dialup firewalling
Thomas Wolf
tw at wsf.at
Thu Jan 22 00:33:26 PST 2004
Marc Silver <marcs at draenor.org> wrote:
> Hi guys,
>
> Thanks very much. You have all been fantastic, and a great help to me.
> I've revised the document to use PPP NAT, and amended the ruleset as
> below:
>
> # Define the firewall command (as in /etc/rc.firewall) for easy
> # reference. Helps to make it easier to read.
> fwcmd="/sbin/ipfw"
>
> # Define our outside interface. With userland-ppp this
> # defaults to tun0.
> oif="tun0"
Assuming that you are building a gateway for your LAN,
you will need some rules for your internal interface too, so:
iif="fxp0" # whatever your internal interface is ...
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
Suggestion - Stop spoofing on your outside interface:
$fwcmd add deny ip from any to any in via $oif not verrevpath
> $fwcmd add allow ip from me to any out via $oif keep-state
> $fwcmd add deny tcp from any to any established in via $oif
>
Somewhere, you have to allow the traffic LAN -> WAN to
enter your gateway:
$fwcmd add allow ip from any to not me in via $iif
(If you allow your LAN to access all services
on your gateway, you could also do:
$fwcmd add allow ip from any to any via $iif)
Allowing traffic via lo0, as Tony suggested, is also a good idea:
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any
> # Allow internet users to connect to the port 22 and 80.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state
If you do not have the 'any to any via $iif' rule, you should
specify the services on the gateway allowed for the LAN:
$fwcmd add allow tcp from any to me dst-port 22,80 in via $iif setup keep-state
>
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
>
> # Deny and log all the rest.
> $fwcmd add deny log ip from any to any
Personally, I prefer 'reset' or 'unreach' instead of 'deny',
but that's a matter of personal taste. I suggest
resetting at least incoming packets to port 113, to avoid delays
when accessing your mailserver.
Thomas
--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
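The following script is an added example and not part of the thread; it is neither Marc's nor Thomas's code. It merges Marc's ruleset with the additions Thomas suggests (internal interface, anti-spoofing with verrevpath, lo0 handling, a reset for port 113) into one ordered set that can be dry-run before it is handed to /sbin/ipfw. The interface names (tun0, fxp0) and the LAN prefix 192.168.1.0/24 are assumptions for the example. It also makes one assumption beyond the thread: with userland ppp doing the NAT, ipfw on tun0 sees the untranslated LAN addresses, so the rule that admits LAN traffic on the inside interface keeps state; that way the same connection matches check-state on its way out via tun0 and on its way back, instead of relying on the 'from me' rule, which only matches traffic the gateway itself originates. The LAN rule is also restricted to the LAN prefix rather than 'from any', which stops spoofed sources on the inside interface as well.

```shell
#!/bin/sh
# Added example, not code from the freebsd-ipfw thread.
# Builds a dialup NAT gateway ruleset (Marc's rules plus Thomas's
# suggestions) in evaluation order and loads it with ipfw.

oif="tun0"              # outside interface (userland ppp default)
iif="fxp0"              # inside interface; assumed, use your LAN NIC
lan="192.168.1.0/24"    # assumed LAN prefix behind the gateway

# gateway_rules prints one ipfw rule (without the leading "ipfw") per
# line, in the order ipfw will evaluate them. Keeping them in a function
# lets you inspect the set (gateway_rules | cat -n) before loading it.
gateway_rules() {
    cat <<EOF
add allow all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
add deny ip from any to any in via $oif not verrevpath
add check-state
add allow ip from me to any out via $oif keep-state
add deny tcp from any to any established in via $oif
add allow ip from $lan to not me in via $iif keep-state
add allow tcp from $lan to me dst-port 22,80 in via $iif setup keep-state
add allow tcp from any to me dst-port 22,80 in via $oif setup keep-state
add reset tcp from any to me dst-port 113 in via $oif
add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
add deny log ip from any to any
EOF
}

# rule_index PATTERN prints the 1-based position of the first rule whose
# text matches PATTERN (a grep pattern). Useful to check that, e.g.,
# check-state is evaluated before any keep-state rule.
rule_index() {
    gateway_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# load_rules [FWCMD] flushes the current set and loads gateway_rules
# through FWCMD (default /sbin/ipfw). Pass "echo" for a dry run that
# prints exactly what would be executed.
load_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    "$fwcmd" -f flush
    gateway_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        "$fwcmd" $rule
    done
}

# Dry run when executed directly; replace "echo" with nothing to load for real.
if [ "${0##*/}" = "gateway.sh" ]; then
    load_rules echo
fi
```

The dry run (load_rules echo) shows the flush followed by the thirteen rules in order. The port-113 reset sits before the final deny so an ident probe from a remote mail server gets an immediate RST instead of timing out, and the verrevpath check precedes check-state so a spoofed packet arriving on tun0 never gets to consult the dynamic rule table.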