
List:       ipfilter
Subject:    ruleset question
From:       zhamrock <zhamrock () thepentagon ! com>
Date:       2001-06-27 8:05:15

Hi,
	Here is the scenario. The router is running FreeBSD 4.3 with IP Filter 3.4.16.


The router has 3 interfaces:

xl0 is connected to our external network 20.20.20.0/26
xl1 is connected to our "DMZ" network 20.20.20.64/26
xl2 is connected to our protected network 20.20.20.128/25

on router:

allow ping to router and all servers on dmz
allow traceroute to router
allow dns server to router
block all the rest of the traffic

on DMZ network:

allow web server 
allow ftp server 
allow smtp server
allow pop3 server
block all the rest of the traffic

on protected network:

block irc,icq
allow all tcp,udp,icmp traffic


pass in quick on xl0 proto tcp from any to 20.20.20.1/32 port = 53 flags S keep state
pass in quick on xl0 proto udp from any to 20.20.20.1/32 port = 53 keep state
block in log on xl0 proto tcp from any to any port = 6667
block in log on xl0 proto tcp from any to any port = 4000

pass out on xl0 all

pass in quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state
pass in quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state
pass in quick on xl1 proto tcp from any to 20.20.20.64/26 port = 25 flags S keep state
pass in quick on xl1 proto tcp from any to 20.20.20.65/32 port = 110 flags S keep state

block out on xl1 all
pass out quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state
block out on xl2 all
pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state
pass in quick on xl2 proto icmp from 20.20.20.128/25 to any keep state


This ruleset is not working. Can someone modify this to fit my needs? 

Million thanks in advance.

Thanks,

zham
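
An added illustration, not part of the post and not ipfilter's own code: a toy Python model of ipfilter's rule matching, run over a subset of the rules quoted above (flags, keep state and log are ignored). It follows ipfilter's documented order, where the last matching rule wins, a matching `quick` rule ends evaluation, a packet matching no rule is passed, and `in`/`out` are relative to the router's own interface; the client address 198.51.100.7 is a constructed sample.

```python
import ipaddress

# Constructed subset of the ruleset quoted in the post, one rule per line.
RULES = """
pass in quick on xl0 proto tcp from any to 20.20.20.1/32 port = 53
block in log on xl0 proto tcp from any to any port = 6667
pass out on xl0 all
pass in quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80
block out on xl1 all
pass out quick on xl1 proto tcp/udp from 20.20.20.64/26 to any
"""

def parse_rule(line):
    """Parse the ipf keywords used above; flags / keep state / log are ignored."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": t[t.index("on") + 1], "proto": ["any"],
         "src": "any", "dst": "any", "port": None}
    if "proto" in t:
        r["proto"] = t[t.index("proto") + 1].split("/")  # "tcp/udp" -> both
    if "from" in t:
        r["src"], r["dst"] = t[t.index("from") + 1], t[t.index("to") + 1]
    if "port" in t:
        r["port"] = int(t[t.index("port") + 2])  # syntax is "port = N"
    return r

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] == pkt["iface"]
            and (r["proto"] == ["any"] or pkt["proto"] in r["proto"])
            and in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and (r["port"] is None or r["port"] == pkt["dport"]))

def evaluate(rules, pkt):
    """Last matching rule wins; a matching 'quick' rule ends evaluation; no match passes."""
    verdict = "pass"
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def trace_web_request(rules):
    """Internet client (constructed src) -> DMZ web server 20.20.20.65:80: in on xl0, then out on xl1."""
    pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": "20.20.20.65", "dport": 80}
    return (evaluate(rules, dict(pkt, dir="in", iface="xl0")),
            evaluate(rules, dict(pkt, dir="out", iface="xl1")))

RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]
```

The trace returns ("pass", "block"): the request is passed in on xl0 because nothing there matches it, and is then caught by "block out on xl1 all", since the "pass in ... on xl1" rules only see packets entering the router from the DMZ side.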