IPFW simple nat with raspberry

Hello, I'm trying to build a very simple firewall with a raspberry pi. I'd like to have some comments.
My network is like the following:
LAPTOP linux ====ue0 ethernet===> RASPBERRY fbsd ====ue1 usb===> IPHONE ios
The following is my /etc/rc.conf
Code:
sshd_enable="NO"
usbmuxd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
netif_enable="YES"
ifconfig_ue1="SYNCDHCP"
ifconfig_ue0="inet 192.168.1.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_flags="ue0"
ntpdate_enable="YES"
mixer_enable="NO"
ntpd_enable="YES"
firewall_enable="YES"
gateway_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"

and the following is my /etc/ipfw.rules
Code:
ipfw -q -f flush
cmd="ipfw -q add "
vif="ue1"                       # WAN side: USB tethering to the iPhone
lan="ue0"                       # LAN side: ethernet to the laptop
skip="skipto 1000"
pub_dns="8.8.8.8"
ipfw disable one_pass           # packets keep traversing the ruleset after the nat action
ipfw -q nat 1 config if $vif same_ports unreg_only reset
$cmd 00010 allow ip from any to any via lo0
$cmd 00011 allow ip from any to any via $lan
$cmd 00099 reass all from any to any in       # reassemble inbound packets
$cmd 00100 nat 1 ip from any to any in via $vif # NAT any inbound packets
$cmd 00101 check-state
# outbound: only these services may leave via $vif; each creates state and jumps to rule 1000 for NAT
$cmd 00110 $skip tcp from any to $pub_dns dst-port 53 out via $vif setup keep-state
$cmd 00111 $skip udp from any to $pub_dns dst-port 53 out via $vif keep-state
$cmd 00120 $skip udp from me 68 to any dst-port 67 out via $vif keep-state
$cmd 00200 $skip tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 $skip tcp from any to any dst-port 443 out via $vif setup keep-state
$cmd 00250 $skip icmp from any to any out via $vif keep-state
$cmd 00270 $skip udp from any to any dst-port 123 out via $vif keep-state
$cmd 00299 deny log ip from any to any out via $vif
# inbound: drop packets with private or bogon source addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny all from 172.16.0.0/12 to any in via $vif      # RFC 1918 private IP; note that ue1 itself is 172.20.10.2/28 (see ifconfig), so this also drops packets sent by the hotspot gateway
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif
$cmd 00310 allow icmp from any to any in via $vif          # evaluated after the bogon rules (ipfw orders by rule number, not file order)
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif
$cmd 00370 allow udp from any 67 to me dst-port 68 in via $vif keep-state
$cmd 999 deny log ip from any to any in via $vif         # everything else inbound is dropped and logged
$cmd 1000 nat 1 ip from any to any out via $vif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any

and this is my ifconfig
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
        ether xx:xx:eb:25:ef:4a
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        groups: ipfw
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether xx:x2:x1:3x:ax:xx
        inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
Yes, it works, but I'm a victim of many attacks and I'd like some comments on whether I can tune something.
 
but I'm a victim of many attacks
What kind of attacks? Note that an internet connection works like a funnel: you can plug the hole at the bottom (firewall), but that's not going to stop the water from overflowing it. Also note that any open connection on the internet will get attacked. There are literally thousands of bots active on the internet doing nothing but scanning for low-hanging fruit.
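The reply's question ("what kind of attacks?") can be answered from the firewall's own records: the two `deny log` rules in the posted ruleset (299 outbound, 999 inbound) log every dropped packet, and with firewall_logging="YES" those lines go through syslog, on a default syslog.conf to /var/log/security. The script below is an added example, not code from the thread or from FreeBSD: a POSIX shell script with two awk-based functions that summarise ipfw deny lines by rule, direction and source address, and flag inbound sources that were denied on several different destination ports (the usual signature of the scanning bots the reply mentions). The log lines embedded in it are constructed in the format ipfw writes (hostname "rpi", addresses from documentation ranges); the function names are my own.

```shell
#!/bin/sh
# Summarise ipfw "Deny" log lines from /var/log/security.
# Real use:  summarize_denies < /var/log/security
#            scan_suspects 3  < /var/log/security

# Constructed sample lines in the ipfw syslog format:
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
SAMPLE_LOG='Jun  1 10:00:01 rpi kernel: ipfw: 999 Deny TCP 203.0.113.5:44321 172.20.10.2:22 in via ue1
Jun  1 10:00:02 rpi kernel: ipfw: 999 Deny TCP 203.0.113.5:44322 172.20.10.2:23 in via ue1
Jun  1 10:00:03 rpi kernel: ipfw: 999 Deny UDP 198.51.100.7:5353 172.20.10.2:5353 in via ue1
Jun  1 10:00:04 rpi kernel: ipfw: 299 Deny TCP 192.168.1.10:50000 1.2.3.4:25 out via ue1
Jun  1 10:00:05 rpi kernel: ipfw: 999 Deny ICMP:8.0 203.0.113.5 172.20.10.2 in via ue1'

# summarize_denies: reads log lines on stdin and prints
# "<count> <rule> <direction> <source-ip>", most frequent first.
summarize_denies() {
    awk '
    /ipfw: [0-9]+ Deny/ {
        # locate the "ipfw:" token; fields after it have a fixed layout
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i + 1); src = $(i + 4); dir = $(i + 6)
        sub(/:[0-9]+$/, "", src)          # strip the source port (ICMP lines have none)
        n[rule " " dir " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# scan_suspects N: inbound sources denied on more than N distinct destination
# ports; prints "<source-ip> <distinct-ports>". Lines without a port (ICMP) are skipped.
scan_suspects() {
    threshold="${1:-1}"
    awk -v t="$threshold" '
    /ipfw: [0-9]+ Deny/ {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if ($(i + 6) != "in") next        # outbound denies are local policy, not scans
        src = $(i + 4); dst = $(i + 5)
        sub(/:[0-9]+$/, "", src)
        if (dst !~ /:[0-9]+$/) next
        port = dst; sub(/^.*:/, "", port)
        if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] > t) print s, ports[s] }' | sort
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 1
```

Counting by rule number separates noise from policy: rule 999 hits are unsolicited inbound traffic the firewall already dropped, while rule 299 hits are the laptop trying to reach a service the outbound whitelist does not allow, which is worth a look because it is either a missing rule or something on the laptop talking to the internet on its own.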
 