Hello, guys. Can you help me: why is my rule not working with keep-state?
Short version:
When I use this, it is not working:
Code:
${FwCMD} add allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via ${LanOut} setup keep-state
If I add this one, it is fine:
Code:
${FwCMD} add allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via ${LanOut}
FreeBSD gate 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 ROUTER amd64
Kernel options:
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
options HZ="1000"
options LIBALIAS
options IPFIREWALL_NAT
options MROUTING
options ROUTETABLES=2
sysctl.conf:
Code:
net.inet.ip.forwarding=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=1000
net.inet.ip.fw.dyn_max=1000
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_short_lifetime=5
net.inet.ip.dummynet.io_fast=1
net.inet.ip.dummynet.pipe_byte_limit=1048576
Script:
Code:
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
###SNORT###
${FwCMD} add 00010 deny ip from "table(2)" to any via ${LanOut}
${FwCMD} add 00011 deny ip from any to "table(1)" via ${LanOut}
###icmp-network-check###
${FwCMD} add allow icmp from ${IpOut} to 8.8.8.8
${FwCMD} add allow icmp from ${IpOut2} to 8.8.4.4
###deny-icmp-DDOS###
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut2}
#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut2}
${FwCMD} add reject ip from any to ${IpOut} 22,80,135,139,443,445,898,989,3127,3128,3129,3130,3131,3306,10000,10050,10051 via ${LanOut}
###Interfaces###
#${FwCMD} add allow ip from any to any via ${LanIn20}
###SQUID###
#${FwCMD} add skipto 3000 all from 192.168.7.0/24 to any #exceptions squid
${FwCMD} add allow tcp from me to any out via ${LanOut} keep-state uid squid
${FwCMD} add allow tcp from me to any out via ${LanOut2} keep-state uid squid
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.1.0/24 to any 80,8080 out via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.1.0/24 to any 80,8080 out via ${LanOut2}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.1.0/24 to any 443 out via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.1.0/24 to any 443 out via ${LanOut2}
###IPFW-NAT###
${FwCMD} nat 1 config if ${LanOut} same_ports reset log
${FwCMD} nat 2 config if ${LanOut2} same_ports reset log
${FwCMD} add nat 1 ip4 from any to any via ${LanOut}
${FwCMD} add nat 2 ip4 from any to any via ${LanOut2}
${FwCMD} add allow ip from any to any via ${LanIn20}
${FwCMD} add allow ip from ${IpOut} to any via ${LanOut}
${FwCMD} add allow ip from ${IpOut2} to any via ${LanOut2}
###Speed###
${FwCMD} pipe 1 config bw 99Mbit/s
${FwCMD} pipe 11 config bw 99Mbit/s
${FwCMD} queue 1 config pipe 1 mask dst-ip 0xffffffff
${FwCMD} queue 2 config pipe 11 mask src-ip 0xffffffff
${FwCMD} add queue 1 ip from any to 192.168.1.0/24 via ${LanOut}
${FwCMD} add queue 2 ip from 192.168.1.0/24 to any via ${LanOut}
###SecondSpeed###
${FwCMD} pipe 2 config bw 9Mbit/s
${FwCMD} pipe 22 config bw 9Mbit/s
${FwCMD} queue 3 config pipe 2 mask dst-ip 0xffffffff
${FwCMD} queue 4 config pipe 22 mask src-ip 0xffffffff
${FwCMD} add queue 3 ip from any to 192.168.1.0/24 via ${LanOut2}
${FwCMD} add queue 4 ip from 192.168.1.0/24 to any via ${LanOut2}
###On the internal interface###
#${FwCMD} add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via ${LanIn20}
###LOCALNET###
${FwCMD} add allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via ${LanOut} setup keep-state
${FwCMD} add allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via ${LanOut}
###OpenVPN###
${FwCMD} add allow ip from any to any via tun0
${FwCMD} add allow ip from any to me 1194
###All_other_rules#######
###SKYPE###
${FwCMD} add allow udp from any to any 3478-3481,50000-60000 via ${LanOut} keep-state
###SIP, Messenger and other###
${FwCMD} add allow tcp from any to ${IpOut} 50000-50100 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut2} 50000-50100 via ${LanOut2}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
###PUBLIC###
#${FwCMD} add allow ip from any to ${IpOut}
#${FwCMD} add allow ip from ${IpOut} to any via ${LanOut}
#${FwCMD} add allow ip from ${IpOut2} to any out via ${LanOut2} setup keep-state
#${FwCMD} add allow ip from any to any
ipfw show:
Code:
04400 0 0 allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via em0 setup keep-state :default
04500 24868326 25945864699 allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via em0
Can you help me solve my problem and improve the script, please?
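Editor's note with an added example (not part of the post above). The `ipfw show` output is consistent with rule 04400 never being reached: in the posted order the `nat 1` rule and `allow ip from ${IpOut} to any via ${LanOut}` come first, so with `net.inet.ip.fw.one_pass=0` an outgoing LAN packet has already had its source translated to ${IpOut} and been allowed before the keep-state rule is consulted, and the return packet is de-NATed and accepted by the stateless rule 04500 instead. Separately, `setup` only matches TCP SYN packets, so an `ip` rule carrying `setup` never matches the UDP ports in the list (53, 123). The toy model below reproduces the first effect: it evaluates a simplified first-match rule list with NAT, check-state/keep-state and skipto, once in the post's order and once in the FreeBSD Handbook's order (de-NAT inbound first, then `check-state`, then keep-state rules that `skipto` the outbound `nat`). The public address 203.0.113.1, the remote host 198.51.100.7 and the rule numbers are constructed for the example; the model is not ipfw and ignores everything else in the script.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

PUBLIC_IP = "203.0.113.1"                      # constructed stand-in for ${IpOut}
LAN = ipaddress.ip_network("192.168.1.0/24")   # the LAN from the post
WAN = "em0"                                    # ${LanOut} as shown by `ipfw show`


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out" relative to the firewall host
    iface: str
    syn: bool = False   # TCP SYN without ACK: what ipfw's `setup` option matches


@dataclass
class Rule:
    num: int
    action: str                                  # allow | check-state | nat | skipto
    match: Callable[[Packet], bool] = lambda p: True
    keep_state: bool = False
    target: int = 0                              # skipto destination
    hits: int = 0                                # packet counter as printed by `ipfw show`


class Firewall:
    """Simplified first-match evaluation with one_pass=0 (search continues after nat)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = set()      # dynamic entries keyed on the 5-tuple seen at creation
        self.nat_map = {}     # same_ports style NAT: outgoing sport -> private source

    def _nat(self, p):
        if p.direction == "out" and ipaddress.ip_address(p.src) in LAN:
            self.nat_map[p.sport] = p.src      # translate private source to public
            p.src = PUBLIC_IP
        elif p.direction == "in" and p.dst == PUBLIC_IP and p.dport in self.nat_map:
            p.dst = self.nat_map[p.dport]      # undo translation on the way back

    def _has_state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dyn or rev in self.dyn

    def process(self, p):
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                if self._has_state(p):
                    r.hits += 1
                    return "allow(dynamic)"
                i += 1
                continue
            if not r.match(p):
                i += 1
                continue
            r.hits += 1
            if r.action == "nat":
                self._nat(p)
                i += 1
                continue
            if r.keep_state:
                self.dyn.add((p.proto, p.src, p.sport, p.dst, p.dport))
            if r.action == "allow":
                return f"allow({r.num})"
            if r.action == "skipto":
                i = next((k for k, x in enumerate(self.rules) if x.num >= r.target),
                         len(self.rules))
        return "deny(default)"


def lan_to_443_syn(p):
    """The post's keep-state rule reduced to one port: LAN to any 443 out via em0 setup."""
    return (p.proto == "tcp" and p.syn and p.direction == "out" and p.iface == WAN
            and p.dport == 443 and ipaddress.ip_address(p.src) in LAN)


def post_order_rules():
    """Order as in the post: nat and `allow from ${IpOut}` precede the keep-state rule."""
    return [
        Rule(100, "check-state"),
        Rule(200, "nat", match=lambda p: p.iface == WAN),
        Rule(300, "allow", match=lambda p: p.src == PUBLIC_IP and p.iface == WAN),
        Rule(400, "allow", match=lan_to_443_syn, keep_state=True),
        Rule(500, "allow", match=lambda p: p.sport == 443 and p.direction == "in"
             and p.iface == WAN and ipaddress.ip_address(p.dst) in LAN),
    ]


def handbook_order_rules():
    """Handbook order: de-NAT inbound, check-state, keep-state skipto, outbound nat."""
    return [
        Rule(100, "nat", match=lambda p: p.iface == WAN and p.direction == "in"),
        Rule(110, "check-state"),
        Rule(400, "skipto", match=lan_to_443_syn, keep_state=True, target=1000),
        Rule(1000, "nat", match=lambda p: p.iface == WAN and p.direction == "out"),
        Rule(1010, "allow"),
    ]


def run_scenario(rules):
    """Send one SYN out and its SYN/ACK back (constructed packets); return the two
    verdicts, rule 400's packet counter and the number of dynamic entries created."""
    fw = Firewall(rules)
    v_out = fw.process(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 443, "out", WAN, syn=True))
    v_in = fw.process(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, 40000, "in", WAN))
    stateful = next(r for r in fw.rules if r.num == 400)
    return v_out, v_in, stateful.hits, len(fw.dyn)
```

Running `run_scenario(post_order_rules())` gives `('allow(300)', 'allow(500)', 0, 0)`: the stateful rule keeps a zero counter, exactly as rule 04400 does in the post, and no dynamic entry exists, so the traffic only works because of the stateless inbound rule. `run_scenario(handbook_order_rules())` gives `('allow(1010)', 'allow(dynamic)', 1, 1)`: the SYN is recorded before translation, the SYN/ACK is de-NATed before `check-state`, and the return packet is accepted by the dynamic entry without any stateless inbound rule.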