Re: Help with ipfwadm rules :(

Glynn Clements (glynn@sensei.co.uk)
Sun, 14 Mar 1999 17:56:28 +0000 (GMT)


Eduardo Röhr wrote:

> # Variables
> export ANY="0.0.0.0/0"
> export INET="-W ppp0"
> export LETH="-W eth0"
> export LNET="172.16.0.0/16"
> export FWALL="172.16.3.3/32"
> export INET_IP="$4"
> export OpenNewConn="-y"
> export ConnEstablished="-k"
>
> /sbin/ipfwadm -I -f # flush existing input rules
> /sbin/ipfwadm -O -f # flush existing output rules
> /sbin/ipfwadm -F -f # flush existing forwarding rules
>
> # Set default policy to DENY
> #/sbin/ipfwadm -I -p deny
> #/sbin/ipfwadm -O -p deny
> #/sbin/ipfwadm -F -p deny

NOTE: Don't `deny' ident (auth) packets. Either `accept' or `reject'
them, otherwise outbound connections are likely to hang until the
corresponding ident connection times out (typically 189 seconds on
Linux).

Also, configuring output (-O) rules is usually a waste of time, unless
you really need to control who the router itself can talk to.

> # Internal traffic is OK
> /sbin/ipfwadm -F -a accept $LETH -S $LNET -D $LNET
> /sbin/ipfwadm -I -a accept $LETH -S $LNET -D $LNET
> /sbin/ipfwadm -O -a accept $LETH -S $LNET -D $LNET

This looks odd. Note that -W/-V apply to the inbound interface for -I
but to the outbound interface for -F and -O.

> # DNS queries
> /sbin/ipfwadm -I -a accept $INET -P tcp -D $INET_IP -S $ANY domain
> /sbin/ipfwadm -I -a accept $INET -P udp -D $INET_IP -S $ANY domain

Note that BIND 8.* doesn't use port 53 for queries by default; it uses
an ephemeral port, unless explicitly set using the `query-source'
option.

Try logging all denied/rejected packets, and adding a catch-all deny
rule to the end of the list. This may provide some clues as to what
else you need to accept.

-- 
Glynn Clements <glynn@sensei.co.uk>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu