Thursday, September 27, 2007

2) Dialup firewalling with FreeBSD (IPFW)

Marc Silver
marcs@draenor.org

Login: root
password: password

Recompile the kernel with these options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN


# ee /etc/rc.conf

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"

ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="your_profile"

Save and Quit [ esc a a ]

# mkdir -p /etc/firewall
# cd /etc/firewall
# ee fwrules


Write the following:

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0

# Allow them back in with the answers... :)
$fwcmd add allow udp from x.x.x.x 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any

# Deny all the rest.
$fwcmd add deny log ip from any to any


Save and Quit [ esc a a ]

# reboot
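A textual sanity check for a ruleset in this format, added here as an example (it is not Marc Silver's script and not part of the original post). It pulls the "$fwcmd add ..." lines out with sed/awk and verifies three first-match invariants that the ruleset above relies on: the natd divert comes before any allow on tun0, there is no unqualified allow-all that would shadow later rules, and the list ends in an explicit deny. SAMPLE_RULES and the function names are constructed for the example; it needs only sh, sed, awk and grep, so it runs without ipfw.

```shell
# Constructed sample ruleset, mirroring the ordering of the fwrules above.
SAMPLE_RULES='$fwcmd -f flush
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add reset log tcp from any to any 113 in recv tun0
$fwcmd add deny log ip from any to any'

# Emit the rule bodies in order (the text after "$fwcmd add"), dropping
# comments, the flush line and blank lines, so each check sees one rule per line.
rule_bodies() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\$fwcmd[[:space:]]\{1,\}add[[:space:]]\{1,\}//p'
}

# Check 1: the ruleset must end in an explicit "deny ... ip from any to any";
# otherwise the policy the kernel was compiled with decides everything unmatched.
has_final_deny() {
    rule_bodies "$1" | tail -n 1 | grep -q '^deny.* ip from any to any$'
}

# Check 2: the natd divert must precede every allow that mentions tun0, or
# inbound packets are judged on their untranslated addresses.
divert_precedes_tun0_allows() {
    rule_bodies "$1" | awk 'BEGIN { seen = 0; bad = 0 }
        /^divert natd/ { seen = 1 }
        /^allow/ && /tun0/ && !seen { bad = 1 }
        END { exit bad }'
}

# Check 3: an "allow ip from any to any" with no interface or direction
# qualifier would shadow every rule after it, including the final deny.
no_unqualified_allow() {
    ! rule_bodies "$1" | grep -q '^allow ip from any to any$'
}

# Run all checks; returns 0 only when the ruleset passes each one.
check_ruleset() {
    has_final_deny "$1" && divert_precedes_tun0_allows "$1" && no_unqualified_allow "$1"
}

# Usage on a real file: check_ruleset "$(cat /etc/firewall/fwrules)" && echo "ruleset OK"
check_ruleset "$SAMPLE_RULES" && echo "sample ruleset OK"
```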