List: ipfilter
Subject: Re: I seem to have to use "keep state" almost everywhere ...
From: Yary Hluchan <yary () apicom ! com>
Date: 2001-04-27 0:05:51
It would help if you posted your ruleset, so we could point out a particular
line if there are one or two in error.
That said, I have a similar setup. The trick is to make sure you pass
all in both directions on the internal card, and default block on your
external card.
Here's my ruleset. Note that de0 is my internal interface, and the
only "keep state" on de0 is for a particular address (x.196) that
cannot connect to any local hosts. My local, home net uses a
10.0.0.0/8 network, the gateway/firewall/NAT machine is 10.0.0.1.
# IP filtering rules. See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
# Block the nasty short packets
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# ne3 = external interface, to ISP
# de0 = internal interface, to home net
# Default block in from the outside, let in from the inside
block in on ne3 from any to any head 100
block return-rst in proto tcp from any to any group 100
block return-icmp-as-dest(port-unr) in proto udp from any to any group 100
pass in on de0 from any to any
# prevent spoofing & smurf
block in quick from 10.0.0.0/8 to any group 100
block in quick from x.x.x.0/32 to any group 100
block in quick from x.x.x.195/32 to any group 100
block in quick from x.x.x.196/32 to any group 100
block in quick from x.x.x.255/32 to any group 100
# connections to the outside from us keep state
pass out on ne3 proto tcp/udp from x.x.x.195/32 to any keep state keep frags
pass out on ne3 proto icmp from x.x.x.195/32 to any keep state keep frags
pass out on ne3 proto tcp/udp from 10.0.0.0/8 to any keep state keep frags
pass out on ne3 proto icmp from 10.0.0.0/8 to any keep state keep frags
# Let the outside world speak ssh & IPSEC to us
pass in quick proto tcp from any to x.x.x.195/32 port = ssh flags S keep state group 100
pass in proto ipip from any to any group 100
# Let .195 respond to ping
pass in proto icmp from any to x.x.x.195 icmp-type echo group 100
pass in proto icmp from any to x.x.x.195 icmp-type echorep group 100
# Block windows networking
block in quick on de0 proto udp from any to !10.0.0.1/32 port 136 >< 139
block out quick on ne3 from any to any port 136 >< 139
# But hosts on our side of the bridge can initiate connections
pass in quick on de0 proto tcp/udp from x.x.x.196/32 to any keep state keep frags
pass in quick on de0 proto icmp from x.x.x.196/32 to any keep state keep frags
##### And now ipnat.rules
map ne3 10.0.0.0/8 -> 66.92.1.195/32 proxy port ftp ftp/tcp
map ne3 10.0.0.0/8 -> 66.92.1.195/32 portmap tcp/udp 10000:20000
map ne3 10.0.0.0/8 -> 66.92.1.195/32
-y
~~~~~
The Moon is Waxing Crescent (11% of Full)
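As an added illustration of the point made in the post (this is not part of the original message or of IPFilter itself), here is a toy Python model of how a default block in on the external interface, a plain pass in on the internal one, and keep state on the outbound rule fit together. The rule table, addresses and packet sequence are constructed, and ipf's real group, quick, flags and NAT handling is deliberately left out.

```python
import ipaddress

# Constructed, simplified rule table following the post's pattern:
# (interface, direction, action, source network, keep state). Where no rule
# matches, ipf's default verdict is pass; groups, quick, flags and NAT are left out.
RULES = [
    ("ne3", "in",  "block", "0.0.0.0/0",  False),  # block in on ne3 ... head 100
    ("de0", "in",  "pass",  "0.0.0.0/0",  False),  # pass in on de0 from any to any
    ("ne3", "out", "pass",  "10.0.0.0/8", True),   # pass out on ne3 ... keep state
]

def make_firewall():
    """Return a packet filter function with its own (initially empty) state table."""
    state = set()
    def key(p):        # interface plus the 5-tuple as the opening packet saw it
        return (p["iface"], p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    def reply_key(p):  # the entry a reply on the same interface would match
        return (p["iface"], p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def filter_packet(p):
        # The state table is checked before the rules, so replies to a
        # "keep state" connection pass even on the default-block interface.
        if key(p) in state or reply_key(p) in state:
            return "pass (state)"
        verdict = "pass"  # ipf default when nothing matches
        for iface, direction, action, net, keep in RULES:  # last match wins
            if (iface, direction) == (p["iface"], p["dir"]) and \
               ipaddress.ip_address(p["src"]) in ipaddress.ip_network(net):
                verdict = action
                if action == "pass" and keep:
                    state.add(key(p))
        return verdict

    return filter_packet

def pkt(iface, direction, src, sport, dst, dport, proto="tcp"):
    return {"iface": iface, "dir": direction, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def trace(fw, packets):
    # Run packets through the filter in order and return the verdicts.
    return [fw(p) for p in packets]

# A LAN host opening a web connection (NAT ignored): in on de0, out on ne3, the
# reply in on ne3 and then out on de0, where no rule exists at all.
OUTBOUND = [pkt("de0", "in",  "10.0.0.5", 40000, "198.51.100.7", 80),
            pkt("ne3", "out", "10.0.0.5", 40000, "198.51.100.7", 80),
            pkt("ne3", "in",  "198.51.100.7", 80, "10.0.0.5", 40000),
            pkt("de0", "out", "198.51.100.7", 80, "10.0.0.5", 40000)]
# Unsolicited connection attempt from the Internet to the same LAN host.
UNSOLICITED = [pkt("ne3", "in", "203.0.113.9", 51000, "10.0.0.5", 22)]
```

Running `trace(make_firewall(), OUTBOUND)` gives pass, pass, pass (state), pass, while the same reply packet against a fresh filter with no state is blocked by the head 100 rule, which is exactly why keep state is only needed on the outbound rules of the external interface.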