diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index ff8bded1e3..661346b124 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -2039,7 +2039,7 @@ pif="dc0" # interface name of NIC attached to Internet The next rule allows the packet through if it matches an existing entry in the dynamic rules table: - $cmd 00015 check-state + $cmd 00101 check-state The next set of rules defines which stateful connections internal systems can create to hosts on the Internet: 
@@ -2157,52 +2157,45 @@ pif="dc0" # interface name of NIC attached to Internet IPFW to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers - can connect to the Internet using IP + can connect to the Internet using a single IP address. To do this, the &os; machine connected to the Internet - must act as a gateway. This gateway machine must have two - NICs: one connects to the Internet router - and the other connects to a LAN. All the - machines on the LAN are connected through - a hub or switch. - - Each machine and interface behind the - LAN should be assigned - IP addresses in the private network space, + must act as a gateway. This system must have two + NICs, where one is connected to the Internet + and the other is connected to the internal LAN. All the + machines connected to the LAN should be assigned + an IP addresses in the private network space, as defined by RFC - 1918, and have a default gateway of the - &man.natd.8; machine's internal IP + 1918, and have their default gateway set to the + &man.natd.8; system's internal IP address. Some additional configuration is needed in order to activate the NAT function of IPFW. If the system has a custom kernel, the kernel configuration file needs to include - option IPDIVERT with the other + option IPDIVERT along with the other IPFIREWALL options. 
- To enable firewall and NAT support at + To enable NAT support at boot time, the following must be in /etc/rc.conf: - gateway_enable="YES" # enables the gateway function -natd_enable="YES" # enables the NAT function -natd_interface="rl0" # specify interface name of NIC attached to Internet -natd_flags="-dynamic -m" # -m = preserve port numbers if possible + gateway_enable="YES" # enables the gateway +natd_enable="YES" # enables NAT +natd_interface="rl0" # specify interface name of NIC attached to Internet +natd_flags="-dynamic -m" # -m = preserve port numbers; additional options are listed in &man.natd.8; - It is also possible to use a configuration file for - &man.natd.8; when there are too many options to pass. In - this case, the configuration file must be defined by adding - the following line to - /etc/rc.conf: + It is also possible to specify a configuration file which + contains the options to pass to &man.natd.8;: natd_flags="-f /etc/natd.conf" - A list of configuration options, one per line, can be - added to /etc/natd.conf. For + The specified file must contain a list of configuration + options, one per line. For example: redirect_port tcp 192.168.0.2:6667 6667 
@@ -2212,18 +2205,50 @@ redirect_port tcp 192.168.0.3:80 80 consult &man.natd.8;. - Utilizing stateful rules with a divert - natd rule complicates the ruleset logic. The - positioning of the check-state, and - divert natd rules in the ruleset is - critical and a new action type is used, called - skipto. When using - skipto, it is mandatory that each rule is - numbered, so that the skipto rule knows + Next, add the NAT rules to the firewall + ruleset. When the rulest contains stateful rules, the + positioning of the NAT rules is + critical and the skipto action is used. + The + skipto action requires a rule number + so that it knows which rule to jump to. - The following is an uncommented example of a ruleset - which explains the sequence of the packet flow. + The following example builds upon the firewall ruleset + shown in the previous section. It adds some additional + entries and modifies some existing rules in order to configure + the firewall for NAT. It starts by + adding some additional variables which represent the rule + number to skip to, the keep-state option, + and a list of TCP ports which will be + used to reduce the number of rules: + + #!/bin/sh +cmd="ipfw -q add" +skip="skipto 500" +pif=rl0 +ks="keep-state" +good_tcpo="22,25,37,43,53,80,443,110,119" + +ipfw -q -f flush + + The NAT rule is inserted + after the two rules which allow all + traffic on the trusted internal interface and on the loopback + interface and before the + check-state rule. 
It is important that the + rule number selected for the NAT rule, in + this example 100, is higher than the first + two rules and lower than the check-state + rule: + + $cmd 005 allow all from any to any via xl0 # exclude LAN traffic +$cmd 010 allow all from any to any via lo0 # exclude loopback traffic + +# NAT any inbound packets +$cmd 100 divert natd ip from any to any in via $pif +# Allow the packet through if it has an existing entry in the dynamic rules table +$cmd 101 check-state The processing flow starts with the first rule from the top of the ruleset and progresses one rule at a time until @@ -2290,24 +2315,7 @@ redirect_port tcp 192.168.0.3:80 80 NATing and released to the outbound interface. - Example Ruleset #1: - - #!/bin/sh -cmd="ipfw -q add" -skip="skipto 500" -pif=rl0 -ks="keep-state" -good_tcpo="22,25,37,43,53,80,443,110,119" - -ipfw -q -f flush - -$cmd 002 allow all from any to any via xl0 # exclude LAN traffic -$cmd 003 allow all from any to any via lo0 # exclude loopback traffic - -$cmd 100 divert natd ip from any to any in via $pif -$cmd 101 check-state - -# Authorized outbound packets +# Authorized outbound packets $cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks $cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks 
@@ -2335,168 +2343,7 @@ ipfw -q -f flush # This is skipto location for outbound stateful rules $cmd 500 divert natd ip from any to any out via $pif -$cmd 510 allow ip from any to any - -######################## end of rules ################## - - The next example is functionally equivalent, but uses - descriptive comments to help the inexperienced IPFW rule - writer to better understand what the rules are doing. - - Example Ruleset #2: - - #!/bin/sh -################ Start of IPFW rules file ############################### -# Flush out the list before we begin. -ipfw -q -f flush - -# Set rules command prefix -cmd="ipfw -q add" -skip="skipto 800" -pif="rl0" # public interface name of NIC - # facing the public Internet - -################################################################# -# No restrictions on Inside LAN Interface for private network -# Change xl0 to your LAN NIC interface name -################################################################# -$cmd 005 allow all from any to any via xl0 - -################################################################# -# No restrictions on Loopback Interface -################################################################# -$cmd 010 allow all from any to any via lo0 - -################################################################# -# check if packet is inbound and nat address if it is -################################################################# -$cmd 014 divert natd ip from any to any in via $pif - -################################################################# -# Allow the packet through if it has previous been added to the -# the "dynamic" rules table by a allow keep-state statement. 
-################################################################# -$cmd 015 check-state - -################################################################# -# Interface facing Public Internet (Outbound Section) -# Check session start requests originating from behind the -# firewall on the private network or from this gateway server -# destined for the public Internet. -################################################################# - -# Allow out access to my ISP's Domain name server. -# x.x.x.x must be the IP address of your ISP's DNS -# Dup these lines if your ISP has more than one DNS server -# Get the IP addresses from /etc/resolv.conf file -$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state - - -# Allow out access to my ISP's DHCP server for cable/DSL configurations. -$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state - -# Allow out non-secure standard www function -$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state - -# Allow out secure www function https over TLS SSL -$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state - -# Allow out send & get email function -$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state -$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state - -# Allow out FreeBSD (make install & CVSUP) functions -# Basically give user root "GOD" privileges. 
-$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root - -# Allow out ping -$cmd 080 $skip icmp from any to any out via $pif keep-state - -# Allow out Time -$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state - -# Allow out nntp news (i.e., news groups) -$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state - -# Allow out secure FTP, Telnet, and SCP -# This function is using SSH (secure shell) -$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state - -# Allow out whois -$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state - -# Allow ntp time server -$cmd 130 $skip udp from any to any 123 out via $pif keep-state - -################################################################# -# Interface facing Public Internet (Inbound Section) -# Check packets originating from the public Internet -# destined for this gateway server or the private network. -################################################################# - -# Deny all inbound traffic from non-routable reserved address spaces -$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP -$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP -$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP -$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback -$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback -$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config -$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs -$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast - -# Deny ident -$cmd 315 deny tcp from any to any 113 in via $pif - -# Deny all Netbios service. 137=name, 138=datagram, 139=session -# Netbios is MS/Windows sharing services. 
-# Block MS/Windows hosts2 name server requests 81 -$cmd 320 deny tcp from any to any 137 in via $pif -$cmd 321 deny tcp from any to any 138 in via $pif -$cmd 322 deny tcp from any to any 139 in via $pif -$cmd 323 deny tcp from any to any 81 in via $pif - -# Deny any late arriving packets -$cmd 330 deny all from any to any frag in via $pif - -# Deny ACK packets that did not match the dynamic rule table -$cmd 332 deny tcp from any to any established in via $pif - -# Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it is the only -# authorized source to send this packet type. -# Only necessary for cable or DSL configurations. -# This rule is not needed for 'user ppp' type connection to -# the public Internet. This is the same IP address you captured -# and used in the outbound section. -$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state - -# Allow in standard www function because I have Apache server -$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 - -# Allow in secure FTP, Telnet, and SCP from public Internet -$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 - -# Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID & PW are passed over public -# Internet as clear text. -# Delete this sample group if you do not have telnet server enabled. 
-$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 - -# Reject & Log all unauthorized incoming connections from the public Internet -$cmd 400 deny log all from any to any in via $pif - -# Reject & Log all unauthorized out going connections to the public Internet -$cmd 450 deny log all from any to any out via $pif - -# This is skipto location for outbound stateful rules -$cmd 800 divert natd ip from any to any out via $pif -$cmd 801 allow ip from any to any - -# Everything else is denied by default -# deny and log all packets that fell through to see what they are -$cmd 999 deny log all from any to any -################ End of IPFW rules file ############################### +$cmd 510 allow ip from any to any Port Redirection
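Review bot: the hunk at @@ -2039 renumbers only the check-state rule (00015 to 00101) in the stateful-ruleset example; the rules preceding it in that section are not visible here and must still carry numbers lower than 00101, and any prose in that section that names rule 00015 needs the same update. The new number matches the 100/101 pair used for divert natd and check-state in the NAT example later in this patch, which looks like the intent, so please confirm the surrounding numbers were changed consistently.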
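Review bot: grammar in the rewritten gateway paragraph (@@ -2157): "should be assigned an IP addresses in the private network space" mixes singular and plural; use "an IP address". The rest of the tightened wording (single IP address, one NIC to the Internet and one to the internal LAN, default gateway set to the natd system's internal address) reads well.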
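Review bot: in the rc.conf listing the comment on the natd_flags line now reads "# -m = preserve port numbers; additional options are listed in &man.natd.8;". If that line is inside the programlisting, the &man.natd.8; entity expands to citerefentry markup inside a verbatim block, which renders oddly; use the plain text natd(8) there, or drop it since the prose after the natd.conf example already says "consult &man.natd.8;".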
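Review bot: typo in the new paragraph at @@ -2212: "When the rulest contains stateful rules" should read "ruleset", and the sentence "The skipto action requires a rule number so that it knows which rule to jump to" is broken across lines with "The" standing alone, so rewrap it. On the example itself: the text says the NAT rule number must be higher than the first two rules and lower than check-state, and the listing uses 100 and 101; it would help to state that the two are kept adjacent on purpose so that no other rule can be inserted between divert natd and check-state, since a rule landing between them would see un-translated inbound packets. Also note that rule 005 hard-codes xl0 for the LAN interface while the Internet interface is parameterised as $pif=rl0; a comment or variable for the LAN NIC would keep the example consistent.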
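Review bot: the hunk at @@ -2335 deletes Example Ruleset #2 in full, and with it the only commented explanation of several inbound defensive rules: the deny of RFC 1918, loopback, 0.0.0.0/8, link-local and multicast sources arriving on $pif, the deny of fragments, the deny of tcp "established" packets that did not match the dynamic table, the "limit src-addr 2" on inbound services, and the final "deny log all" catch-all at 999. The retained ruleset is not visible here between rule 125 and rule 450, so please confirm it still carries equivalent inbound rules, or move the rationale from those comments into the prose; otherwise the handbook loses its documented reasoning for dropping unsolicited inbound traffic on the NAT gateway. The removal and re-addition of "$cmd 510 allow ip from any to any" is whitespace only and fine.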