|
Lines 4492-4498
|
| 4492 |
<sect3> |
4492 |
<sect3> |
| 4493 |
<title>Port Redirection</title> |
4493 |
<title>Port Redirection</title> |
| 4494 |
<para>An very common practice is to have a web server, email |
4494 |
<para>An very common practice is to have a web server, email |
| 4495 |
server, database server and DNS sever each segregated to a |
4495 |
server, database server and DNS server each segregated to a |
| 4496 |
different PC on the LAN. In this case the traffic from these |
4496 |
different PC on the LAN. In this case the traffic from these |
| 4497 |
servers still have to be <acronym>NAT</acronym>ed, but there has to be some way |
4497 |
servers still have to be <acronym>NAT</acronym>ed, but there has to be some way |
| 4498 |
to direct the inbound traffic to the correct LAN PC's. IP<acronym>NAT</acronym> |
4498 |
to direct the inbound traffic to the correct LAN PC's. IP<acronym>NAT</acronym> |
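Review bot: the typo fix at 4495 ("sever" to "server") is right, but 4494 still opens with "An very common practice", which should be "A very common practice", and 4497 has a subject-verb mismatch: "the traffic from these servers still have to be" should read "still has to be". 4498 also uses "LAN PC's" as a plural; suggest "LAN PCs".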
|
Lines 4518-4524
|
| 4518 |
<sect3> |
4518 |
<sect3> |
| 4519 |
<title>FTP and <acronym>NAT</acronym></title> |
4519 |
<title>FTP and <acronym>NAT</acronym></title> |
| 4520 |
<para>FTP is a dinosaur left over from the time before the |
4520 |
<para>FTP is a dinosaur left over from the time before the |
| 4521 |
Internet as it is know today, when research universities were |
4521 |
Internet as it is known today, when research universities were |
| 4522 |
leased lined together and FTP was used to share files among |
4522 |
leased lined together and FTP was used to share files among |
| 4523 |
research Scientists. This was a time when data security was |
4523 |
research Scientists. This was a time when data security was |
| 4524 |
not even an idea yet. Over the years the FTP protocol became |
4524 |
not even an idea yet. Over the years the FTP protocol became |
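Review bot: "know" to "known" at 4521 is correct, but two neighbouring lines keep the same class of problem: 4522 "leased lined together" reads badly, suggest "linked together by leased lines"; 4523 capitalises "Scientists" mid-sentence, suggest lower case.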
|
Lines 4720-4726
|
| 4720 |
|
4720 |
|
| 4721 |
<sect3> |
4721 |
<sect3> |
| 4722 |
<title><filename>/etc/rc.conf</filename> Options</title> |
4722 |
<title><filename>/etc/rc.conf</filename> Options</title> |
| 4723 |
<para>If you don't have IPFW compliled into your kernel you will |
4723 |
<para>If you don't have IPFW compiled into your kernel you will |
| 4724 |
need to load it with the following statement in your |
4724 |
need to load it with the following statement in your |
| 4725 |
<filename>/etc/rc.conf</filename>:</para> |
4725 |
<filename>/etc/rc.conf</filename>:</para> |
| 4726 |
|
4726 |
|
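Review bot: the spelling fix at 4723 is fine, but the same line keeps the contraction "don't" while the other hunks in this change expand "It's" to "It is" (5048, 5445, 5462, 5468). For consistency suggest "If you do not have IPFW compiled into your kernel".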
|
Lines 5045-5051
|
| 5045 |
administrator decides what rules in the rule set he wants to |
5045 |
administrator decides what rules in the rule set he wants to |
| 5046 |
log and adds the log verb to those rules. Normally only deny |
5046 |
log and adds the log verb to those rules. Normally only deny |
| 5047 |
rules are logged. Like the deny rule for incoming <acronym>ICMP</acronym> |
5047 |
rules are logged. Like the deny rule for incoming <acronym>ICMP</acronym> |
| 5048 |
pings. It's very customary to duplicate the ipfw default |
5048 |
pings. It is very customary to duplicate the ipfw default |
| 5049 |
deny everything rule with the log verb included as your |
5049 |
deny everything rule with the log verb included as your |
| 5050 |
last rule in the rule set. This way you get to see all the |
5050 |
last rule in the rule set. This way you get to see all the |
| 5051 |
packets that did not match any of the rules in the rule set.</para> |
5051 |
packets that did not match any of the rules in the rule set.</para> |
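Review bot: 5047 is a sentence fragment that the hunk leaves in place: "Normally only deny rules are logged. Like the deny rule for incoming ICMP pings." Suggest joining them: "Normally only deny rules are logged, such as the deny rule for incoming ICMP pings." On 5048, "very customary" can simply be "customary".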
|
Lines 5221-5228
|
| 5221 |
<title>An Example Inclusive Ruleset</title> |
5221 |
<title>An Example Inclusive Ruleset</title> |
| 5222 |
<para>The following non-<acronym>NAT</acronym>ed rule set is a complete inclusive |
5222 |
<para>The following non-<acronym>NAT</acronym>ed rule set is a complete inclusive |
| 5223 |
type ruleset. You can not go wrong using this rule set for |
5223 |
type ruleset. You can not go wrong using this rule set for |
| 5224 |
you own. Just comment out any pass rules for services to |
5224 |
you own. Just comment out any pass rules for services you |
| 5225 |
don't want. If you see messages in your log that you want to |
5225 |
do not want. If you see messages in your log that you want to |
| 5226 |
stop seeing just add a deny rule in the inbound section. You |
5226 |
stop seeing just add a deny rule in the inbound section. You |
| 5227 |
have to change the 'dc0' interface name in every rule to the |
5227 |
have to change the 'dc0' interface name in every rule to the |
| 5228 |
interface name of the NIC that connects your system to the |
5228 |
interface name of the NIC that connects your system to the |
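Review bot: the fix at 5224-5225 ("services to don't want" to "services you do not want") still leaves "for you own" at the start of 5224, which should be "for your own". 5223 should also read "You cannot go wrong". Minor: 5222-5223 spell the term both "rule set" and "ruleset" within one sentence; pick one.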
|
Lines 5442-5448
|
| 5442 |
top of the rule file and progress one rule at a time deeper |
5442 |
top of the rule file and progress one rule at a time deeper |
| 5443 |
into the file until the end is reach or the packet being |
5443 |
into the file until the end is reach or the packet being |
| 5444 |
tested to the selection criteria matches and the packet is |
5444 |
tested to the selection criteria matches and the packet is |
| 5445 |
released out of the firewall. It's important to take notice |
5445 |
released out of the firewall. It is important to take notice |
| 5446 |
of the location of rule numbers 100 101, 450, 500, and 510. |
5446 |
of the location of rule numbers 100 101, 450, 500, and 510. |
| 5447 |
These rules control the translation of the outbound and |
5447 |
These rules control the translation of the outbound and |
| 5448 |
inbound packets so their entries in the keep-state dynamic |
5448 |
inbound packets so their entries in the keep-state dynamic |
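Review bot: 5443 still reads "until the end is reach"; should be "reached". 5446 is missing a comma in the list of rule numbers: "100 101, 450, 500, and 510" should be "100, 101, 450, 500, and 510". Since 5445 is already being touched for "It's" to "It is", these belong in the same change.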
|
Lines 5459-5471
|
| 5459 |
it is headed out not in. It passes rule 101 because this is |
5459 |
it is headed out not in. It passes rule 101 because this is |
| 5460 |
the first packet so it has not been posted to the keep-state |
5460 |
the first packet so it has not been posted to the keep-state |
| 5461 |
dynamic table yet. The packet finally comes to rule 125 a |
5461 |
dynamic table yet. The packet finally comes to rule 125 a |
| 5462 |
matches. It's outbound through the NIC facing the public |
5462 |
matches. It is outbound through the NIC facing the public |
| 5463 |
Internet. The packet still has it's source IP address as a |
5463 |
Internet. The packet still has it's source IP address as a |
| 5464 |
private Lan IP address. On the match to this rule, two |
5464 |
private Lan IP address. On the match to this rule, two |
| 5465 |
action take place. The keep-state option will post this rule |
5465 |
actions take place. The keep-state option will post this rule |
| 5466 |
into the keep-state dynamic rules table and the specified |
5466 |
into the keep-state dynamic rules table and the specified |
| 5467 |
action is executed. The action is part of the info posted to |
5467 |
action is executed. The action is part of the info posted to |
| 5468 |
the dynamic table. In this case it's "skipto rule 500". Rule |
5468 |
the dynamic table. In this case it is "skipto rule 500". Rule |
| 5469 |
500 <acronym>NAT</acronym>s the packet IP address and out it goes. Remember |
5469 |
500 <acronym>NAT</acronym>s the packet IP address and out it goes. Remember |
| 5470 |
this, this is very important. This packet makes it's way to |
5470 |
this, this is very important. This packet makes it's way to |
| 5471 |
the destination and returns and enters the top of the rule |
5471 |
the destination and returns and enters the top of the rule |
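Review bot: this hunk fixes "action take place" at 5465 and "it's" to "it is" at 5462 and 5468, but misses the possessive misuse of "it's" at 5463 ("The packet still has it's source IP address") and 5470 ("This packet makes it's way"), both of which should be "its". 5461 also still reads "comes to rule 125 a matches"; suggest "comes to rule 125 and matches". 5464 "private Lan IP address" should be "LAN", matching the spelling at 4496.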
|
Lines 5477-5483
|
| 5477 |
packet is sent requesting another segment of the data from |
5477 |
packet is sent requesting another segment of the data from |
| 5478 |
the remote server. This time it gets checked by the |
5478 |
the remote server. This time it gets checked by the |
| 5479 |
check-state rule and it's outbound entry is found, the |
5479 |
check-state rule and it's outbound entry is found, the |
| 5480 |
associated action, 'skipto 500', is executed. the packet |
5480 |
associated action, 'skipto 500', is executed. The packet |
| 5481 |
jumps to rule 500 gets <acronym>NAT</acronym>ed and released on it's way out. |
5481 |
jumps to rule 500 gets <acronym>NAT</acronym>ed and released on it's way out. |
| 5482 |
</para> |
5482 |
</para> |
| 5483 |
|
5483 |
|
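Review bot: the capitalisation fix at 5480 is fine, but 5479 ("it's outbound entry is found") and 5481 ("released on it's way out") both keep the possessive "it's"; should be "its". 5481 also needs punctuation: "jumps to rule 500, gets NATed, and is released on its way out".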
|
Lines 5552-5558
|
| 5552 |
|
5552 |
|
| 5553 |
######################## end of rules ################## |
5553 |
######################## end of rules ################## |
| 5554 |
</programlisting> |
5554 |
</programlisting> |
| 5555 |
<para>The following is pretty much the same as above but, uses |
5555 |
<para>The following is pretty much the same as above, but uses |
| 5556 |
a self documenting coding style full of description comments |
5556 |
a self documenting coding style full of description comments |
| 5557 |
to help the inexperienced IPFW rule writer to better |
5557 |
to help the inexperienced IPFW rule writer to better |
| 5558 |
understand what the rules are doing.</para> |
5558 |
understand what the rules are doing.</para> |
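Review bot: the comma move at 5555 is correct. 5556 should hyphenate "self-documenting", and "description comments" should read "descriptive comments".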