2 questions about ipfw
From: Ilya (mail@krel.org)
Date: 10/02/01
- Next message: Vladislav Timofeev: "Need an advice..."
- Previous message: Crist J. Clark: "Re: ipfw logging complete packets"
- In reply to: Crist J. Clark: "Re: ipfw logging complete packets"
- Next in thread: Crist J. Clark: "Re: 2 questions about ipfw"
- Reply: Crist J. Clark: "Re: 2 questions about ipfw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ilya" <mail@krel.org> To: <security@FreeBSD.ORG> Date: Mon, 1 Oct 2001 20:01:21 -0400
I have a FreeBSD natd box with two interfaces (external ed0 and internal
fxp0). I found a dynamic ipfw example by Peter Brezny, and it seems to work
pretty well, except that nothing gets to rule number 2700. But if I move
that rule before the divert, the whole LAN loses its connection to the Internet. And any
place after that gets 0 hits. Any suggestions on how to make this ruleset
more efficient/secure?
Thank you.
PS: thank you, Peter, for providing your ruleset to the public.
ipfw show|more
00100 7466 518126 allow ip from any to any via lo0
00200 0 0 deny log logamount 200 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 200 ip from 192.168.0.0/24 to any in recv ed0
00400 0 0 deny log logamount 200 ip from not 192.168.0.0/24 to any in recv fxp0
00500 0 0 deny log logamount 200 ip from 192.168.0.0/16 to any in recv ed0
00600 0 0 deny log logamount 200 ip from 172.16.0.0/12 to any in recv ed0
00700 0 0 deny log logamount 200 ip from 10.0.0.0/8 to any in recv ed0
00800 0 0 deny log logamount 200 ip from any to 192.168.0.0/16 in recv ed0
00900 0 0 deny log logamount 200 ip from any to 172.16.0.0/12 in recv ed0
01000 0 0 deny log logamount 200 ip from any to 10.0.0.0/8 in recv ed0
01100 0 0 deny log logamount 200 ip from 0.0.0.0/8 to any in recv ed0
01200 0 0 deny log logamount 200 ip from 169.254.0.0/16 to any in recv ed0
01300 0 0 deny log logamount 200 ip from 192.0.2.0/24 to any in recv ed0
01400 0 0 deny log logamount 200 ip from 224.0.0.0/4 to any in recv ed0
01500 0 0 deny log logamount 200 ip from 240.0.0.0/4 to any in recv ed0
01600 0 0 deny log logamount 200 ip from any to 0.0.0.0/8 in recv ed0
01700 0 0 deny log logamount 200 ip from any to 169.254.0.0/16 in recv ed0
01800 0 0 deny log logamount 200 ip from any to 192.0.2.0/24 in recv ed0
01900 0 0 deny log logamount 200 ip from any to 224.0.0.0/4 in recv ed0
02000 0 0 deny log logamount 200 ip from any to 240.0.0.0/4 in recv ed0
02100 427386 189325029 divert 8668 ip from any to any via ed0
02200 390818 343974531 allow tcp from any to any established
02300 34 1808 allow tcp from any to $myexternalip 22,80,443,25 setup
02400 3438 192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
02500 1 58 allow udp from any 53 to $myexternalip 53
02600 55 3365 allow udp from any 1024-65535 to $myexternalip
02700 0 0 check-state
02800 177231 9731222 allow ip from $myexternalip to any keep-state out xmit ed0
02900 290474 27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
65534 56 3788 deny log logamount 200 ip from any to any in recv ed0
65535 56 18207 allow ip from any to any
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
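The question above is about reading `ipfw show` counters: which rules never fire, which earlier rules absorb traffic under first-match evaluation, and what the default rule 65535 does. The following is an added example, not part of the thread and not Peter Brezny's or the poster's code. It parses a constructed sample in the same shape as the posted output (counters are packets then bytes; wrapped continuation lines are rejoined), lists zero-hit rules, shows the earlier rules with hits that run before a given rule, and reports the default policy from rule 65535. Function and field names are the example's own.

```python
import re

# Constructed sample in the shape of the `ipfw show` output quoted above.
# Counters are packets then bytes. Lines that do not start with a five-digit
# rule number are terminal wrapping of the previous rule, not new rules.
SAMPLE_IPFW_SHOW = """\
00100 7466 518126 allow ip from any to any via lo0
00300 0 0 deny log logamount 200 ip from 192.168.0.0/24 to any
in recv ed0
02100 427386 189325029 divert 8668 ip from any to any via ed0
02200 390818 343974531 allow tcp from any to any established
02700 0 0 check-state
02800 177231 9731222 allow ip from $myexternalip to any keep-state out
xmit ed0
65534 56 3788 deny log logamount 200 ip from any to any in recv ed0
65535 56 18207 allow ip from any to any
"""

# rule number, packet counter, byte counter, rest of the rule body
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_show(text):
    """Parse `ipfw show` output into a list of dicts with keys
    num, pkts, bytes, body. Continuation lines are appended to the
    body of the rule that precedes them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "num": int(m.group(1)),
                "pkts": int(m.group(2)),
                "bytes": int(m.group(3)),
                "body": m.group(4).strip(),
            })
        elif rules and line.strip():
            rules[-1]["body"] += " " + line.strip()
    return rules


def unreached_rules(rules):
    """Rule numbers whose packet counter is zero: candidates to check
    for being shadowed by an earlier match."""
    return [r["num"] for r in rules if r["pkts"] == 0]


def rules_before(rules, target_num):
    """Rules numbered below `target_num` that have matched packets.
    Under ipfw first-match evaluation these are the rules that can
    absorb traffic before it ever reaches `target_num`."""
    return [r for r in rules if r["num"] < target_num and r["pkts"] > 0]


def default_policy(rules):
    """Policy of the default rule 65535 ("allow" or "deny"), or None if
    the listing does not include it."""
    for r in rules:
        if r["num"] == 65535:
            return "allow" if r["body"].split()[0] == "allow" else "deny"
    return None


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    print("zero-hit rules:", unreached_rules(parsed))
    for r in rules_before(parsed, 2700):
        print("matched before 2700:", r["num"], r["pkts"], r["body"])
    print("default policy:", default_policy(parsed))
```

Run against the real `ipfw show` output (`ipfw show | python3 thisfile.py` with the sample replaced by `sys.stdin.read()`), the zero-hit list and the list of earlier matching rules are the two things to look at when a rule such as 2700 shows no hits; the default-policy check tells you whether a packet that falls off the end of the ruleset is accepted or dropped.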