Protecting the gateway using IPFW/NAT

I am running 7.2-p3 as my router/gateway for my home network. I followed the instructions in the handbook for setting up IPFW/NATD, and everything is working great.

One thing I would like to change though is that the gateway server appears to be publicly accessible. I am getting a lot of error messages about failed ssh login attempts from addresses outside my network. How can I block any traffic from getting to the server directly (instead of being passed through to my private network)?

I am using the standard OPEN rules:
Code:
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
 
From the handbook:
To select one of the default firewall types provided by FreeBSD, select one by reading the /etc/rc.firewall file
 
mikej83 said:
I am using the standard OPEN rules:
Code:
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using statefull
#                 firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)

Did you read this from rc.firewall (or SirDice's reply)? Try one of those instead.
 
aragon said:
Code:
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using statefull
#                 firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)

Did you read this from rc.firewall (or SirDice's reply)? Try one of those instead.

Try one of what, exactly? As I've already stated, I'm using the open ruleset (the first one in your list). Client and Simple also contain a divert rule, but they both have the same problem I originally stated. I fell back to using Open because it is the simplest of the bunch to start from, and I thought it would be good to customize from there. Also the example in the handbook uses the open ruleset.

SirDice said:
Or, even better, create your own rules.
Yes, that is what I am trying to do but I don't know how to craft a rule to do this. I thought someone here might have been able to help me with creating the rule, not copy/pasting information in that is not helpful.
 
ipfw(8)

Code:
     addr: [not] {any | me | me6 | table(number[,value]) | addr-list |
             addr-set}

     any     matches any IP address.

     me      matches any IP address configured on an interface in the system.

Code:
The absence of a particular option may be denoted with a `!'.

Now think along those lines and try something like '! me' instead of 'any'.
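As an added worked example (not posted by anyone in this thread and not taken from the handbook or rc.firewall), here is what the hint above looks like when put into an rc.firewall-style script: the OPEN/NAT rules from the first post are kept, and one extra rule drops anything arriving on the outside interface whose destination is one of the gateway's own addresses, matched with the `me` keyword from ipfw(8). The interface name re0 and the natd divert port 8668 are taken from the thread; the `FWCMD` variable follows the `${fwcmd}` convention of rc.firewall and defaults to `echo ipfw` so the script only prints the rules unless you set it to the real `ipfw` binary on the gateway (as root). Everything else in it is an assumption made for this example.

```shell
#!/bin/sh
# Added example: ipfw ruleset for a NAT gateway that refuses direct access to
# itself from the outside interface. Not the thread's or FreeBSD's own code.
# Constructed assumptions: re0 is the external interface, natd listens on
# divert port 8668 (both as in the thread), and any LAN interface is not re0.

FWCMD="${FWCMD:-echo ipfw}"      # set FWCMD=/sbin/ipfw on the gateway to apply
OIF="${OIF:-re0}"                # outside interface
NATD_PORT="${NATD_PORT:-8668}"   # natd divert port

# Emit the ruleset through ${FWCMD}. With the default FWCMD this prints the
# exact ipfw commands, which is handy for reviewing the rule order first.
gateway_rules() {
    ${FWCMD} -f flush

    # Sessions the gateway itself opens (DNS, ntp, pkg fetches) are tracked
    # with keep-state BEFORE the divert rule: their source is already a public
    # address, so they need no NAT, and replies to them are accepted by
    # check-state without ever reaching the "deny ... to me" rule below.
    # Packets forwarded for LAN hosts still have a private source address here,
    # so "from me" does not match them and they continue on to NAT.
    ${FWCMD} add 00030 check-state
    ${FWCMD} add 00040 allow ip from me to any out via ${OIF} keep-state

    # Unchanged from the OPEN ruleset in the original post.
    ${FWCMD} add 00050 divert ${NATD_PORT} ip4 from any to any via ${OIF}
    ${FWCMD} add 00100 allow ip from any to any via lo0
    ${FWCMD} add 00200 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 00300 deny ip from 127.0.0.0/8 to any

    # The actual fix. After natd has run, a packet meant for an internal host
    # carries that host's private address as destination, so "me" does not
    # match it and it is forwarded by rule 65000 as before. A packet that is
    # still addressed to the gateway itself is dropped (and logged, if
    # net.inet.ip.fw.verbose=1). Traffic from the LAN side is unaffected
    # because the rule is limited to "in via re0".
    ${FWCMD} add 00400 deny log ip from any to me in via ${OIF}

    ${FWCMD} add 65000 allow ip from any to any
}

# Stand-alone run: print (or, with FWCMD=/sbin/ipfw, install) the rules.
gateway_rules
```

Review the printed output before pointing `FWCMD` at the real binary, and keep a console or LAN-side session open when loading it remotely, since rule 00400 also closes ssh on the public address; ssh from inside the network still reaches the gateway through the final allow rule. To allow selected services from outside (say ssh from one known address), add an `allow tcp from <that address> to me 22 in via re0 setup keep-state` rule numbered below 00400.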
 