Problem med regler i ipfw, FreeBSD
PROBLEM LÖST! SE LÖSNING NEDAN
Hej!
Sitter och bråkar lite med min brandvägg, får inte till reglerna verkar det som.
Kör FreeBSD på en Ultra 5:a. (Sparc64).
Har kompilerat in följande i kärnan:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
Från /etc/ipfw.rules:
IPF="ipfw -q add"
ipfw -q -f flush
#nat
$IPF 10 divert natd all from any to any
#loopback
$IPF 15 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ssh (2222)
# http (80), dns (53)
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 2222 in
# deny and log everything
$IPF 500 deny log all from any to any
Med dessa regler blir allt blockat. Inklusive det jag har öppnat. Men om jag lägger in en "allow all" först, så funkar det (fast då blir allt öppet). NAT:en funkar dock oavsett.
Testade även med tvärtom, att ha "default to deny" i kärnan och då är det likadant. Jag måste ha en "allow all" för att det ska funka.
Har saxat det mesta från en guide jag hittat, och anpassat reglerna lite. Är det något kolossalt jag har missat? Blir inte helt klok på detta.
Tacksam för svar!
LÖSNING:
Fick eminent hjälp i kanalen #freebsd.se på efnet. Testade med ett annat exempel jag hittade och nu funkar alla mina regler och NAT. Mina regler ut så här:
# Set this to your ip address.
ip="x.x.x.x"
fwcmd="ipfw"
ipfw -q -f flush
#NAT
${fwcmd} add divert natd all from any to any
# Allow anything outbound from this address.
${fwcmd} add allow all from ${ip} to any out
# Deny anything outbound from other addresses.
# Allow TCP through if setup succeeded.
${fwcmd} add allow tcp from any to any established
# Allow IP fragments to pass through.
${fwcmd} add allow all from any to any frag
# Allow all IPv6 packets through - they are handled by the separate
# ipv6 firewall rules in rc.firewall6.
${fwcmd} add allow ipv6 from any to any
# Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps,
# pop3, pop3s.
${fwcmd} add allow tcp from any to ${ip} 2222 setup
${fwcmd} add allow tcp from any to ${ip} 53 setup
${fwcmd} add allow tcp from any to 192.168.1.3 80 setup
# Deny some chatty UDP broadcast protocols without logging.
${fwcmd} add deny udp from any 137 to any
${fwcmd} add deny udp from any to any 137
${fwcmd} add deny udp from any 138 to any
${fwcmd} add deny udp from any 513 to any
${fwcmd} add deny udp from any 525 to any
# Allow inbound DNS and NTP replies. This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fwcmd} add allow udp from any 53 to ${ip}
${fwcmd} add allow udp from any 123 to ${ip}
# Allow inbound DNS queries.
${fwcmd} add allow udp from any to ${ip} 53
# Allow inbound NTP queries.
${fwcmd} add allow udp from any to ${ip} 123
# Allow traceroute to function, but not to get in.
${fwcmd} add unreach port udp from any to ${ip} 33435-33524
# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11
# Everything else is denied and logged.
${fwcmd} add deny log all from any to any
