help me

Gregory Edigarov greg at profi.kharkov.ua
Fri Apr 30 09:14:16 PDT 2004


Hello,

The following is my rc.firewall.
If I turn on rules no. 600-800, everything works just fine, but it
compromises the whole system's security because of rule 800.
But without it, nothing works. What should I do?

Yet another thing: soon I will need to allow access to natd for the
IP 192.168.7.70 when it is passed from any of the ppp interfaces.
How can I do this?

#!/bin/sh
ipfw -f flush

# Match packets against existing dynamic (keep-state) entries first.
ipfw add 100 check-state

ipfw add 200 allow all from any to any via lo0

# Drop RFC 1918 source addresses arriving on the external interface.
ipfw add 300 deny all from 10.0.0.0/8 to any in via tun0
ipfw add 400 deny all from 172.16.0.0/12 to any in via tun0
ipfw add 500 deny all from 192.168.0.0/16 to any in via tun0

# natd section, currently commented out; rule 800 is the catch-all
# allow discussed above.
#ipfw add 600 divert natd all from 192.168.5.220 to any out xmit tun0
#ipfw add 700 divert natd all from any to any in recv tun0
#ipfw add 800 allow all from any to any

# ICMP, fragments, and internal addresses that must not leave via tun0.
ipfw add 900 allow icmp from me to any keep-state
ipfw add 950 allow icmp from 192.168.5.0/24 to me
ipfw add 1000 deny all from any to any frag
ipfw add 1100 deny all from 192.168.5.0/24 to any xmit tun0
ipfw add 1200 deny all from 192.168.7.0/24 to any xmit tun0

# GRE for the PPTP tunnels (see rule 2500).
ipfw add 1300 allow gre from 192.168.5.0/24 to me
ipfw add 1400 allow gre from me to any

# Outbound from this host, stateful; inbound TCP per service.
ipfw add 1500 allow udp from me to any keep-state
ipfw add 1600 allow tcp from me to any keep-state
ipfw add 1700 allow tcp from any to any established
ipfw add 1800 allow tcp from any to me 25 setup
ipfw add 1900 allow tcp from any to me ssh setup
ipfw add 2000 allow tcp from 192.168.7.0/24 to me 3128 setup
ipfw add 2100 allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add 2200 allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add 2300 allow tcp from any to me http setup via tun0
ipfw add 2400 allow tcp from 192.168.7.0/24 to me setup via ppp\*
ipfw add 2500 allow tcp from 192.168.5.0/24 to me pptp setup
# The backslash escapes the hyphen in the service name, so ipfw reads
# this as the port range ftp-data to ftp.
ipfw add 2600 allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via sk0
ipfw add 2700 allow udp from 192.168.7.0/24 to me 53
ipfw add 2800 allow udp from 192.168.5.0/24 to me 53

ipfw add 2900 allow tcp from any to me 53 setup

# Default: deny and log everything else.
ipfw add 3000 deny log all from any to any

-- 
With best regards,
        Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                        Systems Administrator
------------------------------------------------------------------------------
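As an added example (not part of the post above), the natd section written as a reviewable function: it keeps the two divert rules, leaves out the catch-all rule 800, and adds the interface-qualified divert for 192.168.7.70 that the post asks about, using the recv/xmit pair documented in ipfw(8). Addresses and interface names are the ones from the post; the IPFW variable defaults to "echo ipfw" so the rules can be inspected before being applied with IPFW=ipfw.

```shell
#!/bin/sh
# Added example, not the poster's script. IPFW defaults to a dry run
# that only prints the commands; set IPFW=ipfw to load the rules.
IPFW="${IPFW:-echo ipfw}"

nat_rules() {
    # Outbound: translate the fixed internal host before it leaves tun0.
    $IPFW add 600 divert natd all from 192.168.5.220 to any out xmit tun0

    # Outbound for 192.168.7.70 only when it arrived on a ppp link and is
    # about to leave via tun0. Giving both recv and xmit checks both
    # interfaces (ipfw(8)); the quoted ppp* is an ipfw wildcard, kept
    # from shell globbing.
    $IPFW add 650 divert natd all from 192.168.7.70 to any out recv 'ppp*' xmit tun0

    # Inbound: hand replies arriving on tun0 back to natd for
    # de-translation.
    $IPFW add 700 divert natd all from any to any in recv tun0

    # Deliberately no "allow all from any to any" here: after a divert
    # the reinjected packet continues at the next rule, so the stateful
    # and per-service rules below still make the accept/deny decision.
}

nat_rules
```

Whether the remaining stateful rules then pass the translated traffic has to be checked on the box itself; the function only shows the rule syntax without the blanket allow.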

