
List:       ipfilter
Subject:    Re: I seem to have to use "keep state" almost everywhere ...
From:       Yary Hluchan <yary () apicom ! com>
Date:       2001-04-27 0:05:51

It would help if you posted your ruleset, so we could point out a particular
line if there is one or two in error.

That said, I have a similar setup.  The trick is to make sure you pass
all in both directions on the internal card, and default block on your
external card.

Here's my ruleset. Note that de0 is my internal interface, and the
only "keep state" on de0 is for a particular address (x.196) that
cannot connect to any local hosts.  My local, home net uses a
10.0.0.0/8 network, the gateway/firewall/NAT machine is 10.0.0.1.

# IP filtering rules.  See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.

# Block the nasty short packets
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# ne3 = external interface, to ISP
# de0 = internal interface, to home net

# Default block in from the outside, let in from the inside
block in on ne3 from any to any head 100
block return-rst in proto tcp from any to any group 100
block return-icmp-as-dest(port-unr) in proto udp from any to any group 100
pass in on de0 from any to any

# prevent spoofing & smurf
block in quick from 10.0.0.0/8 to any group 100
block in quick from x.x.x.0/32 to any group 100
block in quick from x.x.x.195/32 to any group 100
block in quick from x.x.x.196/32 to any group 100
block in quick from x.x.x.255/32 to any group 100

# connections to the outside from us keep state
pass out on ne3 proto tcp/udp from x.x.x.195/32 to any keep state keep frags
pass out on ne3 proto icmp from x.x.x.195/32 to any keep state keep frags
pass out on ne3 proto tcp/udp from 10.0.0.0/8 to any keep state keep frags
pass out on ne3 proto icmp from 10.0.0.0/8 to any keep state keep frags

# Let the outside world speak ssh & IPSEC to us
pass in quick proto tcp from any to x.x.x.195/32 port = ssh flags S keep state group 100
pass in proto ipip from any to any group 100

# Let .195 respond to ping
pass in proto icmp from any to x.x.x.195 icmp-type echo group 100
pass in proto icmp from any to x.x.x.195 icmp-type echorep group 100

# Block windows networking
block in quick on de0 proto udp from any to !10.0.0.1/32 port 136 >< 139
block out quick on ne3 from any to any port 136 >< 139

# But hosts on our side of the bridge can initiate connections
pass in quick on de0 proto tcp/udp from x.x.x.196/32 to any keep state keep frags
pass in quick on de0 proto icmp from x.x.x.196/32 to any keep state keep frags

##### And now ipnat.rules
map ne3 10.0.0.0/8 -> 66.92.1.195/32 proxy port ftp ftp/tcp
map ne3 10.0.0.0/8 -> 66.92.1.195/32 portmap tcp/udp 10000:20000
map ne3 10.0.0.0/8 -> 66.92.1.195/32


-y

~~~~~
The Moon is Waxing Crescent (11% of Full)
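As an added example (not part of the post above and not code from the ipfilter project), here is a small Python checker for the pattern the post describes: a non-quick default block inbound on the external interface, unrestricted passing on the internal interface, and "keep state" on every outbound pass so replies come back through the state table instead of through static "pass in" holes. It understands only the subset of ipf(5) syntax used in the post. The sample ruleset is a trimmed copy of the one posted, with one constructed stateless outbound line added so the check has something to report; the interface names and the x.x.x.* placeholders are taken as they appear in the post.

```python
"""Checker for the stateful ipf(5) pattern: default block in on the external
interface, pass on the internal one, "keep state" on outbound passes.
Understands only the ipf syntax subset used in the post."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: trimmed from the posted ruleset, plus one
# deliberately weak line (marked CONSTRUCTED) that lacks "keep state".
SAMPLE_RULES = """
# Default block in from the outside, let in from the inside
block in on ne3 from any to any head 100
block return-rst in proto tcp from any to any group 100
pass in on de0 from any to any

# prevent spoofing & smurf
block in quick from 10.0.0.0/8 to any group 100

# connections to the outside from us keep state
pass out on ne3 proto tcp/udp from 10.0.0.0/8 to any keep state keep frags
pass out on ne3 proto icmp from 10.0.0.0/8 to any keep state keep frags
# CONSTRUCTED weak rule, not in the post: outbound pass without state
pass out on ne3 proto udp from 10.0.0.0/8 to any

# Let the outside world speak ssh & IPSEC to us
pass in quick proto tcp from any to x.x.x.195/32 port = ssh flags S keep state group 100
pass in proto ipip from any to any group 100

# Let .195 respond to ping
pass in proto icmp from any to x.x.x.195 icmp-type echo group 100

# hosts on our side of the bridge can initiate connections
pass in quick on de0 proto tcp/udp from x.x.x.196/32 to any keep state keep frags
"""

@dataclass
class Rule:
    action: str            # pass | block
    direction: str         # in | out
    quick: bool            # "quick": stop evaluating on match
    iface: Optional[str]   # "on <iface>", or None for any interface
    proto: Optional[str]   # "proto <proto>", or None
    keep_state: bool       # "keep state" present
    head: Optional[int]    # "head N": this rule opens group N
    group: Optional[int]   # "group N": only evaluated if head N matched
    text: str

def _opt(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_rules(config: str) -> List[Rule]:
    """Parse the rule lines, skipping comments and blank lines."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # action, then optional tokens such as "log" or "return-rst", then in/out
        direction = _opt(r"^(?:pass|block)\s+(?:\S+\s+)*?(in|out)\b", line)
        if direction is None:
            raise ValueError(f"unrecognised rule: {line}")
        head = _opt(r"\bhead\s+(\d+)", line)
        group = _opt(r"\bgroup\s+(\d+)", line)
        rules.append(Rule(
            action=line.split()[0], direction=direction,
            quick=re.search(r"\bquick\b", line) is not None,
            iface=_opt(r"\bon\s+(\S+)", line),
            proto=_opt(r"\bproto\s+(\S+)", line),
            keep_state=re.search(r"\bkeep\s+state\b", line) is not None,
            head=int(head) if head else None,
            group=int(group) if group else None, text=line))
    return rules

def audit(config: str, ext: str) -> dict:
    """Report whether the ruleset follows the pattern for external iface `ext`."""
    rules = parse_rules(config)
    # ipf is last-match-wins unless "quick", so the default block must be a
    # non-quick "block in on <ext>" that later pass rules can override.
    default_block = any(
        r.action == "block" and r.direction == "in" and r.iface == ext
        and not r.quick and "from any to any" in r.text for r in rules)
    stateless_out = [r.text for r in rules
                     if r.action == "pass" and r.direction == "out"
                     and r.iface == ext and not r.keep_state]
    # Members of a group opened by a head rule "on <ext>" carry no "on"
    # clause themselves but are only reached for that interface.
    ext_groups = {r.head for r in rules if r.head is not None and r.iface == ext}
    holes = [r for r in rules
             if r.action == "pass" and r.direction == "in"
             and (r.iface == ext or (r.iface is None and r.group in ext_groups))]
    return {
        "default_block": default_block,
        "stateless_outbound": stateless_out,
        "inbound_holes": [r.text for r in holes],
        "stateless_inbound_holes": [r.text for r in holes if not r.keep_state],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, "ne3").items():
        print(key, value)
```

On the sample, the checker confirms the default block on ne3, flags the one constructed outbound rule without "keep state", and lists the inbound passes reachable from the outside (ssh, ipip, ICMP echo); the last two are stateless by design, which is exactly the list worth reviewing when tightening a ruleset like this.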
