ipfw with four interfaces
Arvinn Lokkebakken
arvinn at sandakerveien.net
Wed Sep 3 05:25:15 PDT 2003
>
> Try having the very first rule divert ip from any to any to natd. Then
> you can configure natd to only affect RFC 1918 packets by adding -u to
> the command line. NAT will take the packet, process it if it's an
> RFC 1918 address and, if not, allow it to pass, then reinject it into
> the firewall at rule 2 (or the next available rule) and continue
> processing the ruleset.
>
As I described, I already use this flag. The problem with having the
divert at the top is that I get thrown off my ssh connection every time
I try to reload natd or ipfw. Does it matter if I allow ssh from my
network before I divert packets to natd?
> I've not been awake for long and have had little to no Mt Dew yet, so
> don't hold this against me. Without going over this for a while, which
> I recommend when doing a firewall, this may be something in the
> neighborhood of what you're looking for.
>
> In your /usr/local/etc/natd.sh
>
> #!/bin/sh
> natd -interface xl2 -s -m -u
>
> Or if you start it from rc.conf:
>
> natd_flags="-s -m -u "
>
>
I use a natd config file with all these flags, so that is taken care of.
> The -s tells it to use sockets so that FTP doesn't get broken. You may
> not need this.
> The -m tells natd to attempt to use the same port as the originating
> host.
> The -u tells natd to only translate RFC 1918 packets.
>
> In your firewall rules file:
>
> ###############
> # more fwrules
> fwcmd="/sbin/ipfw"
> extif="xl2"
> dmzif="fxp0"
> lanif="xl0"
> motorif="xl1"
> #
> #
> $fwcmd -f flush
> #
> #
> #NATD Divert (use the variable, not the literal interface name)
> $fwcmd add 1 divert natd all from any to any via $extif
> #
> #You want blocked outbound ports to match early on in the firewall.
> #
> # Blocking ports out to Internet that I don't like:
> $fwcmd add 100 deny tcp from any to any 135-139 out via $extif
> $fwcmd add 100 deny tcp from any to any 445 out via $extif
> #
> #Then your allows:
> #
> #Network Allows
> $fwcmd add 300 allow ip from any to any via $extif
> $fwcmd add 300 allow ip from any to any via $dmzif
> $fwcmd add 300 allow ip from any to any via $lanif
> $fwcmd add 300 allow ip from any to any via $motorif
>
>
Hm... You really mean I should add that first allow line there? These
four rules together are basically the same as "ipfw add allow ip from
any to any", aren't they?
> # Allow http to the whole dmz from Internet:
> $fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
> #
> # Allow smtp and pop3 to the mailserver from Internet:
> $fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif
>
>
Aren't these two rules overlapping the first 300 rule?
> #Lastly, your denies
> #
> #Network Denies
> #
> # Default Block
> $fwcmd add 65000 deny ip from any to any
>
> Hope this helps you out.
>
>
>
I haven't been able to try them out yet, but I don't feel allowing the
first 300 rule will help me much, as it has the firewall allowing all
traffic for me, and I wasn't really planning to allow everything in. And
will deny rules have any effect when the traffic is already allowed?
Arvinn
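The two questions raised in this message (do rules 400/500 overlap rule 300, and does a later deny do anything once traffic is allowed) both come down to ipfw evaluating rules in number order and stopping at the first allow or deny. The following simulator is an added example, not code from the thread or from FreeBSD; it replays the posted ruleset over a few constructed packets. Interface names follow the posted script (xl2, fxp0, xl0, xl1); the addresses 203.0.113.80/28, 203.0.113.84 and 198.51.100.7 are constructed stand-ins for the w.x.y.80/28 and w.x.y.84 placeholders and for an Internet host. The natd address rewrite is not modelled; a matching divert rule simply lets evaluation continue at the next rule, as ipfw does after reinjection.

```python
"""ipfw first-match simulator (added example, not from the thread).

Stand-in addresses below are constructed: 203.0.113.80/28 for w.x.y.80/28,
203.0.113.84 for w.x.y.84, 198.51.100.7 for an arbitrary Internet host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTIF, DMZIF, LANIF, MOTORIF = "xl2", "fxp0", "xl0", "xl1"
DMZ_NET = "203.0.113.80/28"      # assumed stand-in for w.x.y.80/28
MAIL_HOST = "203.0.113.84"       # assumed stand-in for w.x.y.84
INTERNET_HOST = "198.51.100.7"   # constructed remote address


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    iface: str            # interface the packet is seen on
    direction: str        # "in" or "out" relative to that interface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    proto: str = "ip"                # "ip"/"all" match every protocol
    src: str = "any"
    dst: str = "any"
    dports: Tuple[int, ...] = ()     # empty = any destination port
    iface: Optional[str] = None      # None = not tied to an interface
    direction: Optional[str] = None  # None = "via": either direction


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every qualifier on the rule is satisfied by the packet."""
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (number, action) of the first terminating rule, as ipfw does.

    A divert match does not terminate: natd reinjects the packet and ipfw
    resumes at the next rule (the address rewrite itself is not modelled).
    With no match the kernel's built-in rule 65535 applies; it denies unless
    the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    """
    for rule in sorted(rules, key=lambda r: r.number):  # stable sort keeps insertion order
        if rule_matches(rule, pkt):
            if rule.action == "divert":
                continue
            return rule.number, rule.action
    return 65535, "deny"


def shadowed_rules(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Numbers of rules that a probe packet matches but never reaches,
    because an earlier rule already decided that packet's fate."""
    shadowed = set()
    for pkt in probes:
        winner, _ = first_match(rules, pkt)
        shadowed.update(r.number for r in rules
                        if r.number > winner and rule_matches(r, pkt))
    return sorted(shadowed)


# The ruleset as posted in the thread, with its rule numbers.
POSTED_RULES = [
    Rule(1, "divert", "all", iface=EXTIF),
    Rule(100, "deny", "tcp", dports=(135, 136, 137, 138, 139), iface=EXTIF, direction="out"),
    Rule(100, "deny", "tcp", dports=(445,), iface=EXTIF, direction="out"),
    Rule(300, "allow", iface=EXTIF),
    Rule(300, "allow", iface=DMZIF),
    Rule(300, "allow", iface=LANIF),
    Rule(300, "allow", iface=MOTORIF),
    Rule(400, "allow", "tcp", dst=DMZ_NET, dports=(80,), iface=EXTIF),
    Rule(500, "allow", "tcp", dst=MAIL_HOST, dports=(25, 110), iface=EXTIF),
    Rule(65000, "deny"),
]

# Same rules minus "allow ip from any to any via $extif", so traffic on the
# external interface must be admitted by rules 400/500 or fall to 65000.
TIGHTENED_RULES = [r for r in POSTED_RULES if not (r.number == 300 and r.iface == EXTIF)]

# Constructed probe packets.
SMTP_IN = Packet("tcp", INTERNET_HOST, MAIL_HOST, 25, EXTIF, "in")
TELNET_IN = Packet("tcp", INTERNET_HOST, MAIL_HOST, 23, EXTIF, "in")
HTTP_IN = Packet("tcp", INTERNET_HOST, "203.0.113.90", 80, EXTIF, "in")
SMB_OUT = Packet("tcp", "10.0.0.5", INTERNET_HOST, 445, EXTIF, "out")

if __name__ == "__main__":
    for name, pkt in [("smtp in", SMTP_IN), ("telnet in", TELNET_IN),
                      ("http in", HTTP_IN), ("smb out", SMB_OUT)]:
        print(f"{name:10} posted={first_match(POSTED_RULES, pkt)} "
              f"tightened={first_match(TIGHTENED_RULES, pkt)}")
    print("shadowed in posted set:", shadowed_rules(POSTED_RULES, [SMTP_IN, TELNET_IN, HTTP_IN]))
```

With the posted set, inbound SMTP to the mail host is decided by rule 300, not 500, and an inbound telnet attempt to the same host is also allowed by rule 300, so the deny at 65000 never sees it: rules 400, 500 and 65000 are dead for anything arriving on xl2. Dropping the blanket allow on $extif makes 400 and 500 the only way in and sends the telnet probe to 65000. In a real ruleset that gap must then be filled for legitimate outbound and return traffic on the external interface (for instance with keep-state/check-state rules), which this simulator does not model.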
More information about the freebsd-questions mailing list