Hi,
imagine a router with a lot of local networks on separate interfaces (or maybe VLANs) and one WAN interface (connected to the internet). Now what I want is to explicitly deny traffic between local networks and allow forwarding only to the internet. Something like these iptables rules:
Code:
# set default policy to DROP
iptables -P FORWARD DROP
# allow from LAN1 to Internet
iptables -A FORWARD -i $lan1_if -s $lan1_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan1_if -d $lan1_net -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow from LAN2 to Internet
iptables -A FORWARD -i $lan2_if -s $lan2_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan2_if -d $lan2_net -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow from LAN3 to Internet
iptables -A FORWARD -i $lan3_if -s $lan3_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan3_if -d $lan3_net -m state --state ESTABLISHED,RELATED -j ACCEPT
...
I don't know how to achieve this with ipfw. I have tried these rules, but they don't work:
Code:
sysctl net.inet.ip.fw.default_to_accept=0
ipfw add check-state :FORWARD
ipfw add deny all from any to any established
ipfw add pass all from ${lan1_net} to any in recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD # not working
ipfw add pass all from ${lan1_net} to any out recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD # not working
ipfw add pass all from ${lan1_net} to any recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD # not working
ipfw add pass all from ${lan1_net} to any via ${wan_if} keep-state :FORWARD # not working
...
I can do this by implicitly blocking forwarding from one LAN to another LAN, but with a large number of local networks it is very impractical:
Code:
# LAN1
ipfw add deny all from ${lan1_net} to ${lan2_net}
ipfw add deny all from ${lan1_net} to ${lan3_net}
...
ipfw add deny all from ${lan1_net} to ${lanN_net}
ipfw add allow all from ${lan1_net} to any
# LAN2
ipfw add deny all from ${lan2_net} to ${lan1_net}
ipfw add deny all from ${lan2_net} to ${lan3_net}
...
ipfw add deny all from ${lan2_net} to ${lanN_net}
ipfw add allow all from ${lan2_net} to any
# LAN3
ipfw add deny all from ${lan3_net} to ${lan1_net}
ipfw add deny all from ${lan3_net} to ${lan2_net}
...
ipfw add deny all from ${lan3_net} to ${lanN_net}
ipfw add allow all from ${lan3_net} to any
Thank you for any advice.
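An added example, not the poster's code and not an ipfw project script, of how a FreeBSD admin could express the same policy with an ipfw interface table so that the LAN-to-LAN deny stays a single rule no matter how many LANs there are. It assumes FreeBSD 11 or newer (tables of type iface); the interface names (vlan10, vlan20, vlan30, em0), networks and rule numbers are constructed placeholders.

```sh
#!/bin/sh
# Added example (not the poster's code): build an ipfw ruleset that isolates
# N local networks from each other with one deny rule and N allow rule pairs,
# instead of the N*(N-1) pairwise denies shown in the post.
# IPFW defaults to a dry run that prints the commands; set IPFW=ipfw to apply.
IPFW="${IPFW:-echo ipfw}"
WAN_IF="${WAN_IF:-em0}"

# "interface network" pairs, one per line (constructed sample data)
LANS='vlan10 192.168.10.0/24
vlan20 192.168.20.0/24
vlan30 192.168.30.0/24'

gen_rules() {
    # interface table (FreeBSD 11+): every LAN-facing interface goes in here
    $IPFW table lanifs create type iface
    echo "$LANS" | while read -r ifc net; do
        [ -n "$ifc" ] && $IPFW table lanifs add "$ifc"
    done

    # replies from the internet match the dynamic rules created by rules 3x1
    $IPFW add 100 check-state
    # A forwarded packet is seen twice: inbound on the receiving interface and
    # outbound on the transmitting one. xmit can only be tested on the outbound
    # pass (ipfw(8)), so 'out' is mandatory here. Packets the router generates
    # itself have no receive interface and therefore never match this rule.
    $IPFW add 200 deny ip from any to any out recv 'table(lanifs)' xmit 'table(lanifs)'

    n=300
    echo "$LANS" | while read -r ifc net; do
        [ -n "$ifc" ] || continue
        # inbound pass: accept only the LAN's own source addresses (anti-spoofing);
        # this also admits LAN hosts to the router itself, whose own policy is out
        # of scope here
        $IPFW add $n allow ip from "$net" to any in recv "$ifc"
        # outbound pass: LAN to internet only, stateful so rule 100 admits replies
        $IPFW add $((n + 1)) allow ip from "$net" to any out recv "$ifc" xmit "$WAN_IF" keep-state
        n=$((n + 10))
    done

    # everything else, including traffic with no matching state, is dropped;
    # the router's own traffic (lo0, management) needs its own rules above this
    $IPFW add 65000 deny ip from any to any
}

gen_rules
```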