw} add 28 reject all from 169.254.0.0/16 to any in via ${adsl_out}
${ipfw} add 29 reject all from 169.254.0.0/16 to any in via ${vpn_out}
# Multicast
${ipfw} add 30 reject all from 224.0.0.0/4 to any in via ${adsl_out}
${ipfw} add 31 reject all from 224.0.0.0/4 to any in via ${vpn_out}
${ipfw} add 32 reject all from 240.0.0.0/4 to any in via ${adsl_out}
${ipfw} add 33 reject all from 240.0.0.0/4 to any in via ${vpn_out}
#Sasser&Netbios
${ipfw} add 34 reject tcp from any to any 137-139,445,1022,1023
${ipfw} add 35 reject tcp from any 137-139,445,1022,1023 to any
${ipfw} add 36 reject udp from any to any 137-139,445,1022,1023
${ipfw} add 37 reject udp from any 137-139,445,1022,1023 to any
#Other Defence
${ipfw} add 38 reject tcp from any to any not established tcpflags fin
${ipfw} add 39 reject tcp from any to any tcpflags fin, syn, rst, psh, a
${ipfw} add 40 reject tcp from any to any tcpflags !fin, !syn, !rst, !ps
${ipfw} add 41 deny log ip from any to any not verrevpath in
${ipfw} add 42 deny tcp from any to any 20-23,1900,2869,3389,5900 in via
${ipfw} add 43 deny tcp from any to any 20-23,1900,2869,3389,5900 in via
${ipfw} add 44 deny udp from any to any 1900,2869 in via ${adsl_out}
${ipfw} add 45 deny udp from any to any 1900,2869 in via ${vpn_out}
#Hosts with everyday access
${ipfw} add 80 pipe 2 all from ${myprefix}50 to any out via ${vpn_out}
${ipfw} add 81 pipe 1 all from any to ${myprefix}50 in via ${vpn_out}
${ipfw} add 82 allow all from ${myprefix}50 to any out via ${vpn_out}
${ipfw} add 83 allow all from any to ${myprefix}50 in via ${vpn_out}
${ipfw} add 84 allow all from ${myprefix}51 to any out via ${vpn_out}
${ipfw} add 85 allow all from any to ${myprefix}51 out via ${vpn_out}
${ipfw} add 86 pipe 2 all from ${myprefix}52 to any out via ${vpn_out}
${ipfw} add 87 pipe 1 all from any to ${myprefix}52 out via ${vpn_out}
${ipfw} add 88 allow all from ${myprefix}52 to any out via ${vpn_out}
${ipfw} add 89 allow all from any to ${myprefix}52 out via ${vpn_out}
${ipfw} add 90 allow all from ${myprefix}70 to any out via ${vpn_out}
${ipfw} add 91 allow all from any to ${myprefix}70 out via ${vpn_out}
${ipfw} add 92 allow all from ${myprefix}71 to any out via ${vpn_out}
${ipfw} add 93 allow all from any to ${myprefix}71 out via ${vpn_out}
${ipfw} add 94 allow all from ${myprefix}250 to any out via ${vpn_out}
${ipfw} add 95 allow all from any to ${myprefix}250 out via ${vpn_out}
${ipfw} add 27199 allow all from me to any
${ipfw} add 27200 deny log logamount 50000 all from any to any
echo "Loaded"
I still could not get two things:
1) Why, if there is no rule 27199, do I have no Internet from IP 192.168.0.50? Also, if I delete rule 83, identically, I have no access to the Internet (it is after the VPN), but I have access t
2) I need to organize everyday access for the whole network on ports 27015-27050 TCP and UDP (it is Steam & Counter-Strike).
Adding rules like this: allow tcp from ${mynet} to any 27015-27050
o via ${vpn_ ${vpn_out}, a ${vpn_out} - does not help
--
Best regards,
Anton
Administrator
Feel free to contact me
via ICQ 363780596
via Skype dobryak47
via phone +375 29 3320987
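The two situations the post asks about (rule 27199 and rule 83) both come down to how ipfw walks a rule list: first match wins, a divert rule hands the packet to natd and evaluation resumes at the next rule with the rewritten addresses, and a pipe rule ends the search when net.inet.ip.fw.one_pass is set. The following is an added example, not code from the post and not ipfw itself: a small Python model of that subset of ipfw semantics, loaded with a reduced copy of the post's ng0 rules, so the effect of removing a rule can be traced offline. The gateway address on ng0 (198.51.100.7), the peer address (203.0.113.9), the set of addresses that "me" matches, and the NAT behaviour are constructed assumptions; the model does not know about tables, keep-state or the adsl_out path.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule semantics (added example)."""
from dataclasses import dataclass, replace
from typing import Optional

LAN_HOST = "192.168.0.50"       # the host from the post
VPN_ADDR = "198.51.100.7"       # constructed: the gateway's own address on ng0
LOCAL_ADDRS = {VPN_ADDR, "10.30.100.5", "192.168.0.1"}  # constructed: what 'me' matches

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str                   # "in" or "out"
    iface: str

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # allow | deny | divert | pipe
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None: matches both directions
    iface: Optional[str] = None      # None: matches any interface

def ip_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def addr_match(pattern: str, addr: str) -> bool:
    """'any', 'me', a CIDR prefix or a single address, as in ipfw syntax."""
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in LOCAL_ADDRS
    if "/" in pattern:
        net, bits = pattern.split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
        return ip_int(net) & mask == ip_int(addr) & mask
    return pattern == addr

def matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))

class ToyNat:
    """Stand-in for natd(8): rewrite the source going out, remember the peer,
    and restore the inside address on the matching reply."""
    def __init__(self) -> None:
        self.sessions: dict = {}     # remote address -> inside host

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            self.sessions[pkt.dst] = pkt.src
            return replace(pkt, src=VPN_ADDR)
        inside = self.sessions.get(pkt.src)
        if pkt.dst == VPN_ADDR and inside:
            return replace(pkt, dst=inside)
        return pkt

def evaluate(rules, pkt, nat, one_pass=True):
    """Walk rules in number order and return (verdict, rule number).
    A divert hands the packet to the NAT and the search resumes at the next
    rule with the rewritten addresses; a pipe ends the search when one_pass
    is set (the net.inet.ip.fw.one_pass default); 65535 is the default deny."""
    for rule in sorted(rules, key=lambda r: r.num):
        if not matches(rule, pkt):
            continue
        if rule.action in ("allow", "deny"):
            return rule.action, rule.num
        if rule.action == "divert":
            pkt = nat.translate(pkt)
        elif rule.action == "pipe" and one_pass:
            return "allow", rule.num
    return "deny", 65535

def post_ruleset(include_27199=True, include_83=True):
    """Reduced model of the post's rules on the ng0 (VPN) path."""
    rules = [
        Rule(5, "allow", src="me"),
        Rule(10, "divert", direction="in", iface="ng0"),
        Rule(11, "divert", direction="out", iface="ng0"),
        Rule(80, "pipe", src=LAN_HOST, direction="out", iface="ng0"),
        Rule(81, "pipe", dst=LAN_HOST, direction="in", iface="ng0"),
        Rule(82, "allow", src=LAN_HOST, direction="out", iface="ng0"),
        Rule(27200, "deny"),
    ]
    if include_83:
        rules.append(Rule(83, "allow", dst=LAN_HOST, direction="in", iface="ng0"))
    if include_27199:
        rules.append(Rule(27199, "allow", src="me"))
    return rules

def trace_session(include_27199=True, include_83=True, one_pass=True):
    """One packet from the LAN host to a constructed peer, then its reply."""
    nat = ToyNat()
    rules = post_ruleset(include_27199, include_83)
    out = Packet(LAN_HOST, "203.0.113.9", "out", "ng0")
    reply = Packet("203.0.113.9", VPN_ADDR, "in", "ng0")
    return evaluate(rules, out, nat, one_pass), evaluate(rules, reply, nat, one_pass)

if __name__ == "__main__":
    for args in ({}, {"include_27199": False}, {"one_pass": False},
                 {"include_83": False, "one_pass": False}):
        print(args or "post's rules as given", "->", trace_session(**args))
```

In this model the outbound packet is rewritten by the divert at rule 11 before rules 80-82 are reached, so the rules keyed on 192.168.0.50 never match the translated packet and only a later "from me" rule (27199) or the default rule decides its fate; the inbound reply is de-translated at rule 10 and then either stops at pipe rule 81 (one_pass set) or continues to rule 83 (one_pass cleared), which is where the 83 and one_pass interaction shows up. Whether the real box behaves the same depends on the parts the model leaves out (the table, keep-state and the sysctl value), so the traces are a starting point for reading the rule order, not a diagnosis.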