
List:       ipfilter
Subject:    Re: Setting up my firewall
From:       Manuel Kasper <mk () neon1 ! net>
Date:       2002-12-28 15:00:32

On 28.12.2002 14:39, "Sam Carleton" <sam@linux-info.net> wrote:

> The problem is that a nslookup connection from the server to
> the Internet,  fails.

Ugh, then there must be another problem... I can't see why nslookup should
fail with your original ruleset.

> If I am understanding you correctly, you are saying that the
> problem with what I had was the presence of:
> 
> block in log quick on ex1 all
> block out log quick on ex1
> 
> Correct?

These rules prevented any connection from Private -> Server, but they didn't
interfere with Server -> RoadRunner server connections.

> The only correction I want to make in the policy you stated is
> that I want the Private -> Server to have the same rules as
> External -> Server.

OK, let's see... I usually set up as many rules as possible with keep state,
so I only have to make rules for incoming packets (as seen from the
firewall's perspective) and have the state table take care of the
corresponding outbound packets. It's also much more secure that way (IMHO).

Try the following ruleset:

---
# allow localhost traffic
pass in quick on lo0
pass out quick on lo0

# allow everything from private to NOT server
pass in quick on ex0 from any to ! 172.16.0.2/32 keep state

# allow ftp, ssh, smtp, and http from ex0 to server
pass in quick on ex0 from any to 172.16.0.2/32 port = 21 keep state
pass in quick on ex0 from any to 172.16.0.2/32 port = 22 keep state
pass in quick on ex0 from any to 172.16.0.2/32 port = 25 keep state
pass in quick on ex0 from any to 172.16.0.2/32 port = 80 keep state

# allow connections from server to RoadRunner's mail servers
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.7.36/32 port = 25 flags S keep state
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.7.37/32 port = 25 flags S keep state
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.7.38/32 port = 25 flags S keep state

# allow connections from server to RoadRunner's DNS servers
pass in quick on ex1 proto udp from 172.16.0.2/32 to 65.24.0.167/32 port = 53 keep state
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.0.167/32 port = 53 flags S keep state
pass in quick on ex1 proto udp from 172.16.0.2/32 to 65.24.0.169/32 port = 53 keep state
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.0.169/32 port = 53 flags S keep state
pass in quick on ex1 proto udp from 172.16.0.2/32 to 65.24.0.171/32 port = 53 keep state
pass in quick on ex1 proto tcp from 172.16.0.2/32 to 65.24.0.171/32 port = 53 flags S keep state

# allow ftp, ssh, smtp, and http from external to server
pass in quick on iy0 from any to 172.16.0.2/32 port = 21 keep state
pass in quick on iy0 from any to 172.16.0.2/32 port = 22 keep state
pass in quick on iy0 from any to 172.16.0.2/32 port = 25 keep state
pass in quick on iy0 from any to 172.16.0.2/32 port = 80 keep state

# block everything else
block in log quick all
block out log quick all
---

Try this ruleset and tell me if it works. If it doesn't, we'll need some
more information on the configuration of the firewall (ifconfig).

Things left to do with this ruleset:
- the ruleset could be improved by using group/head rules.
- the classic passive-FTP-server-behind-firewall problem needs to be solved

I know that the rule with "NOT server" is a bit cumbersome, but I still
think it's better to only filter on inbound packets and use keep state.

What I'd love to see in ipfilter is some way to specify "all addresses
associated with interface x". That and something like 'me' in ipfw to
specify a packet destined for the local (firewall) host would be really
cool.

Greets,

Manuel
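Added example, not part of the message above or of ipfilter: a small Python model of ipf's first-match-on-quick evaluation, run over a constructed subset of Manuel's ruleset, so the "NOT server" rule and the catch-all block can be checked against sample traffic before the rules go on a box. State tracking and TCP flags are ignored, and the hosts 172.16.0.10 and 198.51.100.7 are made-up.

```python
import ipaddress

# Constructed subset of the ruleset in the message; wrapped lines are joined,
# since ipf has no line continuation. "flags S" and "keep state" are ignored.
RULES = [
    "pass in quick on ex0 from any to ! 172.16.0.2/32 keep state",
    "pass in quick on ex0 from any to 172.16.0.2/32 port = 22 keep state",
    "pass in quick on ex1 proto udp from 172.16.0.2/32 to 65.24.0.167/32 port = 53 keep state",
    "pass in quick on iy0 from any to 172.16.0.2/32 port = 22 keep state",
    "block in log quick all",
    "block out log quick all",
]

def parse_rule(line):
    # Reduced ipf grammar: action dir [log] [quick] [on if] [proto p] [from a] [to [!] a] [port = n]
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "neg": False, "port": None}
    for i, w in enumerate(t):
        if w == "on": r["iface"] = t[i + 1]
        elif w == "proto": r["proto"] = t[i + 1]
        elif w == "from": r["src"] = t[i + 1]
        elif w == "to": r["neg"] = t[i + 1] == "!"; r["dst"] = t[i + 2] if r["neg"] else t[i + 1]
        elif w == "port": r["port"] = int(t[i + 2])  # written as "port = N"
    return r

def _in(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]): return False
    if r["proto"] and r["proto"] != p["proto"]: return False
    if not _in(r["src"], p["src"]) or _in(r["dst"], p["dst"]) == r["neg"]: return False  # "to !" negates
    if r["port"] is not None and (p["proto"] not in ("tcp", "udp") or p["dport"] != r["port"]): return False
    return True

def decide(rules, p):
    # ipf semantics: the first matching "quick" rule wins, otherwise the last match; no match means pass
    verdict = "pass"
    for r in rules:
        if matches(r, p):
            verdict = r["action"]
            if r["quick"]: break
    return verdict

# Constructed test traffic as (dir, iface, proto, src, dst, dport)
TRAFFIC = {
    "server_nslookup_udp": ("in", "ex1", "udp", "172.16.0.2", "65.24.0.167", 53),
    "private_ssh_to_server": ("in", "ex0", "tcp", "172.16.0.10", "172.16.0.2", 22),
    "private_telnet_to_server": ("in", "ex0", "tcp", "172.16.0.10", "172.16.0.2", 23),
    "private_to_internet": ("in", "ex0", "tcp", "172.16.0.10", "198.51.100.7", 443),
    "server_to_unlisted_dns": ("in", "ex1", "udp", "172.16.0.2", "198.51.100.7", 53),
}

def check_policy(rules=RULES, traffic=TRAFFIC):
    keys, parsed = ("dir", "iface", "proto", "src", "dst", "dport"), [parse_rule(l) for l in rules]
    return {name: decide(parsed, dict(zip(keys, v))) for name, v in traffic.items()}
```

Running check_policy() shows the private LAN reaching the Internet and the server's DNS query passing, while telnet to the server and DNS to an unlisted resolver fall through to the logged block.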
