Firewall rules

Alex de Kruijff freebsd at akruijff.dds.nl
Sun Jun 20 14:26:11 PDT 2004


On Wed, Jun 16, 2004 at 01:32:58AM +0100, Robert Downes wrote:
> JJB wrote:
> 
> >Fundamentally his keep-state rules work and yours don't.
> >
> I have used his script exactly, modifying only for the differences in my 
> ISP's addresses. Everything works as before, and still the check-state 
> rule is showing zero packets and zero bytes, even though keep-state 
> rules have been triggered. Are you sure this is not just a quirk of IPFW?
> 
> > The use of
> >the skipto rule to control what ip address goes into the dynamic
> >keep-state table, i.e. the lan ip or the natd public ip.  The bottom
> >line is native ipfw with natd and stateful rules does not work
> >together at all, unless you do some gymnastics with skipto rule so
> >the dynamic keep-state table always has the private lan ip address
> >for matching against.
> >
> Yes, this is the mechanism I cannot find a clear explanation for. Can 
> you recommend a link to a page that defines how IPFW stumbles on NAT and 
> keep-state, because I've read and re-read the IPFW man page, and it does 
> me no good whatsoever.

NAT and keep-state don't go together because NAT changes the ip 
address and this causes ipfw not to recognise the rules. The trick is to 
allow changed traffic after it has been passed through natd.

# There's no need to pass these through natd
20510 check-state
20520 skipto 20600 ip from not 192.168.31.0/24 to any out
20520 skipto 20600 ip from any to not 213.10.151.186 in
# Passing packets that could change through natd
20530 divert 8668 ip from any to any
# Allowing changed traffic.
20550 allow ip from 213.10.151.186 to any out
20550 allow ip from any to not 213.10.151.186 in
# keep-state rules here
...

> > Second problem is you are
> >allowing everything out your firewall. This is very bad as it
> >allows out any trojans or spyware from windows boxes on your lan so
> >they can report their harvested info to the person who planted them.
> >Take control of your firewall and only allow out the exact services
> >you know you are using.
> >
> No arguments there. I'm running ZoneAlarm on all Windows boxes, but it's 
> still better to aim for traffic to be killed on sight by the router.

In this case you should write something like:
20550 allow ip from 213.10.151.186 80 to any out
20550 allow ip from any 80 to not 213.10.151.186 in

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
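A toy model of the rule walk in the rule set above, added here as an example and not written by the post's author: it shows why translated LAN traffic must be allowed by rules placed after the divert (matching the public address), while the firewall's own untranslated traffic is what the keep-state table holds. Assumptions: the keep-state rule at 20600 stands in for the post's "...", natd is modelled as a masquerade keyed by remote host, and a packet is only (src, dst, direction).

```python
import ipaddress

PUBLIC_IP, LAN_NET = "213.10.151.186", "192.168.31.0/24"  # natd's public IP and the LAN, from the post

def addr_match(spec, addr):
    """ipfw-style address spec: 'any', a host or net/len, optionally prefixed with 'not '."""
    neg = spec.startswith("not ")
    return spec == "any" or (ipaddress.ip_address(addr) in ipaddress.ip_network(spec[4:] if neg else spec)) != neg
# (number, action, argument, src, dst, direction), in the post's order. The keep-state rule at
# 20600 is an assumed stand-in for the post's "...": it covers the firewall's own traffic.
RULES = [
    (20510, "check-state", None, "any", "any", None),
    (20520, "skipto", 20600, "not " + LAN_NET, "any", "out"),
    (20520, "skipto", 20600, "any", "not " + PUBLIC_IP, "in"),
    (20530, "divert", 8668, "any", "any", None),
    (20550, "allow", None, PUBLIC_IP, "any", "out"),
    (20550, "allow", None, "any", "not " + PUBLIC_IP, "in"),
    (20600, "allow", "keep-state", PUBLIC_IP, "any", "out"),
    (65535, "deny", None, "any", "any", None),
]
def natd(nat, pkt):
    """Toy natd: masquerade LAN sources going out, map replies back to the LAN host coming in."""
    src, dst, direction = pkt
    if direction == "out" and addr_match(LAN_NET, src):
        nat[dst] = src
        return (PUBLIC_IP, dst, direction)
    if direction == "in" and dst == PUBLIC_IP and src in nat:
        return (src, nat[src], direction)
    return pkt

def walk(fw, pkt):
    """Toy ipfw rule walk (not the kernel's code); fw = {"state": set(), "nat": {}}.
    Returns (action, rule number, packet as it looked when that rule matched)."""
    i = 0
    while True:
        num, action, arg, s, d, dirn = RULES[i]
        src, dst, direction = pkt
        i += 1
        if dirn not in (None, direction) or not addr_match(s, src) or not addr_match(d, dst):
            continue
        if action == "check-state" and ((src, dst) in fw["state"] or (dst, src) in fw["state"]):
            return ("allow", num, pkt)           # dynamic rule hit; parent rule's action is allow
        if action == "skipto":
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        elif action == "divert":
            pkt = natd(fw["nat"], pkt)           # packet re-enters at the next rule, rewritten
        elif action in ("allow", "deny"):
            if arg == "keep-state":
                fw["state"].add((src, dst))      # dynamic entry holds the untranslated addresses
            return (action, num, pkt)
```

Walking a LAN client's packet out and its reply in lands on the 20550 rules with translated addresses, while the firewall's own session is the only one that ever creates a dynamic entry and is answered by check-state.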


More information about the freebsd-questions mailing list