IPFW: DMZ and LAN question

From: Bengt Thuree (XXbengtXX@AAzag.att.ne.jpBB)
Date: 09/22/02

Hi,

I have just installed FreeBSD on a desktop with three NIC cards.
I have configured one of them to run PPPoE and for the other two cards
I will have a DMZ (web server) and my local LAN.

I am trying to configure my firewall for this, and I am having some
problems...
I was thinking of using the check-state/keep-state advanced stateful rules.

I have managed more or less to get it to work...
But my question is how to configure it for the best result.

For instance, FTP.
Here I want my LAN to be able to FTP to my DMZ, but not the other way
around.
Also, both the LAN and the DMZ should be able to FTP to the internet.
Do I need three distinct rules for this? (* two for two ports)

Can I have a general rule that states my local LAN can access everything on
the DMZ?

The rule below does not seem to work.
ipfw add 00181 allow all from any to any via ${iifLAN} keep-state

So I end up having to do something like this:
# FTP control and passive data ports out to the internet
ipfw add 00375 allow log tcp from any to any 21 out via ${oif} setup keep-state
ipfw add 00376 allow log tcp from any to any 10000-65000 out via ${oif} setup keep-state
# firewall host itself to the DMZ
ipfw add 00379 allow tcp from me to ${DMZ} 21 out via ${iifDMZ} setup keep-state
ipfw add 00380 allow tcp from me to ${DMZ} 10000-65000 out via ${iifDMZ} setup keep-state
# LAN to DMZ, matched on the outbound pass through the DMZ interface
ipfw add 00381 allow tcp from ${LAN} to ${DMZ} 21 out via ${iifDMZ} setup keep-state
ipfw add 00382 allow tcp from ${LAN} to ${DMZ} 10000-65000 out via ${iifDMZ} setup keep-state
# LAN to DMZ, matched on the inbound pass through the LAN interface
ipfw add 00383 allow tcp from ${LAN} to ${DMZ} 21 in via ${iifLAN} setup keep-state
ipfw add 00384 allow tcp from ${LAN} to ${DMZ} 10000-65000 in via ${iifLAN} setup keep-state

My problem seems to be that if the OUT part is ok, then the firewall is
blocking the IN part.
In IPTABLES I could specify IN and OUT in the same rule; would this work in
IPFW, or what is recommended?

Thanks in advance

/Bengt
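An added example, not from Bengt's post: a stateful ipfw ruleset for the PPPoE/DMZ/LAN layout he describes, emitted as text so it can be reviewed and policy-checked before it is loaded. It relies on a leading check-state rule so that one keep-state rule per permitted direction, matched on the interface the first SYN arrives on, also covers the same packet's outbound pass and every later packet of the session. Interface names, networks and the port-80 web rule are assumed placeholders; the 10000-65000 passive range is from the post.

```shell
#!/bin/sh
# Added example (not the original poster's rules). Placeholders, adjust to taste.
oif="tun0"       # PPPoE interface (assumed)
iifLAN="fxp0"    # LAN interface (assumed)
iifDMZ="fxp1"    # DMZ interface (assumed)
LAN="192.168.1.0/24"    # constructed
DMZ="192.168.2.0/24"    # constructed
PASV="10000-65000"      # passive-FTP data port range from the post

# Rules in rule-number order. check-state first: the dynamic rule created by a
# keep-state match on the inbound interface also matches the outbound pass, so
# no second "out via" rule is needed. The DMZ->LAN deny sits before the
# DMZ->any allow, otherwise "any" would include the LAN.
ipfw_rules() {
    cat <<EOF
add 00100 check-state
add 00200 allow tcp from ${LAN} to ${DMZ} 21,${PASV} in via ${iifLAN} setup keep-state
add 00210 allow tcp from ${LAN} to any 21,${PASV} in via ${iifLAN} setup keep-state
add 00220 deny log ip from ${DMZ} to ${LAN} in via ${iifDMZ}
add 00230 allow tcp from ${DMZ} to any 21,${PASV} in via ${iifDMZ} setup keep-state
add 00300 allow tcp from any to ${DMZ} 80 in via ${oif} setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Policy invariant: no allow rule may let a DMZ source open a session toward
# the LAN unless a DMZ->LAN deny precedes it. Prints "ok" and returns 0 if so.
policy_check() {
    rules=$(ipfw_rules)
    deny_at=$(printf '%s\n' "$rules" |
        grep -nE "^add [0-9]+ deny .* from ${DMZ} to ${LAN}" | head -n 1 | cut -d: -f1)
    allow_at=$(printf '%s\n' "$rules" |
        grep -nE "^add [0-9]+ allow .* from ${DMZ} to (${LAN}|any)" | head -n 1 | cut -d: -f1)
    if [ -n "$allow_at" ] && { [ -z "$deny_at" ] || [ "$deny_at" -gt "$allow_at" ]; }; then
        echo "violation: DMZ may initiate sessions to the LAN"
        return 1
    fi
    echo ok
}

# Load only after the check passes (ipfw itself exists only on FreeBSD).
load_rules() {
    policy_check >/dev/null || return 1
    tmp=$(mktemp) || return 1
    ipfw_rules >"$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `load_rules` from a root shell on the firewall; `policy_check` alone is safe anywhere and is what to run after every edit to the ruleset.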
