IPFW forward rules equivalent to Linux iptables

gwh

Hi,

imagine a router with a lot of local networks on separate interfaces (or maybe VLANs) and one WAN interface (connected to the internet). Now what I want is to explicitly deny traffic between local networks and allow forwarding only to the internet. Something like these iptables rules:
Code:
# set default policy to DROP
iptables -P FORWARD DROP

# allow from LAN1 to Internet
iptables -A FORWARD -i $lan1_if -s $lan1_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan1_if -d $lan1_net -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow from LAN2 to Internet
iptables -A FORWARD -i $lan2_if -s $lan2_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan2_if -d $lan2_net -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow from LAN3 to Internet
iptables -A FORWARD -i $lan3_if -s $lan3_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan3_if -d $lan3_net -m state --state ESTABLISHED,RELATED -j ACCEPT
...
I don't know how to achieve this with ipfw. I have tried these rules, but they don't work:

Code:
sysctl net.inet.ip.fw.default_to_accept=0

ipfw add check-state :FORWARD
ipfw add deny all from any to any established

ipfw add pass all from ${lan1_net} to any in recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any out recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any via ${wan_if} keep-state :FORWARD     # not working
...
I can do this by explicitly blocking forwarding from one LAN to another LAN, but in the case of a large number of local networks it is very impractical:

Code:
# LAN1
ipfw add deny all from ${lan1_net} to ${lan2_net}
ipfw add deny all from ${lan1_net} to ${lan3_net}
...
ipfw add deny all from ${lan1_net} to ${lanN_net}

ipfw add allow all from ${lan1_net} to any

# LAN2
ipfw add deny all from ${lan2_net} to ${lan1_net}
ipfw add deny all from ${lan2_net} to ${lan3_net}
...
ipfw add deny all from ${lan2_net} to ${lanN_net}

ipfw add allow all from ${lan2_net} to any

# LAN3
ipfw add deny all from ${lan3_net} to ${lan1_net}
ipfw add deny all from ${lan3_net} to ${lan2_net}
...
ipfw add deny all from ${lan3_net} to ${lanN_net}

ipfw add allow all from ${lan3_net} to any
Thank you for any advice.
 

phoenix

Allow the traffic you want, then have a "deny ip from any to any" at the end to block everything else. Easy peasy, pudding pie.
 

leebrown66

"but in the case of a large number of local networks it is very impractical:"
Use the power of the shell, e.g. like this (but without the echos, of course):

Code:
#!/bin/sh
# assumes lan1_net ... lan5_net are already set, e.g. lan1_net=192.168.1.0/24
for from in 1 2 3 4 5; do
 eval fromNIC=\$lan${from}_net   # indirect expansion: the value of lan${from}_net, not its name
 echo "# LAN${from}"
 for to in 1 2 3 4 5; do
  eval toNIC=\$lan${to}_net
  if [ ${from} -ne ${to} ]; then
   echo ipfw add deny all from ${fromNIC} to ${toNIC}
  fi
 done
 echo ipfw add allow all from ${fromNIC} to any
done
 
gwh

Hi,
thanks for your reply, but it is not what I wanted.
Finally I have found a solution:

Code:
$ipfw add check-state :FORWARD

$ipfw add deny tcp from any to any established

# allow all from LAN to all
$ipfw add allow tcp from any to not me in via ${lan_if}
$ipfw add allow udp from any to not me in via ${lan_if}
$ipfw add allow ip from any to not me in via ${lan_if}

$ipfw add allow tcp from any to any out recv ${lan_if} setup keep-state :FORWARD
$ipfw add allow udp from any to any out recv ${lan_if} keep-state :FORWARD
$ipfw add allow ip from any to any out recv ${lan_if} keep-state :FORWARD


# allow all from DMZ to inet only
$ipfw add allow tcp from any to not me in via ${dmz_if}
$ipfw add allow udp from any to not me in via ${dmz_if}
$ipfw add allow ip from any to not me in via ${dmz_if}

$ipfw add allow tcp from any to any out via ${wan_if} recv ${dmz_if} setup keep-state :FORWARD
$ipfw add allow udp from any to any out via ${wan_if} recv ${dmz_if} keep-state :FORWARD
$ipfw add allow ip from any to any out via ${wan_if} recv ${dmz_if} keep-state :FORWARD
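The following is an added example, not code from the thread: it combines phoenix's "allow what you want, then deny everything" approach, leebrown66's loop, and the in/out split from the final post above into one generator script. Instead of N*N explicit deny rules it puts every LAN prefix into an ipfw address table and denies table-to-table traffic with a single rule. The interface names, the prefixes, the WAN interface em0 and the table number are all constructed assumptions for the example; the script only prints the ipfw commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset that lets every
# LAN reach the internet but never another LAN, using one table-based deny rule
# instead of N*N explicit denies. Interface names, prefixes and table number are
# constructed for the example; adjust to the real router.
# Apply with:  sh gen-ipfw.sh | sh   (ideally from the console, see note below)

wan_if="${wan_if:-em0}"
# "interface:prefix" pairs, one per LAN; adding a LAN means adding one entry here
lans="${lans:-vlan10:192.168.10.0/24 vlan20:192.168.20.0/24 vlan30:192.168.30.0/24}"
lan_table=1      # numbered ipfw address table holding every LAN prefix

gen_rules() {
    # Flush the old ruleset and table, then load every LAN prefix into the table.
    echo "ipfw -f flush"
    echo "ipfw table ${lan_table} flush"
    for entry in ${lans}; do
        echo "ipfw table ${lan_table} add ${entry#*:}"
    done
    # Replies matching the dynamic rules created below are accepted first,
    # on both the inbound and the outbound pass.
    echo "ipfw add 100 check-state"
    # One rule replaces the N*N explicit denies: any LAN to any other LAN.
    # table(N) is quoted so the parentheses survive when the output is piped to sh.
    echo "ipfw add 200 deny ip from 'table(${lan_table})' to 'table(${lan_table})'"
    for entry in ${lans}; do
        ifn=${entry%%:*}
        net=${entry#*:}
        # Inbound pass on the LAN interface: only that LAN's own prefix may enter
        # (anti-spoofing). Traffic to the router itself ("me") needs its own rules.
        echo "ipfw add 300 allow ip from ${net} to not me in recv ${ifn}"
        # Outbound pass toward the WAN: create state so the reply is accepted by
        # check-state on the way back in via the WAN and out via the LAN.
        echo "ipfw add 400 allow ip from ${net} to any out recv ${ifn} xmit ${wan_if} keep-state"
    done
    # Everything else, including LAN-to-LAN on the outbound pass, is dropped.
    echo "ipfw add 65000 deny ip from any to any"
}

gen_rules
```

Because the generated ruleset starts with a full flush and ends in deny-all, load it as one script from the console (or with a timed fallback) rather than line by line over an SSH session through the same firewall. Host-bound traffic (DNS, DHCP, SSH to the router) is deliberately excluded by `not me` and must be allowed by separate rules, as in the final post above.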
 