Re: IPFW

From: Robert Martin-Legène (none@robert+bsd-dk--martin-legene.dk.lh.bsd-dk.dk)
Date: Tue 20 Sep 2005 - 15:12:41 CEST

Next message: Anders Reinhardt Hansen: "Re: Erfaringer med WRAP fra pcengines.ch(Soekris agtigt)"
Previous message: Simon Østengaard: "Re: Anbefalinger til VPN koncentrator"
In reply to: Djonez: "IPFW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Date: Tue, 20 Sep 2005 15:12:41 +0200
From: Robert Martin-Legène <none@robert+bsd-dk--martin-legene.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: Re: IPFW

On Tue, Sep 20, 2005 at 01:48:27PM +0200, Djonez wrote:
> Jeg har fået tilføjet en virtual ip, et alias til mit netkort.
> Men jeg kan ikke rigtigt komme igennem til ip’en og bruge den pga IPFW.
> Hvordan sætter man alias op i den?

rc.firewall virker kun til generelt simple løsninger. Hvis du skal lave
mere avancerede ting, så skal du selv sætte dig ind i den mere præcise
virkemåde af ipfw-regelsæt.

Min simplificerede opsætning for en maskine med et par IP-numre er vist
nedenfor. firewall.rules er et shell script som bliver køre "isf
rc.firewall", så chown root og chmod 700

robert@warden$ grep fire /etc/rc.conf
firewall_enable=YES
firewall_script="/etc/firewall.rules"

root@warden$ grep $spændende_ting /etc/firewall.rules
#!/bin/sh

fwcmd=ipfw
admin=192.168.1.0/24
warden=192.168.157.1
cvsup=192.168.157.2

$fwcmd -f flush
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8
$fwcmd add 300 deny ip from 127.0.0.0/8 to any
$fwcmd add 500 check-state
# dns for me
$fwcmd add 600 permit tcp from me to any 53 out setup keep-state
$fwcmd add 610 permit udp from me to any 53 out keep-state
# 1000-1999 : hoved-server
$fwcmd add 1000 permit tcp from $admin to $warden 22 in keep-state
$fwcmd add 1010 deny tcp from any to $warden 22 in
$fwcmd add 1030 permit tcp from $warden to $admin 25 out setup keep-state
$fwcmd add 1999 deny ip from any to $warden
# 3000-3999 : cvsup jail
$fwcmd add 3000 permit tcp from $admin to $cvsup 22 in keep-state
$fwcmd add 3010 deny tcp from any to $cvsup 22 in
$fwcmd add 3020 permit tcp from any to $cvsup cvsup in setup keep-state
$fwcmd add 3022 permit tcp from $cvsup to any cvsup out setup keep-state
$fwcmd add 3030 permit tcp from $cvsup to $admin 25 out setup keep-state
$fwcmd add 3999 deny ip from any to $cvsup

ovenstående er rettet til i hånden, så måske virker det ikke 100%, men
sammenlign med manualsiden og så burde det give mening.

-- robert

application/pgp-signature attachment: stored

Next message: Anders Reinhardt Hansen: "Re: Erfaringer med WRAP fra pcengines.ch(Soekris agtigt)"
Previous message: Simon Østengaard: "Re: Anbefalinger til VPN koncentrator"
In reply to: Djonez: "IPFW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:52 CET