|
Lines 64-69
|
| 64 |
</varlistentry> |
64 |
</varlistentry> |
| 65 |
|
65 |
|
| 66 |
<varlistentry> |
66 |
<varlistentry> |
|
|
67 |
<term><literal>options IPFW2</literal></term> |
| 68 |
|
| 69 |
<listitem> |
| 70 |
<para>Enables the new version of IPFW.</para> |
| 71 |
<important><para>Only do this if you're running FreeBSD 4.X, |
| 72 |
this is the default in newer versions of |
| 73 |
FreeBSD.</para></important> |
| 74 |
</listitem> |
| 75 |
</varlistentry> |
| 76 |
|
| 77 |
<varlistentry> |
| 67 |
<term><literal>options IPFIREWALL_VERBOSE</literal></term> |
78 |
<term><literal>options IPFIREWALL_VERBOSE</literal></term> |
| 68 |
|
79 |
|
| 69 |
<listitem> |
80 |
<listitem> |
|
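Review bot: the new <important> note at lines 71-73 is a comma splice and uses a contraction, which the FreeBSD documentation style avoids; suggest `Only do this if you are running FreeBSD 4.X; it is the default in newer versions of FreeBSD.` It would also help to say why the option matters for this tutorial: the rewritten rule set later in this patch uses `dst-port 22,80` (line 230), which as far as I know is ipfw2 syntax, so on 4.X the option is required for the rules below rather than merely recommended.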
Lines 152-158
|
| 152 |
ppp_nat="YES" |
163 |
ppp_nat="YES" |
| 153 |
ppp_profile="<replaceable>profile</replaceable>"</programlisting> |
164 |
ppp_profile="<replaceable>profile</replaceable>"</programlisting> |
| 154 |
|
165 |
|
| 155 |
<para>If so, you will need to specifically disable |
166 |
<para>If so, you will need to specifically disable |
| 156 |
<literal>ppp_nat</literal> by making sure you have |
167 |
<literal>ppp_nat</literal> by making sure you have |
| 157 |
<literal>ppp_nat="NO"</literal> in <filename>/etc/rc.conf</filename>. You will |
168 |
<literal>ppp_nat="NO"</literal> in <filename>/etc/rc.conf</filename>. You will |
| 158 |
also need to remove any <literal>nat enable yes</literal> or |
169 |
also need to remove any <literal>nat enable yes</literal> or |
|
Lines 161-175
|
| 161 |
</sect1> |
172 |
</sect1> |
| 162 |
|
173 |
|
| 163 |
<sect1 id="rules"> |
174 |
<sect1 id="rules"> |
| 164 |
<title>The ruleset for the firewall</title> |
175 |
<title>The rule set for the firewall</title> |
| 165 |
|
176 |
|
| 166 |
<para>We are nearly done now. All that remains now is to define |
177 |
<para>We are nearly done now. All that remains now is to define |
| 167 |
the firewall rules and then we can reboot and the firewall |
178 |
the firewall rules and then we can reboot and the firewall |
| 168 |
should be up and running. I realize that everyone will want |
179 |
should be up and running. I realize that everyone will want |
| 169 |
something slightly different when it comes to their rulebase. |
180 |
something slightly different when it comes to their rule base. |
| 170 |
What I have tried to do is write a rulebase that suits most dialup |
181 |
What I have tried to do is write a rule base that suits most dialup |
| 171 |
users. You can obviously modify it to your needs by using the |
182 |
users. You can obviously modify it to your needs by using the |
| 172 |
following rules as the foundation for your own rulebase. First, |
183 |
following rules as the foundation for your own rule base. First, |
| 173 |
let's start with the basics of closed firewalling. What you |
184 |
let's start with the basics of closed firewalling. What you |
| 174 |
want to do is deny everything by default and then only open up |
185 |
want to do is deny everything by default and then only open up |
| 175 |
for the things you really need. Rules should be in the order of |
186 |
for the things you really need. Rules should be in the order of |
|
Lines 187-199
|
| 187 |
<para>Now, let's look at a sample firewall file, that is commented |
198 |
<para>Now, let's look at a sample firewall file, that is commented |
| 188 |
nicely.</para> |
199 |
nicely.</para> |
| 189 |
|
200 |
|
| 190 |
<programlisting># Firewall rules |
201 |
<programlisting># Define the firewall command (as in /etc/rc.firewall) for easy |
| 191 |
# Written by Marc Silver (marcs@draenor.org) |
|
|
| 192 |
# http://draenor.org/ipfw |
| 193 |
# Freely distributable |
| 194 |
|
| 195 |
|
| 196 |
# Define the firewall command (as in /etc/rc.firewall) for easy |
| 197 |
# reference. Helps to make it easier to read. |
202 |
# reference. Helps to make it easier to read. |
| 198 |
fwcmd="/sbin/ipfw" |
203 |
fwcmd="/sbin/ipfw" |
| 199 |
|
204 |
|
|
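Review bot: lines 190-195 drop the author attribution (`# Written by Marc Silver`, `# http://draenor.org/ipfw`) and the `# Freely distributable` notice from the sample rule set. If the sample was taken from draenor.org under that notice, confirm that the author agreed to the removal or that the document's own copyright and legal notice covers the listing before merging; otherwise keep at least the attribution comment.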
Lines 203-243
|
| 203 |
# Divert all packets through the tunnel interface. |
208 |
# Divert all packets through the tunnel interface. |
| 204 |
$fwcmd add divert natd all from any to any via tun0 |
209 |
$fwcmd add divert natd all from any to any via tun0 |
| 205 |
|
210 |
|
| 206 |
# Allow all data from my network card and localhost. Make sure you |
211 |
# Allow all connections that have dynamic rules built for them, |
| 207 |
# change your network card (mine was fxp0) before you reboot. :) |
212 |
# but deny established connections that don't have a dynamic rule. |
| 208 |
$fwcmd add allow ip from any to any via lo0 |
213 |
# See ipfw(8) for details. |
| 209 |
$fwcmd add allow ip from any to any via fxp0 |
214 |
$fwcmd add check-state |
| 210 |
|
215 |
$fwcmd add deny tcp from any to any established |
| 211 |
# Allow all connections that I initiate. |
216 |
|
| 212 |
$fwcmd add allow tcp from any to any out xmit tun0 setup |
217 |
# Allow all localhost connections |
|
|
218 |
$fwcmd add allow tcp from me to any out via lo0 setup keep-state |
| 219 |
$fwcmd add deny tcp from me to any out via lo0 |
| 220 |
$fwcmd add allow ip from me to any out via lo0 keep-state |
| 221 |
|
| 222 |
# Allow all connections from my network card that I initiate |
| 223 |
$fwcmd add allow tcp from me to any out xmit any setup keep-state |
| 224 |
$fwcmd add deny tcp from me to any |
| 225 |
$fwcmd add allow ip from me to any out xmit any keep-state |
| 213 |
|
226 |
|
| 214 |
# Once connections are made, allow them to stay open. |
227 |
# Everyone on the Internet is allowed to connect to the following |
| 215 |
$fwcmd add allow tcp from any to any via tun0 established |
|
|
| 216 |
|
| 217 |
# Everyone on the internet is allowed to connect to the following |
| 218 |
# services on the machine. This example specifically allows connections |
228 |
# services on the machine. This example specifically allows connections |
| 219 |
# to ssh and apache. |
229 |
# to sshd and a webserver. |
| 220 |
$fwcmd add allow tcp from any to any 80 setup |
230 |
$fwcmd add allow tcp from any to me dst-port 22,80 in recv any setup keep-state |
| 221 |
$fwcmd add allow tcp from any to any 22 setup |
|
|
| 222 |
|
231 |
|
| 223 |
# This sends a RESET to all ident packets. |
232 |
# This sends a RESET to all ident packets. |
| 224 |
$fwcmd add reset log tcp from any to any 113 in recv tun0 |
233 |
$fwcmd add reset log tcp from any to me 113 in recv any |
| 225 |
|
|
|
| 226 |
# Allow outgoing DNS queries ONLY to the specified servers. |
| 227 |
$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0 |
| 228 |
|
| 229 |
# Allow them back in with the answers... :) |
| 230 |
$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0 |
| 231 |
|
| 232 |
# Allow ICMP (for ping and traceroute to work). You may wish to |
| 233 |
# disallow this, but I feel it suits my needs to keep them in. |
| 234 |
$fwcmd add allow icmp from any to any |
| 235 |
|
234 |
|
| 236 |
# Deny all the rest. |
235 |
# Deny all the rest. |
| 237 |
$fwcmd add deny log ip from any to any</programlisting> |
236 |
$fwcmd add deny log ip from any to any</programlisting> |
| 238 |
|
237 |
|
| 239 |
<para>You now have a fully functional firewall that will allow on |
238 |
<para>You now have a fully functional firewall that will allow on |
| 240 |
connections to ports 80 and 22 and will log any other connection |
239 |
connections to ports 22 and 80 and will log any other connection |
| 241 |
attempts. Now, you should be able to safely reboot and your firewall |
240 |
attempts. Now, you should be able to safely reboot and your firewall |
| 242 |
should come up fine. If you find this incorrect in anyway or experience |
241 |
should come up fine. If you find this incorrect in anyway or experience |
| 243 |
any problems, or have any suggestions to improve this page, please |
242 |
any problems, or have any suggestions to improve this page, please |
|
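Review bot: removing `$fwcmd add allow ip from any to any via fxp0` (old line 209) without a replacement for forwarded traffic looks like a regression. Every remaining allow rule matches `from me` or `to me`, and `me` only matches the firewall's own addresses, so if the `divert natd all from any to any via tun0` rule at line 209 is there to share the link with hosts on fxp0, their packets arriving on fxp0 now fall through to `deny log ip from any to any` before natd ever sees them. Either add a keep-state allow for the LAN's source network inbound on fxp0 (with a `<replaceable>` placeholder, as the old DNS rules did), or state in the prose that this rule set is for a single host. Second, the unconditional `allow icmp from any to any` (old lines 232-234) disappears silently: `allow ip from me to any out xmit any keep-state` covers the host's own pings, but ICMP sent by intermediate routers (destination unreachable / fragmentation needed, time exceeded) never matches a dynamic rule and will now be logged and dropped, which breaks path-MTU discovery and traceroute on a PPP link; something like `$fwcmd add allow icmp from any to me in recv any icmptypes 3,11` would keep those working. Finally, the paragraph at lines 238 and 241 still reads `allow on connections` and `in anyway`; these should be `allow only connections` and `in any way`.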
Lines 254-260
|
| 254 |
you could be using the built in &man.ppp.8; |
253 |
you could be using the built in &man.ppp.8; |
| 255 |
filters?</para> |
254 |
filters?</para> |
| 256 |
</question> |
255 |
</question> |
| 257 |
|
256 |
|
| 258 |
<answer> |
257 |
<answer> |
| 259 |
<para>I will have to be honest and say there is no definitive |
258 |
<para>I will have to be honest and say there is no definitive |
| 260 |
reason why I use <command>ipfw</command> and |
259 |
reason why I use <command>ipfw</command> and |
|
Lines 323-329
|
| 323 |
|
322 |
|
| 324 |
<answer> |
323 |
<answer> |
| 325 |
<para>This tutorial assumes that you are running |
324 |
<para>This tutorial assumes that you are running |
| 326 |
<emphasis>userland-ppp</emphasis>, therefore the supplied ruleset |
325 |
<emphasis>userland-ppp</emphasis>, therefore the supplied rule set |
| 327 |
operates on the <devicename>tun0</devicename> interface, which |
326 |
operates on the <devicename>tun0</devicename> interface, which |
| 328 |
corresponds to the first connection made with &man.ppp.8; (a.k.a. |
327 |
corresponds to the first connection made with &man.ppp.8; (a.k.a. |
| 329 |
<emphasis>user-ppp</emphasis>). Additional connections would use |
328 |
<emphasis>user-ppp</emphasis>). Additional connections would use |
|
Lines 336-342
|
| 336 |
<devicename>tun0</devicename> for |
335 |
<devicename>tun0</devicename> for |
| 337 |
<devicename>ppp0</devicename>. A quick way to edit the |
336 |
<devicename>ppp0</devicename>. A quick way to edit the |
| 338 |
firewall rules to reflect this change is shown below. The |
337 |
firewall rules to reflect this change is shown below. The |
| 339 |
original ruleset is backed up as |
338 |
original rule set is backed up as |
| 340 |
<filename>fwrules_tun0</filename>.</para> |
339 |
<filename>fwrules_tun0</filename>.</para> |
| 341 |
|
340 |
|
| 342 |
<screen> &prompt.user; <userinput>cd /etc/firewall</userinput> |
341 |
<screen> &prompt.user; <userinput>cd /etc/firewall</userinput> |