Please check my IPFW ruleset

Thu, 01 Nov 2007 21:37:45 -0800

I'm making some ipfw rules, and I would appreciate if someone could check these for me.
My intention is to create a replacement for a hardware router, which basically works by allowing all outbound traffic, blocking all unauthorized/unrequested inbound traffic, and has a setting (the so called DMZ) to redirect all the unauthorized/unrequested packets to a local computer. Plus I want to add something like remote telnet/ssh capabilities to override the DMZ. 

::::::::::::::::::::| ipfw.rules |::::::::::::::::::::
#!/bin/sh

dns="195.228.240.249,195.228.242.180"
lan="192.168.123.0/24"
ext="tun0"
int="rl0"

ipfw="ipfw -q"
add="$ipfw add"
allow="$add allow"
block="$add deny"
nat="$add divert natd"
check="$add check-state"
pipe="$add pipe"

fa="from any"
ta="to any"
fata="$fa $ta"
reserved="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3"

########################################

$ipfw -f flush

$allow all $fata via lo0
$allow all $fata via $int

##### INBOUND #####

$block all $fa to $reserved in via $ext # ISP fuckup?

$nat all $fata in via $ext
$check

$block all $fata frag in via $ext
$block tcp $fata established in via $ext
$block all from $reserved in via $ext

# :: DEFINE SOME INBOUND SERVICES HERE ::
#$allow tcp $fa to me 80 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 22 in via $ext setup limit src-addr 4
#$allow tcp $fa to me 23 in via $ext setup limit src-addr 4

$block all $fata in via $ext

##### OUTBOUND #####

# :: DEFINE SOME RESTRICTIONS HERE ? ::

$nat tcp $fata out via $ext setup keep-state
$nat all $fata out via $ext keep-state
$allow all $fata out via $ext

$block $fata

::::::::::::::::::::| eof ipfw.rules |::::::::::::::::::::

OK, questions...

# ISP fuckup? - does it make sense to defend against my ISP hacking me?

What does "divert natd" actually do? Does it only change the IP header?

Can I move the three lines
    $block all $fata frag in via $ext
    $block tcp $fata established in via $ext
    $block all from $reserved in via $ext
to ahead of
    $nat all $fata in via $ext ?

I'm curious about this one:
    $nat tcp $fata out via $ext setup keep-state
    $nat all $fata out via $ext keep-state
    $allow all $fata out via $ext

For an outbound packet, rules should be keep-state, divert, allow, in 
this order, as far as I know. What about these lines?



Uhm, ed0 is my network card doing PPPoE. How do I allow it to do PPPoE 
traffic only?


Did I miss anything?


Some other IPFW questions:
deny ip == deny all?

Why do I have to write "from any to any" all the time, when it just 
means "independently of source and destination"? Why can't I write just 
"drop all"?



Thank you very very much in advance :)
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"






















					Reply via email to