IPFW Review of ipfw rules

pyret

Code:
#!/bin/sh

IPFW="/sbin/ipfw"

# anti spoofing rule
"$IPFW" add 10 set 1 drop    log all  from me  to any  in  recv eth0 keep-state  || exit 1
"$IPFW" add 20 set 1 drop    log all  from 192.168.1.0/24  to any  in  recv eth0 keep-state  || exit 1
"$IPFW" add 30 set 1 drop    log all  from 192.168.2.0/24  to any  in  recv eth0 keep-state  || exit 1

# check if incoming packets belong to a natted session, allow through if yes
# (ipfw installs rules by number: 01000 and 01001 will sit after rule 190,
#  not here between rules 30 and 40)
"$IPFW" add 01000 divert natd ip  from any  to me  in  via eth0  || exit 1
"$IPFW" add 01001 check-state  || exit 1
#
"$IPFW" add 40 set 1 permit all  from any  to any      via  lo keep-state  || exit 1
#
# SSH Access to firewall is permitted
# only from internal network

"$IPFW" add 50 set 1 permit tcp  from 192.168.1.0/24  to me 22 in  setup keep-state  || exit 1
#
# Firewall uses one of the machines
# on internal network for DNS

"$IPFW" add 60 set 1 permit tcp  from me  to 192.168.1.10 53 out setup keep-state  || exit 1
"$IPFW" add 70 set 1 permit udp  from me  to 192.168.1.10 53 out keep-state  || exit 1
#
# All other attempts to connect to
# the firewall are denied and logged

"$IPFW" add 80 set 1 drop    log all  from any  to me  in  keep-state  || exit 1
#
# Quickly reject attempts to connect
# to ident server to avoid SMTP delays
"$IPFW" add 90 set 1 reset  tcp  from any  to any 113      || exit 1
#
# Mail relay on DMZ can accept
# connections from hosts on the
# Internet
"$IPFW" add 100 set 1 permit tcp  from any  to 192.168.2.10 25     setup keep-state  || exit 1
#
#
# this rule permits a mail relay
# located on DMZ to connect
# to internal mail server
"$IPFW" add 110 set 1 permit tcp  from 192.168.2.10  to 192.168.1.10 25     setup keep-state  || exit 1
#
# Mail relay needs DNS and can
# connect to mail servers on the
# Internet
"$IPFW" add 120 set 1 skipto 160 tcp  from 192.168.2.10  to 192.168.1.0/24 53,25      || exit 1
"$IPFW" add 130 set 1 skipto 160 udp  from 192.168.2.10  to 192.168.1.0/24 53      || exit 1
"$IPFW" add 140 set 1 permit tcp  from 192.168.2.10  to any 53,25     setup keep-state  || exit 1
"$IPFW" add 150 set 1 permit udp  from 192.168.2.10  to any 53     keep-state  || exit 1
#
# All other access from DMZ to
# internal  net is denied
"$IPFW" add 160 set 1 drop    log all  from 192.168.2.0/24  to 192.168.1.0/24       || exit 1
#
# This permits access from internal net
# to the Internet and DMZ
"$IPFW" add 170 set 1 permit all  from 192.168.1.0/24  to any      keep-state  || exit 1
#
"$IPFW" add 180 set 1 drop    log all  from any  to any       || exit 1
#
# fallback rule
"$IPFW" add 190 set 1 drop   all  from any  to any       || exit 1

I would appreciate if someone could/would review these ipfw rules. I presently run ipf on FreeBSD but would like to move the firewall from a physical machine to a VIMAGE jail, and only ipfw runs inside a jail.

I don't believe ipf has been virtualized to run inside of a jail yet. If so, then I don't need to move to ipfw. If someone knows if ipf now runs inside of a jail, I'd appreciate knowing.

What about NAT rules?
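An added offline check, not part of the post and not an ipfw tool: it reads a script in the style above and reports which `add` lines ipfw will install somewhere other than where the script lists them (the chain is keyed on the rule number, so the 01000/01001 NAT lines land after rule 190) and which rules sit behind the first unconditional drop. It runs on a constructed excerpt of the posted ruleset.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted script (same rule numbers, several rules omitted).
RULESET = '''\
"$IPFW" add 10 set 1 drop    log all  from me  to any  in  recv eth0 keep-state  || exit 1
"$IPFW" add 30 set 1 drop    log all  from 192.168.2.0/24  to any  in  recv eth0 keep-state  || exit 1
add 01000 divert natd ip from any to me in via eth0
add 01001 check-state
"$IPFW" add 40 set 1 permit all  from any  to any      via  lo keep-state  || exit 1
"$IPFW" add 170 set 1 permit all  from 192.168.1.0/24  to any      keep-state  || exit 1
"$IPFW" add 180 set 1 drop    log all  from any  to any       || exit 1
"$IPFW" add 190 set 1 drop   all  from any  to any       || exit 1
'''

# Shape of a line: ["$IPFW"] add NUMBER [set N] ACTION [log] BODY [|| exit 1]
RULE_RE = re.compile(
    r'^\s*(?:"?\$IPFW"?\s+)?add\s+(\d+)'   # rule number, leading zeros allowed
    r'(?:\s+set\s+\d+)?\s+([\w-]+)'        # optional set, then the action keyword
    r'(?:\s+log)?\s*(.*?)\s*(?:\|\|.*)?$'  # optional log, body, trailing shell guard
)
# Body of a deny/drop that matches every packet, any direction, any interface.
CATCH_ALL = re.compile(r'(?:all|ip) from any to any$')


def parse_rules(script: str) -> List[Tuple[int, str, str]]:
    """Return (number, action, body) for each 'add' line, in script order."""
    rules = []
    for line in script.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), " ".join(m.group(3).split())))
    return rules


def audit(script: str) -> Dict[str, List[int]]:
    """Flag rules that ipfw will evaluate in a different place than the script suggests."""
    rules = parse_rules(script)
    numbers = [n for n, _, _ in rules]
    # A line followed by a smaller number is installed further down the chain.
    misplaced = [n for i, n in enumerate(numbers) if any(n > m for m in numbers[i + 1:])]
    # The lowest-numbered unconditional deny ends evaluation for every packet.
    catch_all = min((n for n, a, b in rules
                     if a in ("deny", "drop") and CATCH_ALL.match(b)), default=None)
    unreachable = sorted(n for n in numbers if catch_all is not None and n > catch_all)
    return {"misplaced": misplaced,
            "catch_all": [] if catch_all is None else [catch_all],
            "unreachable": unreachable}


if __name__ == "__main__":
    for key, nums in audit(RULESET).items():
        print(f"{key}: {nums}")
```

On the excerpt it reports rules 1000 and 1001 as misplaced and, because 180 already drops everything, rules 190, 1000 and 1001 as unreachable.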