IPFW & M$ VPN

Frankus frankus at rulez.cz
Wed Aug 13 17:21:42 CEST 2003


Frankus wrote:

> Zdravim Vas!
> Potrebuji se nyni pripojit do prace pres MS VPNku, nicmene nedari se 
> mi navazat spojeni. Odjinud to jde, takze chyba je evidentne na me 
> strane.
> MS VPN pouziva specialni protokol GRE, ktery neodpovida standardum TCP 
> ani UDP. Otazka zni, jak navazu spojeni na klientovi, ktery je za 
> FreeBSD routerem s ipfw, jehoz skript je uveden nize.
> Dekuji vsem za reakce
>
> # Path of the ipfw binary every rule below is handed to.
> fwcmd="/sbin/ipfw"
> # Dry run: uncomment to print each rule on stdout instead of loading it
> # (the flush and the divert rules are printed too).
> #fwcmd=echo
>
> build_cmd()
> {
> # Join $1 (the program) and the remaining arguments into the global
> # string $cmd, wrapping each argument in single quotes so that a later
> # eval of $cmd reads it back as one word.  An argument that itself
> # contains a single quote breaks this quoting; none of the callers in
> # this script passes one.
> cmd=$1
> shift
> while [ $# -gt 0 ]
>    do
>    cmd="$cmd '$1'"
>    shift
> done
> }
>
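> fwcmd_e ()
> {
> # Run "$fwcmd ARGS..." once per external interface, with every argument
> # that is exactly DEV replaced by the interface name.  The argument list
> # is rebuilt with "set --" inside a subshell instead of being re-parsed
> # by eval, so quotes or shell metacharacters inside an argument can never
> # change the command, and DEV embedded in a longer word is left alone --
> # every caller in this script passes DEV as a word of its own
> # ("via DEV", "xmit DEV", "recv DEV").  $fwcmd is expanded unquoted on
> # purpose so a value carrying options (e.g. "ipfw -q") still splits.
> # The subshell keeps the original "$@" intact for the next interface
> # and keeps n/a from leaking into the caller's scope.
> for e in $all_externals
>    do
>    (
>    n=$#
>    while [ "$n" -gt 0 ]
>       do
>       a=$1
>       shift
>       if [ "$a" = DEV ]; then
>          a=$e
>       fi
>       set -- "$@" "$a"
>       n=$((n - 1))
>    done
>    $fwcmd "$@"
>    )
> done
> }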
>
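> fwcmd_i ()
> {
> # Run "$fwcmd ARGS..." once per internal interface, with every argument
> # that is exactly DEV replaced by the interface name.  The argument list
> # is rebuilt with "set --" inside a subshell instead of being re-parsed
> # by eval, so quotes or shell metacharacters inside an argument can never
> # change the command, and DEV embedded in a longer word is left alone --
> # every caller in this script passes DEV as a word of its own.
> # $fwcmd is expanded unquoted on purpose so a value carrying options
> # (e.g. "ipfw -q") still splits.  The subshell keeps the original "$@"
> # intact for the next interface and keeps n/a out of the caller's scope.
> for i in $all_internals
>    do
>    (
>    n=$#
>    while [ "$n" -gt 0 ]
>       do
>       a=$1
>       shift
>       if [ "$a" = DEV ]; then
>          a=$i
>       fi
>       set -- "$@" "$a"
>       n=$((n - 1))
>    done
>    $fwcmd "$@"
>    )
> done
> }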
>
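> # Interface connected to your internal network
> all_internals="xl0 lo0"
> # Interface connected to the cable modem
> all_externals="de0 tun0"
>
> # nat demons for each external interface: natd_<if> holds the divert
> # port (a number or an /etc/services name) of the natd serving <if>.
> # Interfaces without such a variable get no divert rule.
> natd_de0=natd
> natd_tun0=8669
>
> # Force a flushing of the current rules before we reload.
> # While the set is rebuilt only the default rule 65535 (deny) is in
> # force, so a session that runs this script over the network may be cut.
> $fwcmd -f flush
>
> # Let me talk to the BY modem's web status page
> # (must precede the 192.168.0.0/16 deny below, which would otherwise
> # match this address)
> fwcmd_e add allow all from any to 192.168.100.1 via DEV
>
> # Don't let non routable IP packets leak out
> # 172.16.0.0/12 is the whole RFC 1918 block; the earlier 172.31.0.0/16
> # covered only its last /16, leaving 172.16-172.30 unfiltered.
> for nonroute in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
>    do
>    fwcmd_e add deny log all from any to $nonroute via DEV
> done
>
> # Divert all packets through the natted interfaces
> # $port comes from natd_<if>; $e only ever holds names from the two
> # interface lists above, so the eval cannot see foreign input.
> for e in $all_externals $all_internals
>    do
>    eval "port=\$natd_$e"
>    [ -z "$port" ] || $fwcmd add divert $port all from any to any via "$e"
> done
>
> # Allow all data from my network card and localhost.
> # (the command was mangled onto the comment line by mail wrapping; the
> # rules 01100/01200 in the ipfw show output confirm it is its own line)
> fwcmd_i add allow all from any to any via DEV
>
> #Line to allow BY Cable modem to respond to traceroute
> fwcmd_e add allow icmp from 10.124.192.1 to any via DEV
> #BY modem web status page
> fwcmd_e add allow all from 192.168.100.1 to any via DEV
>
> # Don't let non routable IPs get in (probably spoofed)
> for nonroute in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
>    do
>    fwcmd_e add deny log all from $nonroute to any via DEV
> done
>
> # Allow all connections that I initiate.
> fwcmd_e add allow tcp from any to any out xmit DEV setup
>
> # Once connections are made, allow them to stay open.
> # "established" matches any TCP segment with ACK or RST set, in either
> # direction and without consulting state; it is what lets the replies
> # to the setup rule above back in.
> fwcmd_e add allow tcp from any to any via DEV established
>
> # Everyone on the internet is allowed to connect to the following
> # services on the machine. Remove # from those you want
> $fwcmd add allow tcp from any to any http setup
> #$fwcmd add allow tcp from any to any ftp setup
> $fwcmd add allow tcp from any to any ssh setup
> #$fwcmd add allow tcp from any to any smtp setup
>
> # This sends a RESET to all ident packets.
> fwcmd_e add reset log tcp from any to any ident in recv DEV
>
> # Allow outgoing DNS queries
> # keep-state: presumably the answer is admitted by the dynamic rule this
> # creates (ipfw(8): the dynamic set is checked at the first keep-state
> # rule when there is no check-state rule) -- verify on the running box.
> fwcmd_e add allow udp from any to any domain out xmit DEV keep-state
>
> # Allow them back in with the answers...  :)
> # NOTE(review): wider than the stateful rule above -- this admits any
> # inbound UDP whose source port is 53, answer to a query or not.
> fwcmd_e add allow udp from any domain to any in recv DEV
>
> # time synchronisation
> fwcmd_e add allow udp from any to any ntp out xmit DEV keep-state
>
> # dhcp
> $fwcmd add pass udp from any to any bootpc keep-state
>
> fwcmd_e add allow udp from any to any bootps out xmit DEV
> fwcmd_e add allow udp from any bootps to any in recv DEV
>
> # traceroute
> $fwcmd add allow log udp from any to any 33434-33499 out
>
> # Igmp from CM, No one seems to know if this is necessary, so I
> # let it in.
> fwcmd_e add allow igmp from 192.168.100.1 to any in via DEV
>
> # Allow ICMP (for ping and traceroute to work).  You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny and log setups from outside, just deny the rest of the attempt
> fwcmd_e add deny log tcp from any to any in via DEV setup
> $fwcmd add deny tcp from any to any
>
> # Deny and log non tcp from outside
> # NOTE(review): nothing above admits IP protocol 47 (GRE), which PPTP
> # -- the "MS VPN" of this thread -- carries next to its TCP 1723
> # control connection (the setup rule covers that part).  Inbound GRE
> # falls through to this rule and outbound GRE to the final one; the
> # counters on 04900 and 65435 in the ipfw show output are consistent
> # with that.  A rule for proto 47 on the external interface, placed
> # before these denies, is needed for GRE to pass; whether natd also
> # translates GRE for the client behind it is a separate question.
> fwcmd_e add deny log ip from any to any in via DEV
>
> # Deny all the rest.
> $fwcmd add 65435 deny log ip from any to any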
>
ipfw show

00100      0         0 allow ip from any to 192.168.100.1 via de0
00200      0         0 allow ip from any to 192.168.100.1 via tun0
00300      0         0 deny log ip from any to 10.0.0.0/8 via de0
00400      0         0 deny log ip from any to 10.0.0.0/8 via tun0
00500      0         0 deny log ip from any to 172.31.0.0/16 via de0
00600      0         0 deny log ip from any to 172.31.0.0/16 via tun0
00700    297     14256 deny log ip from any to 192.168.0.0/16 via de0
00800      0         0 deny log ip from any to 192.168.0.0/16 via tun0
00900 369863 190805286 divert 8668 ip from any to any via de0
01000      0         0 divert 8669 ip from any to any via tun0
01100 362300 187416982 allow ip from any to any via xl0
01200      0         0 allow ip from any to any via lo0
01300      0         0 allow icmp from 10.124.192.1 to any via de0
01400      0         0 allow icmp from 10.124.192.1 to any via tun0
01500    934     26152 allow ip from 192.168.100.1 to any via de0
01600      0         0 allow ip from 192.168.100.1 to any via tun0
01700   2302    756374 deny log ip from 10.0.0.0/8 to any via de0
01800      0         0 deny log ip from 10.0.0.0/8 to any via tun0
01900      0         0 deny log ip from 172.31.0.0/16 to any via de0
02000      0         0 deny log ip from 172.31.0.0/16 to any via tun0
02100      0         0 deny log ip from 192.168.0.0/16 to any via de0
02200      0         0 deny log ip from 192.168.0.0/16 to any via tun0
02300  12416    595968 allow tcp from any to any out xmit de0 setup
02400      0         0 allow tcp from any to any out xmit tun0 setup
02500 351164 189081075 allow tcp from any to any via de0 established
02600      0         0 allow tcp from any to any via tun0 established
02700    119      5940 allow tcp from any to any dst-port 80 setup
02800      0         0 allow tcp from any to any dst-port 22 setup
02900      0         0 reset log tcp from any to any dst-port 113 in 
recv de0
03000      0         0 reset log tcp from any to any dst-port 113 in 
recv tun0
03100    630     40125 allow udp from any to any dst-port 53 out xmit 
de0 keep-state
03200      0         0 allow udp from any to any dst-port 53 out xmit 
tun0 keep-state
03300    594    122644 allow udp from any 53 to any in recv de0
03400      0         0 allow udp from any 53 to any in recv tun0
03500      0         0 allow udp from any to any dst-port 123 out xmit 
de0 keep-state
03600      0         0 allow udp from any to any dst-port 123 out xmit 
tun0 keep-state
03700      8      2624 allow udp from any to any dst-port 68 keep-state
03800      8      2624 allow udp from any to any dst-port 67 out xmit de0
03900      0         0 allow udp from any to any dst-port 67 out xmit tun0
04000      0         0 allow udp from any 67 to any in recv de0
04100      0         0 allow udp from any 67 to any in recv tun0
04200      0         0 allow log udp from any to any dst-port 
33434-33499 out
04300      0         0 allow igmp from 192.168.100.1 to any in via de0
04400      0         0 allow igmp from 192.168.100.1 to any in via tun0
04500    116     25536 allow icmp from any to any
04600   1228     59292 deny log tcp from any to any in via de0 setup
04700      0         0 deny log tcp from any to any in via tun0 setup
04800      0         0 deny tcp from any to any
04900    242     24188 deny log ip from any to any in via de0
05000      0         0 deny log ip from any to any in via tun0
65435    102     62744 deny log ip from any to any
65535      2       376 deny ip from any to any


-- 
**************************
/// fr at nku$ \\\
mailto: frankus at rulez.cz
http://frankus.rulez.cz
**************************




