IPFW HOWTO: Statefulness, NAT, and dynamic reloading

Here's another way.

What is mandatory for this to work is to use the "deny_in" option, which will drop any traffic for which there's no record in libalias. Otherwise it will allow all traffic in.

It looks like this:

ipfw nat 1 config if em0 log deny_in same_ports reset

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to me icmptypes 8
02200 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 128,129
02300 allow icmp from any to me icmptypes 3,4,11
02400 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 3
02510 allow tcp from any to me 22
05000 allow ip from any to any via lo1
55000 nat 1 ip from any to any via em0
65535 deny ip from any to any
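As an added example (not part of the original post), a small checker that reads the `ipfw nat N config` line and the `ipfw list` output and flags a nat rule whose instance lacks the deny_in option the post calls mandatory, or whose interface does not match the instance's `if`. The sample input below is constructed from the post's ruleset, not captured from a live host.

```python
import re

# Constructed sample input modelled on the post above (not captured from a live host).
NAT_CONFIG = "ipfw nat 1 config if em0 log deny_in same_ports reset"
RULESET = """\
01100 check-state :default
01300 allow tcp from me to any setup keep-state :default
55000 nat 1 ip from any to any via em0
65535 deny ip from any to any
"""

VALUE_OPTS = {"if", "ip"}  # options that take one argument; redirect_* options are not modelled


def parse_nat_config(line):
    """Turn 'ipfw nat N config <opts>' into (N, {opt: value}); flag options map to True."""
    m = re.match(r"(?:ipfw\s+)?nat\s+(\d+)\s+config\s+(.*)$", line.strip())
    if not m:
        raise ValueError(f"not a nat config line: {line!r}")
    toks = m.group(2).split()
    opts, i = {}, 0
    while i < len(toks):
        if toks[i] in VALUE_OPTS and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return int(m.group(1)), opts


def audit(nat_config_lines, ruleset):
    """Return a list of findings for every 'nat N' rule in the ruleset text."""
    configs = dict(parse_nat_config(l) for l in nat_config_lines)
    findings = []
    for line in ruleset.splitlines():
        m = re.match(r"(\d+)\s+nat\s+(\d+)\s+(.*)$", line.strip())
        if not m:
            continue  # only nat rules are audited here
        rule_no, inst, body = m.group(1), int(m.group(2)), m.group(3)
        cfg = configs.get(inst)
        if cfg is None:
            findings.append(f"rule {rule_no}: nat instance {inst} has no config line")
            continue
        if "deny_in" not in cfg:
            findings.append(f"rule {rule_no}: nat {inst} lacks deny_in; inbound packets with no "
                            f"libalias entry pass this rule untranslated")
        via = re.search(r"\b(?:via|recv|xmit)\s+(\S+)", body)
        if via and cfg.get("if") and via.group(1) != cfg["if"]:
            findings.append(f"rule {rule_no}: rule matches {via.group(1)} but nat {inst} "
                            f"is configured with if {cfg['if']}")
    return findings
```

Running `audit([NAT_CONFIG], RULESET)` on the post's ruleset returns no findings; dropping deny_in from the config line produces one.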