ipfw, 2 scripts

Gregory Edigarov greg at profi.kharkov.ua
Fri May 28 02:23:21 PDT 2004


Hello,


Below you will find 2 ipfw scripts: the first one is working, and the second
is very good looking, but not working.
What am I missing in the second script?

---- first script starts here ---
#!/bin/sh
ipfw -f flush

ipfw add 1 check-state


ipfw add 100 allow all from any to any via lo0

ipfw add deny all from 10.0.0.0/8 to any in via tun0
ipfw add deny all from 172.16.0.0/12 to any in via tun0
ipfw add deny all from 192.168.0.0/16 to any in via tun0

ipfw add deny all from any to any frag
ipfw add divert natd all from any to 195.5.17.86 in

ipfw add allow icmp from me to any 
ipfw add allow icmp from any to me 


ipfw add allow gre from 192.168.5.0/24 to me
ipfw add allow gre from me to any

ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow udp from any to me 53
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to me 25 setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me http setup via tun0
ipfw add allow tcp from 192.168.7.0/24 to me 3128 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via em0
ipfw add allow tcp from any to me 53 setup


ipfw add skipto 10000 all from 192.168.7.40 to any in keep-state
ipfw add skipto 10000 all from 192.168.7.65 to any in keep-state
ipfw add skipto 10000 all from 192.168.7.100 to any in keep-state
ipfw add deny all from any to any

ipfw add 10000 divert natd all from 192.168.7.40 to any out keep-state
ipfw add divert natd all from 192.168.7.65 to any out keep-state
ipfw add divert natd all from 192.168.7.100 to any out keep-state
ipfw add allow all from any to any
---- first script ends here ----

After some more thinking I decided to structure the firewall
behavior, i.e. I wanted to have different sets of rules for my 2
nets, plus one for NAT.
Here's how I've tried to do it:

---- second script starts here ----

#!/bin/sh
ipfw -f flush

ipfw add 1 check-state

# private source addresses must never arrive on the public address
ipfw add deny all from 10.0.0.0/8 to 195.5.17.86
ipfw add deny all from 172.16.0.0/12 to 195.5.17.86   # RFC 1918 block is /12, as in the first script
ipfw add deny all from 192.168.0.0/16 to 195.5.17.86

ipfw add deny all from any to any frag

# traffic originated by this host
ipfw add allow udp from me to any keep-state
ipfw add allow tcp from me to any keep-state
ipfw add allow icmp from me to any keep-state
ipfw add allow all from me to any


ipfw add allow tcp from any to any established

# dispatcher: hand each class of traffic to its own block of rules
ipfw add skipto 1000 all from any to 195.5.17.86 in via tun0
ipfw add skipto 2000 all from 192.168.5.0/24 to me in via em0
ipfw add skipto 3000 all from 192.168.7.0/24 to me in via ppp\*
ipfw add skipto 4000 all from 192.168.5.0/24 to not me via em0
ipfw add skipto 5000 all from 10.100.105.0/24 to not me via em0
ipfw add skipto 6000 all from 192.168.7.0/24 to not me out xmit tun0
ipfw add deny log all from any to any

# 1000: traffic arriving from the Internet on tun0
ipfw add 1000 divert natd all from any to 195.5.17.86

ipfw add allow tcp from any to me smtp setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me domain setup
ipfw add deny all from any to any

# 2000: base network (192.168.5.0/24) talking to this host
ipfw add 2000 allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow udp from 192.168.5.0/24 to me 53
ipfw add allow icmp from 192.168.5.0/24 to me
ipfw add allow gre from 192.168.5.0/24 to me
ipfw add deny all from any to any

# 3000: VPN network (192.168.7.0/24) talking to this host
ipfw add 3000 allow tcp from 192.168.7.0/24 to me 3128 setup
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup
ipfw add allow tcp from 192.168.7.0/24 to me 25 setup
ipfw add allow tcp from 192.168.7.0/24 to me 80 setup
ipfw add allow tcp from 192.168.7.0/24 to me 110 setup
ipfw add allow udp from 192.168.7.0/24 to me 53

ipfw add deny all from any to any

# 4000: base network reaching the friends' network (10.100.105.0/24)
ipfw add 4000 allow all from any to 10.100.105.0/24 via em0
ipfw add deny all from any to any

# 5000: friends' network coming in; never let it out to the Internet or at this host
ipfw add 5000 deny all from 10.100.105.0/24 to any out via tun0
ipfw add deny all from 10.100.105.0/24 to me via em0
ipfw add allow all from 10.100.105.0/24 to any
ipfw add deny all from any to any

# 6000: NAT for the three VPN clients going out to the Internet
ipfw add 6000 divert natd all from 192.168.7.40 to any via ppp\*
ipfw add divert natd all from 192.168.7.100 to any via ppp\*
ipfw add divert natd all from 192.168.7.65 to any via ppp\*
ipfw add allow all from any to any
---- second script ends here ---

Some comments:
192.168.5.0/24 - my base network.
192.168.7.0/24 - my VPN network.
10.100.105.0/24 - network of our friends. We can use some of the
services there; 192.168.5.77 is the gateway between 192.168.5.0/24
and 10.100.105.0/24.

With the second script (which is logically correct for the situation)
nothing works.

What should I do?
If you need some additional info, just ask me.


-- 
With best regards,
        Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                        Systems Administrator
------------------------------------------------------------------------------


More information about the freebsd-questions mailing list