IPFW forward rules equivalent to linux iptables

Hi,

imagine a router with a lot of local networks on separate interfaces (or maybe VLANs) and one WAN interface (connected to the internet). Now what I want is to explicitly deny traffic between local networks and allow forwarding only to the internet. Something like these iptables rules:
Code:
# set default policy to DROP
iptables -P FORWARD DROP

# allow from LAN1 to Internet
iptables -A FORWARD -i $lan1_if -s $lan1_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan1_if -d $lan1_net -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow from LAN2 to Internet
iptables -A FORWARD -i $lan2_if -s $lan2_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan2_if -d $lan2_net -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow from LAN3 to Internet
iptables -A FORWARD -i $lan3_if -s $lan3_net -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan3_if -d $lan3_net -m state --state ESTABLISHED,RELATED -j ACCEPT
...

I don't know how to achieve this with ipfw. I have tried these rules, but they don't work:

Code:
sysctl net.inet.ip.fw.default_to_accept=0

ipfw add check-state :FORWARD
ipfw add deny all from any to any established

ipfw add pass all from ${lan1_net} to any in recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any out recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any recv ${lan1_if} xmit ${wan_if} keep-state :FORWARD     # not working
ipfw add pass all from ${lan1_net} to any via ${wan_if} keep-state :FORWARD     # not working
...

I can do this by explicitly blocking forwarding from one LAN to another LAN, but with a large number of local networks it is very impractical:

Code:
# LAN1
ipfw add deny all from ${lan1_net} to ${lan2_net}
ipfw add deny all from ${lan1_net} to ${lan3_net}
...
ipfw add deny all from ${lan1_net} to ${lanN_net}

ipfw add allow all from ${lan1_net} to any

# LAN2
ipfw add deny all from ${lan2_net} to ${lan1_net}
ipfw add deny all from ${lan2_net} to ${lan3_net}
...
ipfw add deny all from ${lan2_net} to ${lanN_net}

ipfw add allow all from ${lan2_net} to any

# LAN3
ipfw add deny all from ${lan3_net} to ${lan1_net}
ipfw add deny all from ${lan3_net} to ${lan2_net}
...
ipfw add deny all from ${lan3_net} to ${lanN_net}

ipfw add allow all from ${lan3_net} to any

Thank you for any advice.
 
Allow the traffic you want, then have a "deny ip from any to any" at the end to block everything else. Easy peasy, pudding pie.
 
but in the case of large number of local networks it is very impractical:
Use the power of the shell, i.e. (but without the echoes, of course):

Code:
#!/bin/sh
# Expects lan1_net ... lan5_net to be set in the environment.
for from in 1 2 3 4 5; do
 eval fromNIC=\$lan${from}_net    # indirect lookup: the value of lan<from>_net
 echo "# LAN${from}"
 for to in 1 2 3 4 5; do
  eval toNIC=\$lan${to}_net       # same for the destination network
  if [ ${from} -ne ${to} ]; then
   echo ipfw add deny all from ${fromNIC} to ${toNIC}
  fi
 done
 echo ipfw add allow all from ${fromNIC} to any
done
 
Hi,
thanks for your reply, but it is not what I wanted.
Finally I have found a solution:

Code:
$ipfw add check-state :FORWARD

$ipfw add deny tcp from any to any established

# allow all from LAN to all
$ipfw add allow tcp from any to not me in via ${lan_if}
$ipfw add allow udp from any to not me in via ${lan_if}
$ipfw add allow ip from any to not me in via ${lan_if}

$ipfw add allow tcp from any to any out recv ${lan_if} setup keep-state :FORWARD
$ipfw add allow udp from any to any out recv ${lan_if} keep-state :FORWARD
$ipfw add allow ip from any to any out recv ${lan_if} keep-state :FORWARD


# allow all from DMZ to inet only
$ipfw add allow tcp from any to not me in via ${dmz_if}
$ipfw add allow udp from any to not me in via ${dmz_if}
$ipfw add allow ip from any to not me in via ${dmz_if}

$ipfw add allow tcp from any to any out via ${wan_if} recv ${dmz_if} setup keep-state :FORWARD
$ipfw add allow udp from any to any out via ${wan_if} recv ${dmz_if} keep-state :FORWARD
$ipfw add allow ip from any to any out via ${wan_if} recv ${dmz_if} keep-state :FORWARD
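As an added example (not from the thread), the pattern in the post above generalised to any number of LANs: a POSIX sh function that prints the stateful forward ruleset for a list of "interface:network" pairs instead of installing it, so it can be reviewed before being piped into sh. The interface names, networks and the `$ipfw` variable are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an ipfw ruleset in which
# each LAN may only open new flows that leave via the WAN interface; reply
# packets are matched by the :FORWARD dynamic state, and LAN-to-LAN traffic
# matches no allow rule and falls through to the final deny.
ipfw=${ipfw:-ipfw}   # assumed: path of the ipfw binary, as in the post above

# gen_forward_rules WAN_IF "if1:net1 if2:net2 ..."
gen_forward_rules() {
    wan_if=$1
    lans=$2
    echo "$ipfw add check-state :FORWARD"
    # TCP with ACK set but no dynamic rule: never part of an allowed flow
    echo "$ipfw add deny tcp from any to any established"
    for lan in $lans; do
        lan_if=${lan%%:*}    # text before the first ':'
        lan_net=${lan#*:}    # text after the first ':'
        echo "# ${lan_if} (${lan_net}): internet only"
        # inbound pass only for packets that are really from this LAN's prefix
        echo "$ipfw add allow ip from ${lan_net} to not me in via ${lan_if}"
        # the policy is enforced on the outbound pass: must leave via WAN
        echo "$ipfw add allow tcp from ${lan_net} to any out via ${wan_if} recv ${lan_if} setup keep-state :FORWARD"
        echo "$ipfw add allow udp from ${lan_net} to any out via ${wan_if} recv ${lan_if} keep-state :FORWARD"
        echo "$ipfw add allow ip from ${lan_net} to any out via ${wan_if} recv ${lan_if} keep-state :FORWARD"
    done
    # explicit final deny so the result does not depend on the default rule
    echo "$ipfw add deny ip from any to any"
}

# constructed sample input: two LANs behind WAN interface em0
gen_forward_rules em0 "em1:192.168.1.0/24 em2:192.168.2.0/24"
```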
 