IPFW IPFW + DMZ (EDGE)

D

devset

Hello!
Help me please!
Help implement a DMZ network using the IPFW firewall. I do not understand how it will be written in ipfw.rules. You need to remove MS EDGE Exchange in the DMZ zone.
Tell me in terms of port security?
Thanks.
 
Code: 
#!/bin/sh

# reset 
ipfw -q -f flush

# macro 
ext="em0"
int="em1"
dmz="em2"
cmd="ipfw -q add "
skip="skipto 2000 "
ssha=""

# kernel nat config
ipfw -q nat 1 config if em0 same_ports unreg_only \
redirect_port tcp XX.XX.XX.XX:443 443 \
redirect_port tcp XX.XX.XX.XX:25 25

# allow root ssh
$cmd 01 allow tcp from $ssha to me 74999 in via $ext setup limit src-addr 2

# drop ipv6
$cmd 050 deny ip6 from any to any
$cmd 060 deny udp from any to any dst-port 546,547

# enable loopback and local traffic
$cmd 080 allow ip4 from any to any via lo0,$int

# unnat incoming traffic
$cmd 090 nat 100 ip4 from any to any in via $ext

# mail
$cmd 091 allow tcp from any to XX.XX.XX.XX 443
$cmd 092 allow tcp from any to XX.XX.XX.XX 25

# check dynamic rules table
$cmd 0100 check-state

# nat
$cmd 0200 $skip tcp from any to any out via $ext setup keep-state
$cmd 0210 $skip icmp from any to any out via $ext keep-state
$cmd 0220 $skip udp from any to any out via $ext keep-state

# mail
$cmd 0223 $skip tcp from XX.XX.XX.XX 443 to any
$cmd 0224 $skip tcp from XX.XX.XX.XX 25 to any

# deny
$cmd 0500 deny log all from any to any in via $ext
$cmd 0510 deny log all from any to any out via $ext

# nat out point
$cmd 2000 nat 100 ip from any to any out via $ext
$cmd 3000 allow ip from any to any

# deny all other
$cmd 4000 deny log all from any to any
 
Core config FreeBBSD 10.4
Code: 
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options LIBALIAS
options DUMMYNET
options ROUTETABLES=4
 
SirDice said:
FreeBSD 10.4 has been End-of-Life since October 2018 and is not supported any more.

Topics about unsupported FreeBSD versions
www.freebsd.org

Unsupported FreeBSD Releases

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.
www.freebsd.org www.freebsd.org
Click to expand...

SirDice sory my freebsd system building on 12.1

Core config FreeBSD 12.1
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPDIVERT


rules ipfw
Code: 
#!/bin/sh

# reset 
ipfw -q -f flush

# macro
ext="em0"
int="em1"
dmz= "em2"
cmd="ipfw -q add "
skip="skipto 2000 "
ssha="X.X.X.X"

# kernel nat config
ipfw -q nat 1 config if em1 same_ports unreg_only

# allow root ssh
$cmd 01 allow tcp from $ssha to me 87111 in via $ext setup limit src-addr 1

# drop ipv6
$cmd 05 deny ip6 from any to any
$cmd 06 deny udp from any to any dst-port 546,547

# enable loopback and local traffic
$cmd 010 allow ip4 from any to any via lo0,$int

# unnat incoming traffic
$cmd 030 nat 1 ip4 from any to any in via $ext

# check dynamic rules table
$cmd 050 check-state

# nat
$cmd 0200 $skip tcp from any to any out via $ext setup keep-state
$cmd 0210 $skip icmp from any to any out via $ext keep-state
$cmd 0220 $skip udp from any to any out via $ext keep-state

# deny
$cmd 0500 deny log all from any to any in via $ext
$cmd 0510 deny log all from any to any out via $ext

# nat out point
$cmd 2000 nat 1 ip from any to any out via $ext
$cmd 3000 allow ip from any to any

# deny all other
$cmd 4000 deny log all from any to any

rc conf
Code: 
# IPFW
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"
 
Last edited by a moderator:
Hello forum team!
Please help me.
Write worked example config dmz zone.
3 way interfaces
em0 internet
em1 dmz
em2 lan
Core config:
(nat ipfw not natd)
# ipfw
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options LIBALIAS
options DUMMYNET

FreeBSD 12.1
Thanks!
 
You must log in or register to reply here.
Back
Top