IPFW & M$ VPN

Frankus frankus at rulez.cz
Wed Aug 13 15:40:51 CEST 2003


Zdravim Vas!
Potrebuji se nyni pripojit do prace pres MS VPNku, nicmene nedari se mi 
navazat spojeni. Odjinud to jde, takze chyba je evidentne na me strane.
MS VPN pouziva specialni protokol GRE, ktery neni ani TCP ani UDP (jde o 
samostatny IP protokol). Otazka zni, jak navazu spojeni na klientovi, ktery je za 
FreeBSD routerem s ipfw, jehoz skript je uveden nize.
Dekuji vsem za reakce

# Path to the ipfw binary used by every rule below.
# Point it at "echo" instead to dry-run and print the rules rather than load them.
fwcmd=/sbin/ipfw
#fwcmd=echo

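#######################################
# Build a single command string in the global $cmd: $1 is copied verbatim,
# every further argument is wrapped in single quotes so a later eval of $cmd
# sees exactly one word per argument.
# A single quote inside a value is rewritten as '\'' so it survives the eval;
# the previous version left it bare, which broke the quoting for such values.
# Arguments: $1   - command name (not quoted)
#            $2.. - arguments to quote
# Globals:   cmd (written); q, head, rest (scratch)
#######################################
build_cmd()
{
cmd="$1"
shift
for v in "$@"
    do
    # Copy $v into $q piece by piece, replacing each ' with '\''
    q=
    rest=$v
    while [ -n "$rest" ]
        do
        case $rest in
            *\'*)
                head=${rest%%\'*}
                rest=${rest#*\'}
                q="$q$head'\\''"
                ;;
            *)
                q="$q$rest"
                rest=
                ;;
        esac
    done
    cmd="$cmd '$q'"
done
}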

#######################################
# Run one ipfw command for every external interface.
# The literal token DEV in the arguments is replaced by the interface name
# before the command is evaluated.
# Globals:   fwcmd, all_externals (read); cmd (written through build_cmd)
# Arguments: ipfw arguments, with DEV standing for the interface
#######################################
fwcmd_e ()
{
build_cmd $fwcmd "$@"

for e in $all_externals
    do
    rendered=$(echo "$cmd" | sed -e "s/DEV/$e/g")
    # eval re-parses the rendered string, so arguments must not carry shell
    # metacharacters; every caller in this file passes literal ipfw words.
    eval $rendered
done
}

#######################################
# Run one ipfw command for every internal interface.
# The literal token DEV in the arguments is replaced by the interface name
# before the command is evaluated.
# Globals:   fwcmd, all_internals (read); cmd (written through build_cmd)
# Arguments: ipfw arguments, with DEV standing for the interface
#######################################
fwcmd_i ()
{
build_cmd $fwcmd "$@"

for i in $all_internals
    do
    rendered=$(echo "$cmd" | sed -e "s/DEV/$i/g")
    # eval re-parses the rendered string, so arguments must not carry shell
    # metacharacters; every caller in this file passes literal ipfw words.
    eval $rendered
done
}

# Interfaces on the trusted (internal) side; lo0 is treated as internal too
all_internals='xl0 lo0'
# Interfaces facing the cable modem / tunnel (untrusted side)
all_externals='de0 tun0'

# natd divert port for each external interface (natd_<ifname>);
# a name is presumably resolved by ipfw via /etc/services, a number is used as-is
natd_de0=natd
natd_tun0=8669

# Force a flushing of the current rules before we reload.
# NOTE: between this flush and the final deny rule only ipfw's kernel default
# rule applies; what that default does depends on how the kernel was built.
$fwcmd -f flush

# Let me talk to the BY modem's web status page
fwcmd_e add allow all from any to 192.168.100.1 via DEV

# Don't let non routable IP packets leak out
for nonroute in 10.0.0.0/8 172.31.0.0/16 192.168.0.0/16
    do
    fwcmd_e add deny log all from any to $nonroute via DEV
done

# Divert all packets through the natted interfaces
# Only interfaces with a natd_<ifname> variable set get a divert rule; the
# internal interfaces have none above, so the loop skips them.
for e in $all_externals $all_internals
    do
    eval "port=\$natd_$e"
    [ -z "$port" ] || $fwcmd add divert $port all from any to any via "$e"
done

# Allow all data from my network card and localhost. 
fwcmd_i add allow all from any to any via DEV

#Line to allow BY Cable modem to respond to traceroute
fwcmd_e add allow icmp from 10.124.192.1 to any via DEV
#BY modem web status page
fwcmd_e add allow all from 192.168.100.1 to any via DEV

# Don't let non routable IPs get in (probably spoofed)
for nonroute in 10.0.0.0/8 172.31.0.0/16 192.168.0.0/16
    do
    fwcmd_e add deny log all from $nonroute to any via DEV
done

# Allow all connections that I initiate.
fwcmd_e add allow tcp from any to any out xmit DEV setup

# Once connections are made, allow them to stay open.
fwcmd_e add allow tcp from any to any via DEV established

# NOTE(review): the tcp rules above are the only ones covering the VPN; nothing
# in this ruleset allows IP protocol 47 (GRE), which the MS VPN session needs
# alongside its tcp control connection, so GRE in both directions ends at the
# "deny log ip" rules near the bottom.  An explicit rule placed here, e.g.
#   fwcmd_e add allow gre from any to any via DEV
# would be needed (confirm that "gre" resolves via /etc/protocols, otherwise
# use the protocol number 47); for a client behind NAT, natd must translate
# GRE as well - verify that separately.

# Everyone on the internet is allowed to connect to the following
# services on the machine. Remove # from those you want
# NOTE: these rules are not bound to an interface, so they accept setups from
# every side; restricting ssh to known source addresses would reduce exposure.
$fwcmd add allow tcp from any to any http setup
#$fwcmd add allow tcp from any to any ftp setup
$fwcmd add allow tcp from any to any ssh setup
#$fwcmd add allow tcp from any to any smtp setup

# This sends a RESET to all ident packets.
fwcmd_e add reset log tcp from any to any ident in recv DEV

# Allow outgoing DNS queries
fwcmd_e add allow udp from any to any domain out xmit DEV keep-state

# Allow them back in with the answers...  :)
# (The keep-state above already tracks the reply; this stateless rule also
# admits any unsolicited UDP packet whose source port is domain.)
fwcmd_e add allow udp from any domain to any in recv DEV

# time synchronisation
fwcmd_e add allow udp from any to any ntp out xmit DEV keep-state

# dhcp
# "pass" is the same action as "allow"
$fwcmd add pass udp from any to any bootpc keep-state

fwcmd_e add allow udp from any to any bootps out xmit DEV
fwcmd_e add allow udp from any bootps to any in recv DEV

# traceroute
$fwcmd add allow log udp from any to any 33434-33499 out

# Igmp from CM, No one seems to know if this is necessary, so I
# let it in.
fwcmd_e add allow igmp from 192.168.100.1 to any in via DEV

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
# NOTE: this admits every ICMP type from every direction; limiting it with
# icmptypes to the types ping/traceroute need would tighten it.
$fwcmd add allow icmp from any to any

# Deny and log setups from outside, just deny the rest of the attempt
fwcmd_e add deny log tcp from any to any in via DEV setup
$fwcmd add deny tcp from any to any

# Deny and log non tcp from outside
# This is the rule that drops inbound non-tcp traffic not allowed above.
fwcmd_e add deny log ip from any to any in via DEV

# Deny all the rest.
# Explicit number keeps this just ahead of ipfw's built-in default rule.
$fwcmd add 65435 deny log ip from any to any

-- 
**************************
/// fr at nku$ \\\
mailto: frankus at rulez.cz
http://frankus.rulez.cz
**************************




