Hello,
this is just a simple solution, not a complete firewall configuration. You
should really read more about the basics before you trust your filtering
rules:
> Example 4, does not work
>
> ipfwadm -I -p deny
> ipfwadm -O -p deny
This will stop the system from accepting or sending packets. The incoming
and outgoing rules are checked before/after the forwarding rules. Incoming,
you have to allow packets with the right source address on the internal
interface, and deny packets with the wrong source address on the external
interface:
ipfwadm -I -a accept -W eth0 -S 555.666.777.0/24
ipfwadm -I -a deny -W eth1 -S 555.666.777.0/24 -o # spoofed
ipfwadm -I -a accept -W eth1 -S 0/0
Outgoing, you have to allow only the masqueraded packets:
ipfwadm -O -a accept -W eth0 -S 555.666.777.1 -D 555.666.777.0/24
ipfwadm -O -a deny -W eth1 -S 555.666.777.0/24 # prevent leakage
ipfwadm -O -a deny -W eth1 -D 555.666.777.0/24 # prevent leakage
ipfwadm -O -a accept -W eth1 -S 111.222.333.1 -D 0/0
(notice: the order of the rules is important here)
> ipfwadm -F -p deny
> ipfwadm -F -a accept -b -S 555.666.777.0/24 -D 111.222.333.444
> ipfwadm -F -a accept -b -S 555.555.777.0/24 -D 111.222.333.444
> ipfwadm -F -a masquerade -b -S 555.666.777.0/24 -D 111.222.333.444
This does not do what you want. If you accept in a forwarding rule, the
packet will be forwarded without rewriting. This is the right way:
ipfwadm -F -p deny
ipfwadm -F -a accept -m -b -S 555.666.777.0/24 -D 111.222.333.444
Greetings
Bernd
BTW: instead of deny policy add an additional rule like:
ipfwadm {-I,-O,-F} -a deny -S0/0 -D0/0 -o
which will deny AND log all the denied packets (at least this is good for
testing).
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy
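To check the rule order before trusting it, here is an added example (not part of the post above) that replays the -I and -O rules through a toy first-match evaluator with ipfwadm semantics (first matching rule decides, otherwise the chain policy). It substitutes constructed RFC 5737 documentation addresses for the post's placeholders: 192.0.2.0/24 for the internal net, 192.0.2.1 for the gateway's eth0 address, 198.51.100.1 for its external eth1 address.

```python
# Toy first-match evaluator for the ipfwadm -I / -O rules from the post.
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's placeholder addresses (RFC 5737):
# 192.0.2.0/24 = internal net, 192.0.2.1 = gateway on eth0,
# 198.51.100.1 = gateway's external address on eth1.

def rule(action, iface, src="0.0.0.0/0", dst="0.0.0.0/0", log=False):
    """One rule: -a action -W iface -S src -D dst [-o]; 0/0 means any."""
    return {"action": action, "iface": iface, "log": log,
            "src": ip_network(src), "dst": ip_network(dst)}

# ipfwadm -I chain (policy deny): anti-spoofing on the external interface.
INPUT_RULES = [
    rule("accept", "eth0", src="192.0.2.0/24"),
    rule("deny", "eth1", src="192.0.2.0/24", log=True),   # spoofed
    rule("accept", "eth1"),
]

# ipfwadm -O chain (policy deny): only masqueraded packets may leave eth1.
OUTPUT_RULES = [
    rule("accept", "eth0", src="192.0.2.1", dst="192.0.2.0/24"),
    rule("deny", "eth1", src="192.0.2.0/24"),              # prevent leakage
    rule("deny", "eth1", dst="192.0.2.0/24"),              # prevent leakage
    rule("accept", "eth1", src="198.51.100.1"),
]

def evaluate(chain, policy, iface, src, dst):
    """ipfwadm semantics: the first matching rule decides, else the policy."""
    s, d = ip_address(src), ip_address(dst)
    for r in chain:
        if r["iface"] == iface and s in r["src"] and d in r["dst"]:
            return r["action"]
    return policy

def check_input(iface, src, dst):
    return evaluate(INPUT_RULES, "deny", iface, src, dst)

def check_output(iface, src, dst):
    return evaluate(OUTPUT_RULES, "deny", iface, src, dst)

def spoof_check_with_accept_first():
    """Same -I rules with the catch-all accept moved to the front: the
    spoofed packet now gets through, which is why the order matters."""
    reordered = [INPUT_RULES[2], INPUT_RULES[0], INPUT_RULES[1]]
    return evaluate(reordered, "deny", "eth1", "192.0.2.10", "198.51.100.1")

if __name__ == "__main__":
    print(check_input("eth1", "192.0.2.10", "198.51.100.1"))   # deny (spoofed)
    print(check_output("eth1", "192.0.2.10", "203.0.113.5"))   # deny (leak)
    print(spoof_check_with_accept_first())                     # accept
```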