On Wed, Nov 18, 1998 at 06:14:57AM -0600, Anthony Landreneau wrote:
> Greetings,
> Looking for a little help with ipfwadm. Got a good machine running 2.0,
> two nics and the system is passing traffic wonderfully. Now I would like
> to put in packet filtering. IPFW sounds as though it will fit the bill.

Right.

> The HOWTO regarding IPFW suggests a script, which I have written and is
> below. The problem, when I execute the script nothing comes in, nothing
> goes out, the perfect firewall. The bad news is I need some traffic to
> pass. The network behind the firewall is a subnet of a class B network with
> 255 addresses. If you have any insight on why I might be running into
> trouble, or if you have suggestions, I would love to hear from you.
>
> #!/bin/sh
> # Setup IP packet Accounting and Forwarding
> #
> #
> # By Default DENY ALL services first
> ipfwadm -F -p deny

This sounds okay :)

> #
> # Flush all Commands
> ipfwadm -F -f
> ipfwadm -I -f
> ipfwadm -O -f
> #
> # Allow email to NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.13

Okay, time to explain :)

-F:        Forward firewall
-a accept: Add rule to ACCEPT matching packets
-b:        Bidirectional. Means that the reverse path is also allowed.
           This way your machine can answer to such a connection.
           Otherwise this would be pretty useless...
-P tcp:    Protocol TCP
-S         Source address
           0.0.0.0/0 match every ip
           1024:65535 match every port >=1024 (non-privileged ports - why?)
-D         Destination address
           111.229.13.13 matches this ip only

This should work. But it allows non-email-traffic also...
I would suggest the following:

ipfwadm -F -a accept -b -P tcp -S 0/0 -D 111.229.13.13 smtp

BTW: You can use symbolic names which makes this a lot more readable.
Example: ipfwadm -F -a accept -b -P tcp -S 0/0 -D mailhost smtp

> # Allow email to NS1 Relay host
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 111.229.13.2

accordingly

> # Allow email to outside mail servers from NCTAMS01
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.13 25 -D 0.0.0.0/0 1024:65535

This will not work because it allows only destination ports from 1024-65535.
SMTP uses service 25.

ipfwadm -F -a accept -b -P tcp -S nctams01 -D 0/0 smtp

> # Allow email to outside mail servers from NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 25 -D 0.0.0.0/0 1024:65535

Analogous.

> # Allow DNS traffic to NS1
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 111.229.13.2

You mixed up source and destination port.

ipfwadm -F -a accept -b -P udp -S 0/0 -D ns1 domain

> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 111.229.13.2

ipfwadm -F -a accept -b -P tcp -S 0/0 -D ns1 domain
(Who will use DNS over TCP??)

> ipfwadm -F -a accept -b -P tcp -S 111.229.232.0/24 82 -D 111.229.13.2

What service is this?

> # Allow Web connections to outside Web Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 80 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 www

> # Allow FTP connection to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 20 -D 0.0.0.0/0 1024:65535
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 21 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 ftp
ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 ftp-data

> # Allow Telnet connections to outside Servers
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.0/24 23 -D 0.0.0.0/0 1024:65535

ipfwadm -F -a accept -b -P tcp -S localnet -D 0/0 telnet

> # Allow NTP time to NS1
> ipfwadm -F -a accept -b -P tcp -S 111.229.13.2 123 -D 0.0.0.0/0 1024:65535

Not sure here! I do not know ntp...

Your setup will not deny all packets, but it will not forward the packets you want it to.

cu
Torsten
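The reply above turns on three things about ipfwadm -F rules on a 2.0 kernel: the filter keeps no connection state, so -b is what lets the replies of a TCP or UDP exchange back through; a port list attaches to the -S or -D address it follows, so a service port belongs on the destination side of the rule; and with the default policy set to deny, a packet that matches no rule is dropped. The following is an added example, not part of the thread and not ipfwadm code: a small Python model of that matching logic, run over constructed packets, that shows the poster's "outside mail from NCTAMS01" and "DNS to NS1" rules matching nothing while Torsten's corrections match both directions. It assumes first-match-wins evaluation and simplifies the real ipfw (no fragment handling, no TCP flag checks); the outside hosts 198.51.100.7 and 203.0.113.9 are made-up addresses from the RFC 5737 documentation ranges.

```python
"""Toy model of ipfwadm -F (forwarding chain) matching on Linux 2.0.

Added example, not from the original thread.  Simplifying assumptions:
rules are checked in order and the first match decides; -b lets a rule
also match with -S and -D exchanged; a missing port list matches any
port; a connection only works if both directions are accepted, because
the 2.0 filter keeps no connection state.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subset of /etc/services, so rules can use the symbolic names the reply
# recommends instead of raw numbers.
SERVICES = {"smtp": 25, "domain": 53, "www": 80, "ftp": 21,
            "ftp-data": 20, "telnet": 23}


def parse_ports(spec):
    """'1024:65535' -> range, 'smtp' or '25' -> single port, None -> any."""
    if spec is None:
        return None
    if ":" in spec:
        lo, hi = spec.split(":")
        return range(int(lo), int(hi) + 1)
    return [int(SERVICES.get(spec, spec))]


@dataclass
class Rule:
    """One 'ipfwadm -F -a <action> [-b] -P <proto> -S <net> [port] -D <net> [port]'."""
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[str] = None
    dport: Optional[str] = None
    bidir: bool = False

    @staticmethod
    def _half(addr, port, net_spec, port_spec):
        net = ip_network(net_spec if "/" in net_spec else net_spec + "/32")
        ports = parse_ports(port_spec)
        return ip_address(addr) in net and (ports is None or port in ports)

    def matches(self, pkt):
        proto, saddr, sport, daddr, dport = pkt
        if proto != self.proto:
            return False
        fwd = (self._half(saddr, sport, self.src, self.sport)
               and self._half(daddr, dport, self.dst, self.dport))
        if fwd or not self.bidir:
            return fwd
        # -b: the same rule with source and destination exchanged.
        return (self._half(daddr, dport, self.src, self.sport)
                and self._half(saddr, sport, self.dst, self.dport))


def decide(rules, pkt, policy="deny"):
    """First matching rule wins; otherwise the chain policy (-p deny) applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def connection_allowed(rules, first_packet):
    """Stateless filter: the exchange works only if the reply is forwarded too."""
    proto, saddr, sport, daddr, dport = first_packet
    reply = (proto, daddr, dport, saddr, sport)
    return decide(rules, first_packet) == "accept" and decide(rules, reply) == "accept"


MAILHOST = "111.229.13.13"   # NCTAMS01 in the thread
NS1 = "111.229.13.2"
# Constructed packets: (proto, src addr, src port, dst addr, dst port).
OUTBOUND_MAIL = ("tcp", MAILHOST, 1234, "198.51.100.7", 25)
OUTSIDE_DNS_QUERY = ("udp", "203.0.113.9", 40000, NS1, 53)

# The poster's rules: service port on the source side.
ORIGINAL = [
    Rule("accept", "tcp", MAILHOST, "0.0.0.0/0", sport="25", dport="1024:65535", bidir=True),
    Rule("accept", "udp", "0.0.0.0/0", NS1, sport="53", bidir=True),
]
# The corrections from the reply: service port on the destination side.
CORRECTED = [
    Rule("accept", "tcp", MAILHOST, "0.0.0.0/0", dport="smtp", bidir=True),
    Rule("accept", "udp", "0.0.0.0/0", NS1, dport="domain", bidir=True),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "outbound smtp:", connection_allowed(rules, OUTBOUND_MAIL),
              "dns to ns1:", connection_allowed(rules, OUTSIDE_DNS_QUERY))
```

The interesting case is the original SMTP rule: the outbound SYN (source port 1234, destination port 25) fails the forward match because the rule demands source port 25, and the -b reversal only matches packets addressed to NCTAMS01 port 25, i.e. inbound mail, so neither direction of an outbound session is ever accepted and the deny policy takes over.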