FreeBSD Bugzilla – Attachment 28859 Details for
Bug 48366
Update to Dialup firewalling with FreeBSD...
[patch] file.diff (text/plain), 6.49 KB, created by Sean Chittenden on 2003-02-17 10:50:14 UTC

Description: file.diff
Filename: file.diff
MIME Type: text/plain
Creator: Sean Chittenden
Created: 2003-02-17 10:50:14 UTC
Size: 6.49 KB
patch, obsolete
>Index: article.sgml >=================================================================== >RCS file: /home/ncvs/doc/en_US.ISO8859-1/articles/dialup-firewall/article.sgml,v >retrieving revision 1.26 >diff -u -r1.26 article.sgml >--- article.sgml 2 Feb 2003 01:36:40 -0000 1.26 >+++ article.sgml 17 Feb 2003 07:25:45 -0000 >@@ -64,6 +64,17 @@ > </varlistentry> > > <varlistentry> >+ <term><literal>options IPFW2</literal></term> >+ >+ <listitem> >+ <para>Enables the new version of IPFW.</para> >+ <important><para>Only do this if you're running FreeBSD 4.X, >+ this is the default in newer versions of >+ FreeBSD.</para></important> >+ </listitem> >+ </varlistentry> >+ >+ <varlistentry> > <term><literal>options IPFIREWALL_VERBOSE</literal></term> > > <listitem> >@@ -152,7 +163,7 @@ > ppp_nat="YES" > ppp_profile="<replaceable>profile</replaceable>"</programlisting> > >- <para>If so, you will need to specifically disable >+ <para>If so, you will need to specifically disable > <literal>ppp_nat</literal> by making sure you have > <literal>ppp_nat="NO"</literal> in <filename>/etc/rc.conf</filename>. You will > also need to remove any <literal>nat enable yes</literal> or 
>@@ -161,15 +172,15 @@ > </sect1> > > <sect1 id="rules"> >- <title>The ruleset for the firewall</title> >+ <title>The rule set for the firewall</title> > > <para>We are nearly done now. All that remains now is to define > the firewall rules and then we can reboot and the firewall > should be up and running. I realize that everyone will want >- something slightly different when it comes to their rulebase. >- What I have tried to do is write a rulebase that suits most dialup >+ something slightly different when it comes to their rule base. >+ What I have tried to do is write a rule base that suits most dialup > users. You can obviously modify it to your needs by using the >- following rules as the foundation for your own rulebase. First, >+ following rules as the foundation for your own rule base. First, > let's start with the basics of closed firewalling. What you > want to do is deny everything by default and then only open up > for the things you really need. Rules should be in the order of >@@ -187,13 +198,7 @@ > <para>Now, let's look at a sample firewall file, that is commented > nicely.</para> > >- <programlisting># Firewall rules >-# Written by Marc Silver (marcs@draenor.org) >-# http://draenor.org/ipfw >-# Freely distributable >- >- >-# Define the firewall command (as in /etc/rc.firewall) for easy >+ <programlisting># Define the firewall command (as in /etc/rc.firewall) for easy > # reference. Helps to make it easier to read. > fwcmd="/sbin/ipfw" 
> >@@ -203,41 +208,35 @@ > # Divert all packets through the tunnel interface. > $fwcmd add divert natd all from any to any via tun0 > >-# Allow all data from my network card and localhost. Make sure you >-# change your network card (mine was fxp0) before you reboot. :) >-$fwcmd add allow ip from any to any via lo0 >-$fwcmd add allow ip from any to any via fxp0 >- >-# Allow all connections that I initiate. >-$fwcmd add allow tcp from any to any out xmit tun0 setup >+# Allow all connections that have dynamic rules built for them, >+# but deny established connections that don't have a dynamic rule. >+# See ipfw(8) for details. >+$fwcmd add check-state >+$fwcmd add deny tcp from any to any established >+ >+# Allow all localhost connections >+$fwcmd add allow tcp from me to any out via lo0 setup keep-state >+$fwcmd add deny tcp from me to any out via lo0 >+$fwcmd add allow ip from me to any out via lo0 keep-state >+ >+# Allow all connections from my network card that I initiate >+$fwcmd add allow tcp from me to any out xmit any setup keep-state >+$fwcmd add deny tcp from me to any >+$fwcmd add allow ip from me to any out xmit any keep-state > >-# Once connections are made, allow them to stay open. >-$fwcmd add allow tcp from any to any via tun0 established >- >-# Everyone on the internet is allowed to connect to the following >+# Everyone on the Internet is allowed to connect to the following > # services on the machine. This example specifically allows connections >-# to ssh and apache. >-$fwcmd add allow tcp from any to any 80 setup >-$fwcmd add allow tcp from any to any 22 setup >+# to sshd and a webserver. >+$fwcmd add allow tcp from any to me dst-port 22,80 in recv any setup keep-state > > # This sends a RESET to all ident packets. >-$fwcmd add reset log tcp from any to any 113 in recv tun0 >- >-# Allow outgoing DNS queries ONLY to the specified servers. 
>-$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0 >- >-# Allow them back in with the answers... :) >-$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0 >- >-# Allow ICMP (for ping and traceroute to work). You may wish to >-# disallow this, but I feel it suits my needs to keep them in. >-$fwcmd add allow icmp from any to any >+$fwcmd add reset log tcp from any to me 113 in recv any > > # Deny all the rest. > $fwcmd add deny log ip from any to any</programlisting> > > <para>You now have a fully functional firewall that will allow on >- connections to ports 80 and 22 and will log any other connection >+ connections to ports 22 and 80 and will log any other connection > attempts. Now, you should be able to safely reboot and your firewall > should come up fine. If you find this incorrect in anyway or experience > any problems, or have any suggestions to improve this page, please >@@ -254,7 +253,7 @@ > you could be using the built in &man.ppp.8; > filters?</para> > </question> >- >+ > <answer> > <para>I will have to be honest and say there is no definitive > reason why I use <command>ipfw</command> and >@@ -323,7 +322,7 @@ > > <answer> > <para>This tutorial assumes that you are running >- <emphasis>userland-ppp</emphasis>, therefore the supplied ruleset >+ <emphasis>userland-ppp</emphasis>, therefore the supplied rule set > operates on the <devicename>tun0</devicename> interface, which > corresponds to the first connection made with &man.ppp.8; (a.k.a. > <emphasis>user-ppp</emphasis>). Additional connections would use >@@ -336,7 +335,7 @@ > <devicename>tun0</devicename> for > <devicename>ppp0</devicename>. A quick way to edit the > firewall rules to reflect this change is shown below. The >- original ruleset is backed up as >+ original rule set is backed up as > <filename>fwrules_tun0</filename>.</para> > > <screen> &prompt.user; <userinput>cd /etc/firewall</userinput>
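Review bot: In the @@ -64,6 +64,17 @@ hunk, the <important> note for `options IPFW2` is a comma splice and never says why a 4.X reader needs the option; the rewritten rule set later in this patch is the reason, so tie the two together, e.g. `Only do this if you are running FreeBSD 4.X; it is the default in newer versions of FreeBSD, and the rule set below depends on it.`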
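Review bot: In the @@ -187,13 +198,7 @@ hunk, the header lines removed from the sample file (`# Written by Marc Silver (marcs@draenor.org)`, `# http://draenor.org/ipfw`, `# Freely distributable`) are the original author's attribution and redistribution terms, and neither the patch nor the attachment description explains dropping them. Either keep them (with the rule set now substantially rewritten, a "based on rules by" line would also be accurate) or state the reason for the removal in the commit message.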
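Review bot: In the @@ -203,41 +208,35 @@ hunk, the new rule set blocks traffic forwarded from the LAN: the `divert natd all from any to any via tun0` rule is kept and `$fwcmd add allow ip from any to any via fxp0` is removed, but every remaining allow rule is qualified with `from me` or `to me`, so a packet arriving on the inside interface from another host on the network (neither from nor to one of the firewall's own addresses) matches nothing and falls through to `$fwcmd add deny log ip from any to any`. Either restore an allow for the inside interface or say in the article that this rule set is for a stand-alone dialup host with no LAN behind it. Second, removing `$fwcmd add allow icmp from any to any` without a replacement means the ICMP time-exceeded replies that `traceroute` depends on come from intermediate routers with no dynamic rule and are logged and denied by the final rule; allow the needed ICMP types or drop the claim in the removed comment that ping and traceroute keep working. Finally, while reordering `ports 80 and 22` to `ports 22 and 80`, the adjacent `will allow on connections` reads as a typo for `allow only connections`.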