goshanecr
March 13th, 2010, 22:47
Hi friends!
Today i'm decide to organize my ipfw rules. And that what i do:
ipfw show
50-55 rules for connect to provider pptp server
00050 834 27304 allow ip from me to 10.0.0.1 via nfe0 out
00055 11729 1024957 allow ip from 10.0.0.1 to me via nfe0 in
200-370 - that rules denies connect to unneeded ports and allows connect to needed.
00100 0 0 check-state
00200 4 240 deny icmp from any to any in icmptypes 5,8,9,13,14,15,16,17
00300 11691 588087 deny tcp from any to me not dst-port 25,80,22222 in via ng0
00305 0 0 allow tcp from any to me dst-port 25,80,22222 in via ng0
00310 1 49 deny udp from any to me not dst-port 31194 in via ng0
00315 4 1639 allow udp from any to me dst-port 31194 in via ng0
00320 0 0 deny tcp from any to me not dst-port 53,80,22222 in via rl0
00325 0 0 allow tcp from any to me dst-port 53,80,22000 in via rl0
00330 0 0 deny udp from any to me not dst-port 53,123 in via rl0
00335 0 0 allow udp from any to me dst-port 53,123 in via rl0
00340 0 0 deny tcp from any to me not dst-port 53,80,22222 in via wlan0
00345 0 0 allow tcp from any to me dst-port 53,80,22222 in via wlan0
00350 0 0 deny udp from any to me not dst-port 53,123,31194 in via wlan0
00355 0 0 allow udp from any to me dst-port 53,123,31194 in via wlan0
00360 0 0 deny tcp from any to me not dst-port 53,80,22222 in via tun0
00370 0 0 deny udp from any to me not dst-port 123 in via tun0
In table 3 i have 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24 and it must not come from WAN to me
00400 0 0 deny ip from table(3) to me in via ng0
I can do anything
00500 10 810 allow ip from me to any keep-state
Clients described in table 1 (192.168.1.0/24,192.168.0.0/24) forward to transparent proxy
00600 0 0 fwd 127.0.0.1,3128 ip from table(1) to not me dst-port 80,8080 via ng0 out
unsuccessful rule for nat to clients from table 2
00650 0 0 divert 8668 ip from table(2) to not me via ng0 out
All other deny and log
50000 139 13004 deny log logamount 100 ip from any to any
Please help me correct setup rules for my lan clients can go to internet with nat.
Today i'm decide to organize my ipfw rules. And that what i do:
ipfw show
50-55 rules for connect to provider pptp server
00050 834 27304 allow ip from me to 10.0.0.1 via nfe0 out
00055 11729 1024957 allow ip from 10.0.0.1 to me via nfe0 in
200-370 - that rules denies connect to unneeded ports and allows connect to needed.
00100 0 0 check-state
00200 4 240 deny icmp from any to any in icmptypes 5,8,9,13,14,15,16,17
00300 11691 588087 deny tcp from any to me not dst-port 25,80,22222 in via ng0
00305 0 0 allow tcp from any to me dst-port 25,80,22222 in via ng0
00310 1 49 deny udp from any to me not dst-port 31194 in via ng0
00315 4 1639 allow udp from any to me dst-port 31194 in via ng0
00320 0 0 deny tcp from any to me not dst-port 53,80,22222 in via rl0
00325 0 0 allow tcp from any to me dst-port 53,80,22000 in via rl0
00330 0 0 deny udp from any to me not dst-port 53,123 in via rl0
00335 0 0 allow udp from any to me dst-port 53,123 in via rl0
00340 0 0 deny tcp from any to me not dst-port 53,80,22222 in via wlan0
00345 0 0 allow tcp from any to me dst-port 53,80,22222 in via wlan0
00350 0 0 deny udp from any to me not dst-port 53,123,31194 in via wlan0
00355 0 0 allow udp from any to me dst-port 53,123,31194 in via wlan0
00360 0 0 deny tcp from any to me not dst-port 53,80,22222 in via tun0
00370 0 0 deny udp from any to me not dst-port 123 in via tun0
In table 3 i have 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24 and it must not come from WAN to me
00400 0 0 deny ip from table(3) to me in via ng0
I can do anything
00500 10 810 allow ip from me to any keep-state
Clients described in table 1 (192.168.1.0/24,192.168.0.0/24) forward to transparent proxy
00600 0 0 fwd 127.0.0.1,3128 ip from table(1) to not me dst-port 80,8080 via ng0 out
unsuccessful rule for nat to clients from table 2
00650 0 0 divert 8668 ip from table(2) to not me via ng0 out
All other deny and log
50000 139 13004 deny log logamount 100 ip from any to any
Please help me correct setup rules for my lan clients can go to internet with nat.