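#!/bin/sh
#
# Firewall configuration file
# $Id$
# Generated by: dotfile ipfwadm
#
# ipfwadm (Linux 2.0-era) rule set for a masquerading gateway: dial-up ISP on
# ppp0 with a dynamic address, private LAN 192.168.124.0/24 on eth0.
# Rules are checked in the order they are added; the per-chain policy set
# below applies to every packet no rule matched.
#
# NOTE(review): the variables below hold whole option groups (e.g. "-W ppp0")
# and are deliberately used UNQUOTED so the shell splits them into separate
# ipfwadm arguments. Quoting them would break every rule.
#
#---------->General Settings<----------
# General settings
# dialup ISP via PPP, dynamic IP address
# Initialization
# Define some variables to make things a bit clearer below
# Any system anywhere
export ANY="0.0.0.0/0"
# The Internet connection
export INET="-W ppp0"
# The local network port (defined for reference; no rule below uses it)
export LETH="-V 192.168.124.4 -W eth0"
# The local network
export LNET="192.168.124.4/255.255.255.0"
# The firewall (this system on the local network; no rule below uses it)
export FWALL="192.168.124.4/32"
# The firewall's Internet address (if known or determinable).
# The dial-up address is dynamic, so this is left as "any": rules that use
# it match every address, not just this host.
export INET_IP="$ANY"
# Some ipfwadm flags for the TCP protocol
export OpenNewConn="-y"          # match only connection-opening packets (unused below)
export ConnEstablished="-k"      # match only packets with ACK set (replies)
# Reset to known state
/sbin/ipfwadm -I -f # flush existing input rules
/sbin/ipfwadm -O -f # flush existing output rules
/sbin/ipfwadm -F -f # flush existing forwarding rules
# Set default policy
# CAUTION: all three chains default to ACCEPT, so this is a blacklist
# firewall -- only the explicit deny/reject rules below block anything, and
# the explicit "accept" rules further down have no effect while the policy
# stays accept. A default of "deny" is the safer design, but it would need
# additional accept rules (at least DNS/UDP, ICMP and the masqueraded reply
# ports) and is therefore not changed here.
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -O -p accept
/sbin/ipfwadm -F -p accept
#---------->ISP Settings<----------
# ISP settings
# Anti-Spoofing: a packet arriving on ppp0 must not claim a local source
/sbin/ipfwadm -I -a deny $INET -S $LNET
# Loopback sources must never arrive from the Internet either; with the
# input policy at accept nothing else would stop them.
/sbin/ipfwadm -I -a deny $INET -S 127.0.0.0/8
# per RFC1597 (since superseded by RFC1918, https://www.rfc-editor.org/rfc/rfc1918)
# the following private network addresses must not be routed to or from the
# Internet, in either direction, on the ppp0 link:
/sbin/ipfwadm -O -a deny $INET -S 10.0.0.0/8
/sbin/ipfwadm -O -a deny $INET -D 10.0.0.0/8
/sbin/ipfwadm -I -a deny $INET -S 10.0.0.0/8
/sbin/ipfwadm -I -a deny $INET -D 10.0.0.0/8
/sbin/ipfwadm -O -a deny $INET -S 172.16.0.0/12
/sbin/ipfwadm -O -a deny $INET -D 172.16.0.0/12
/sbin/ipfwadm -I -a deny $INET -S 172.16.0.0/12
/sbin/ipfwadm -I -a deny $INET -D 172.16.0.0/12
/sbin/ipfwadm -O -a deny $INET -S 192.168.0.0/16
/sbin/ipfwadm -O -a deny $INET -D 192.168.0.0/16
/sbin/ipfwadm -I -a deny $INET -S 192.168.0.0/16
/sbin/ipfwadm -I -a deny $INET -D 192.168.0.0/16
#---------->IP Masquerade Settings<----------
# IP-Masq settings
# Load the masquerade support modules for certain services
# (left disabled; the /usr/X11R6/bin/modprobe path looks unusual --
# /sbin/modprobe is the normal location -- verify before enabling)
#/usr/X11R6/bin/modprobe ip_masq_cuseeme
#/usr/X11R6/bin/modprobe ip_masq_ftp
#/usr/X11R6/bin/modprobe ip_masq_irc
#/usr/X11R6/bin/modprobe ip_masq_raudio
#/usr/X11R6/bin/modprobe ip_masq_vdolive
# Block forwarding certain traffic that shouldn't go out anyway
# reject rather than deny, to aid troubleshooting (sender gets an ICMP error)
/sbin/ipfwadm -F -a reject -S $LNET -D $LNET
/sbin/ipfwadm -F -a reject -S $LNET -D 10.0.0.0/8
/sbin/ipfwadm -F -a reject -S $LNET -D 172.16.0.0/12
/sbin/ipfwadm -F -a reject -S $LNET -D 192.168.0.0/16
# Masquerade 192.168.124.3
# Default masquerade policy is allow - block the listed services for 192.168.124.3
# Masquerade 192.168.124.2
# Default masquerade policy is allow - block the listed services for 192.168.124.2
# Global masquerade rules
# Default masquerade policy is allow - block the listed services for all computers
# Global masquerade policy
# Default masquerade policy is allow
# Everything forwarded from the LAN out over ppp0 that survived the rejects
# above is masqueraded behind the ppp0 address.
/sbin/ipfwadm -F -a masquerade $INET -S $LNET -D $ANY
#---------->Deny/Services (Per-Host, Internet Hosts)<----------
#---------->Deny/Services (Per-Host, Local Hosts)<----------
# Per-Local-Host Service Blocking
# Masquerading is in use. Hosts on the local net will be controlled through
# the masquerade options.
#---------->Allow/Services (Per-Host, Internet Hosts)<----------
#---------->Allow/Services (Per-Host, Local Hosts)<----------
# Per-Local-Host Services Allowed
# Masquerading is in use. Hosts on the local net will be controlled through
# the masquerade options.
#---------->Deny/Services (Global)<----------
#---------->Allow/Services (Global)<----------
# Global Services Allowed
# allow anyone on the local net to request any well-known tcp port from any Internet host
# (redundant while the default policy is accept; kept so that a switch to a
# deny policy keeps outbound TCP and its ACK-flagged replies working)
/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY 1:1024
/sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY 1:1024
#---------->Placeholder<----------
# Default Internet Policy
# allow traceroute to send packets to the Internet (same caveat as above)
/sbin/ipfwadm -O -a accept $INET -P udp -S $INET_IP -D $ANY 33434:33523
#
# End of Firewall Configuration
# Optional auto-forward entries (disabled); they would punch inbound holes
# through the masquerade for UDP 7648/7649, so enable only if needed.
#/sbin/ipautofw -F # Clears out any old auto-forward entries
#/sbin/ipautofw -A -v -d udp 7648 7649 -c udp 7648
#/sbin/ipautofw -A -v -d udp 7648 7649 -h 192.168.124.3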
____________________________________________________
I'm not sure what the problem can be now.
Thanks Russell
On 20-May-97 Taner Halicioglu wrote:
>On Tue, 20 May 1997 rkn@intellinet.com wrote:
>
>> eth0 Link encap:Ethernet HWaddr 00:20:78:10:14:BE
>> inet addr:192.168.124.4 Bcast:192.168.124.255 Mask:255.255.255.0
>
>192.168.0.0 -> 192.168.255.0 are reserved nets (not routed by the
>outside world)...
>
>I'm assuming you are running IP Masq. on your linux box or somesuch?
>Otherwise I'm not in the least bit surprised she can't see the outside
>world :-)
>
> -Taner
>--
> D. Taner Halicioglu taner@isi.net
> Programmer/Engineer/Sysadmin Internet Systems, Inc.
> Voice: +1 408 543 0313 Fax: +1 408 541 9878
> PGP Fingerprint: 65 0D 03 A8 26 21 6D B8 23 3A D6 67 23 6E C0 36
>
----------------------------------
E-Mail: rkn@intellinet.com
Date: 20-May-97
Time: 12:54:06
-------------------------------------
RKN can do all of your web and graphics needs
call (501) 221-1207 or E-mail for more information
or visit us at http://www.hubble.com/Design
-------------------------------------