Dynamic firewall rules


v0idnull
December 3rd, 2008, 20:46
The situation:
Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.

My conceptual solution:
If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.

My problem:
Not a clue how to do this

Would prefer:
Websites with solutions/best practices rather than step-by-step instructions which teach me very little.

The FreeBSD handbook is nice in explaining the basics of IPFW but that's it. This isn't all that basic it would seem.

keramida@
December 4th, 2008, 00:48
The situation:
Limit certain services to my IP only. Except my IP is my ISP IP and not guaranteed. However I have dyndns.

My conceptual solution:
If service is accessed, run script to find out IP of my dyndns host, and allow that IP only, blocking all other IPs.


Too complex. I would go for something that filters connections by the network interface they arrive on, or I would use the special 'me' keyword of ipfw, i.e.:


# Path of the ipfw binary; all rules below go through this variable.
fwcmd="/sbin/ipfw"

# Allow packets for which a state has been built.
${fwcmd} add check-state

# For services permitted below.
${fwcmd} add pass tcp from me to any established

# Allow any connection out, adding state for each.
${fwcmd} add pass tcp from me to any setup keep-state
${fwcmd} add pass udp from me to any keep-state
${fwcmd} add pass icmp from me to any keep-state

# allow everything from localhost->localhost
${fwcmd} add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0

# allow everything from internal network machines
${fwcmd} add pass all from 192.168.1.0/24 to 192.168.1.0/24 via re0

# ==================================================================

# allow ssh connections from everyone else
${fwcmd} add pass tcp from any to me 22 via re0 setup keep-state

# allow connections to the local web server
${fwcmd} add pass tcp from any to me 80 via re0 setup keep-state

# ==================================================================

# block everything else
${fwcmd} add deny ip from any to any


Note that there is no explicit IP address in the re0 rules that allow SSH (port 22) and HTTP (port 80) connections.
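The following script is an added example and is not code from either poster. It combines v0idnull's conceptual solution (resolve the dyndns name, admit only that address) with keramida's rule set by keeping the address in an ipfw lookup table, so that the SSH and HTTP rules use table(1) instead of 'any' and the rule set itself never has to be reloaded when the address changes. It assumes a FreeBSD box with ipfw table support, the base-system 'host' utility, /sbin/ipfw, table number 1, interface re0 (as in keramida's rules) and a hypothetical dyndns hostname myhome.dyndns.example; DRYRUN=1 prints the ipfw commands instead of running them.

```sh
#!/bin/sh
# Added example, not code from the thread: keep an ipfw lookup table equal to
# the current address of a dyndns name, so SSH/HTTP admit only that host.
# Assumed: FreeBSD ipfw with tables, the base-system 'host' utility, table 1,
# interface re0 and a hypothetical dyndns name. DRYRUN=1 prints instead of runs.

DYNHOST="${DYNHOST:-myhome.dyndns.example}"   # hypothetical dyndns hostname
TABLE="${TABLE:-1}"
IFACE="${IFACE:-re0}"
FWCMD="${FWCMD:-/sbin/ipfw}"
STATEFILE="${STATEFILE:-/var/db/dynfw.last}"  # last address written to the table

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a failed or odd lookup can never end up as a rule argument.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_ip NAME: print the first A record of NAME, or nothing on failure.
resolve_ip() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# run CMD ARGS...: execute the command, or only print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# base_rules: the rule set for firewall_script, loaded once at boot. The only
# change from the thread's rules is that ports 22 and 80 accept connections
# from table($TABLE) instead of from 'any'.
base_rules() {
    run "$FWCMD" -f flush
    run "$FWCMD" add check-state
    run "$FWCMD" add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
    run "$FWCMD" add pass all from 192.168.1.0/24 to 192.168.1.0/24 via "$IFACE"
    run "$FWCMD" add pass tcp from me to any setup keep-state
    run "$FWCMD" add pass udp from me to any keep-state
    run "$FWCMD" add pass icmp from me to any keep-state
    run "$FWCMD" add pass tcp from "table($TABLE)" to me 22 via "$IFACE" setup keep-state
    run "$FWCMD" add pass tcp from "table($TABLE)" to me 80 via "$IFACE" setup keep-state
    run "$FWCMD" add deny ip from any to any
}

# refresh: resolve DYNHOST and rewrite the table only when the address changed.
# The table is updated in place, so the rule set and existing keep-state entries
# are untouched; a lookup failure keeps the previous address in the table.
refresh() {
    ip=$(resolve_ip "$DYNHOST")
    if ! valid_ipv4 "$ip"; then
        echo "dynfw: cannot resolve $DYNHOST, leaving table $TABLE unchanged" >&2
        return 1
    fi
    last=""
    [ -r "$STATEFILE" ] && last=$(cat "$STATEFILE")
    [ "$ip" = "$last" ] && return 0
    run "$FWCMD" table "$TABLE" flush
    run "$FWCMD" table "$TABLE" add "$ip"
    printf '%s\n' "$ip" > "$STATEFILE"
    echo "dynfw: table $TABLE now admits $ip" >&2
}

case "${1:-}" in
    rules)   base_rules ;;
    refresh) refresh ;;
    '')      ;;   # no verb (e.g. sourced from another script): define functions only
    *)       echo "usage: $0 rules|refresh" >&2; exit 2 ;;
esac
```

Point firewall_script at 'dynfw.sh rules' so the rule set is loaded once at boot, and run 'dynfw.sh refresh' from cron every few minutes. This replaces the "run a script when the service is accessed" idea with a periodic refresh, which is what keeps the design simple: the refresh path only ever touches the table, so an open SSH session is not dropped by a rule flush, and if the DNS lookup fails the old address stays admitted rather than the firewall opening up or locking everyone out. The one thing to keep in mind is that the table holds whatever the dyndns name resolves to, so the dyndns account itself is now part of the trust boundary for ports 22 and 80.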