IPFW Rules and Games

Jack Barnett jackbarnett at gmail.com
Fri Nov 2 03:25:08 PDT 2007


Lots of people play games here and it's basically a pain to keep trying to 
get these stupid things to work with individual rules for each.

I'm running FreeBSD 6.x with IPFW/natd

I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx

The setup is this:
192.168.17.x  <--> 192.168.17.1 <[FreeBSD]> Dynamic IP <--> {Random Game Server on the Internets}
[Internet Network(GAME)] <--> [FreeBSD] <--> {Internets}

There are a bunch of games that send out TCP/UDP packets (and who knows 
what else) on different ports to different destinations and then
receive data back on "random" ports.  Basically, anything on any 
protocol from the internal network should be able to establish and setup 
connections out AND be allowed to receive data back from whomever they 
connected out to; but "random" hosts trying to connect in should be blocked.

I added this for a temporary fix:
    ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?

I've tried these per the docs:

    ${fwcmd} add allow all from any to any out via ${iip} setup
    ${fwcmd} add allow all from any to any out via ${iip} established
    ${fwcmd} add allow all from any to any in via ${iip} established

and also a bunch of others; but none of them worked.

Here is my full config:
# simple
[Ss][Ii][Mm][Pp][Ll][Ee])
        ############
        # This is a prototype setup for a simple firewall.  Configure this
        # machine as a DNS and NTP server, and point all the machines
        # on the inside at this machine for those services.
        ############

        # set these to your outside interface network and netmask and ip
        oif="xl0"
        onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'`
        omask="0xfffffe00"
        oip=`ifconfig xl0 | grep "inet " | awk '{print $2}'`

        # set these to your inside interface network and netmask and ip
        iif="dc1"
        inet="192.168.17.0"
        imask="0xffffff00"
        iip="192.168.17.1"

        setup_loopback

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # Network Address Translation.  This rule is placed here deliberately
        # so that it does not interfere with the surrounding address-checking
        # rules.  If for example one of your internal LAN machines had its IP
        # address set to 192.0.2.1 then an incoming packet for it after being
        # translated by natd(8) would match the `deny' rule above.  Similarly
        # an outgoing packet originated from it before being translated would
        # match the `deny' rule below.
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        # Allow internal traffic
        ${fwcmd} add allow all from any to any via ${iif}
        # Allow all local traffic
        ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}

        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        #${fwcmd} add pass tcp from any to ${oip} 25 setup
        #${fwcmd} add pass tcp from any to ${iip} 25 setup
        ${fwcmd} add pass tcp from any to any 25 setup

        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${iip} 53 setup
        ${fwcmd} add pass udp from any to ${iip} 53
        ${fwcmd} add pass udp from ${iip} 53 to any

        #${fwcmd} add pass tcp from ${inet}:${imask} to ${oip} 53 setup
        #${fwcmd} add pass udp from ${inet}:${imask} to ${oip} 53
        #${fwcmd} add pass udp from ${oip} 53 to ${inet}:${imask}

        # SMB - Samba
        #${fwcmd} add pass tcp from any to ${iip} 137
        #${fwcmd} add pass udp from any to ${iip} 137
        #${fwcmd} add pass tcp from any to ${iip} 138
        #${fwcmd} add pass udp from any to ${iip} 138
        #${fwcmd} add pass udp from any to ${iip} 791

        # Allow access to our WWW
        #${fwcmd} add pass tcp from any to ${oip} 80 setup
        ${fwcmd} add pass tcp from any to any 80 setup

        ${fwcmd} add pass tcp from any to ${iip} 888 setup

        # Allow access to our SSH
        #${fwcmd} add pass tcp from any to ${oip} 22 setup
        ${fwcmd} add pass tcp from any to any 22 setup

        # Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        # Allow DNS queries out in the world
        #${fwcmd} add pass udp from ${oip} to any 53 keep-state
        ${fwcmd} add pass udp from any to any 53 keep-state

        # Allow NTP queries out in the world
        #${fwcmd} add pass udp from ${oip} to any 123 keep-state
        ${fwcmd} add pass udp from any to any 123 keep-state

        # NWN/NWN2 Client
        #http://nwn2forums.bioware.com/forums/viewtopic.html?topic=507894&forum=116&sp=30
        #http://nwn.bioware.com/forums/viewtopic.html?topic=387975&forum=56&sp=135

        #add 123 allow udp from any to 1.2.3.4 5120-5300,6500,6667,27900,28900

        #UDP 5120 - Outbound and Inbound packets
        #UDP 2485 - Outbound and Inbound packets

        #TCP 2486 - Outbound and Inbound packets
        #TCP 2487 - Outbound and Inbound packets
        #TCP 2488 - Outbound and Inbound packets

        #UDP 2489 - Outbound and Inbound packets
        #TCP 28910 - Server port
        #UDP 5121 - Server port
        #UDP 5122 - Server port
        #UDP 27900 - Server port
        #UDP 50643 - Server port
        #UDP 6121 - Server port

        # not working.
        #add allow all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
        #add pass all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
        #add allow all from any to any 5120-5300,6500,6667,27900,28900

        #allow outbound setup connections
        # not working.  
        #${fwcmd} add allow tcp from any to any out via ${iip} setup
        #allow in and outbound established connections
        #${fwcmd} add allow tcp from any to any out via ${iip} established
        #${fwcmd} add allow tcp from any to any in via ${iip} established

        ${fwcmd} add pass all from any to any

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;
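The behaviour asked for above (any outbound connection from the LAN is allowed and its return traffic admitted, unsolicited inbound is dropped) is what IPFW dynamic rules do; the catch with natd is that a keep-state entry must be created before outbound NAT and consulted after inbound un-NAT, which the skipto pattern below arranges. This is an added example, not the poster's rc.firewall; interface names, rule numbers and the dry-run `fwcmd` default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): stateful IPFW + natd ruleset.
# Set fwcmd="/sbin/ipfw" to load for real; the default only prints the rules.
fwcmd="${fwcmd:-echo ipfw}"
oif="xl0"                 # outside interface (dynamic IP), assumed name
iif="dc1"                 # inside interface, assumed name
inet="192.168.17.0/24"    # LAN as in the post

stateful_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    # LAN side is trusted; packets are re-checked when they leave via ${oif}
    ${fwcmd} add 110 allow ip from any to any via ${iif}
    # anti-spoof: LAN addresses never arrive on the outside interface
    ${fwcmd} add 200 deny log ip from ${inet} to any in via ${oif}
    # inbound: un-NAT first, so a reply carries its LAN address at check-state
    ${fwcmd} add 300 divert natd ip from any to any in via ${oif}
    # matches dynamic entries; the parent rule's action (skipto/allow) is applied
    ${fwcmd} add 310 check-state
    # outbound from the LAN: record the flow (any port), then jump to NAT
    ${fwcmd} add 400 skipto 1000 tcp from ${inet} to any out via ${oif} setup keep-state
    ${fwcmd} add 410 skipto 1000 udp from ${inet} to any out via ${oif} keep-state
    ${fwcmd} add 420 skipto 1000 icmp from ${inet} to any out via ${oif} keep-state
    # the firewall's own traffic (DNS/NTP lookups etc.) needs no NAT
    ${fwcmd} add 430 allow ip from me to any out via ${oif} keep-state
    # services hosted on the firewall itself, e.g. ssh
    ${fwcmd} add 500 allow tcp from any to me 22 in via ${oif} setup keep-state
    # everything unsolicited from the outside is logged and dropped
    ${fwcmd} add 900 deny log ip from any to any in via ${oif}
    ${fwcmd} add 910 deny log ip from any to any
    # 1000: translate packets already approved by the keep-state rules above;
    # replies matched at check-state also land here and are allowed by 1010
    ${fwcmd} add 1000 divert natd ip from any to any out via ${oif}
    ${fwcmd} add 1010 allow ip from any to any
}

stateful_rules
```

A dynamic entry only admits traffic from the host and port the LAN client actually contacted, so a game that expects unrelated hosts to connect to a client port still needs an explicit natd redirect_port plus a matching allow rule. Run with `fwcmd="echo ipfw"` first and compare the printed order against `ipfw show` before loading it.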