
ipfw problem

Status
Not open for further replies.

hansaplast
Programmer
Dec 17, 2001
NL
Hi,

OK, I solved my last thread (thread93-622690).

But now I found something strange in the "RFC1918 nets on the outside interface" rules..

View the red line below.
When I comment out the red line all works well. But why can't I block RFC1918 nets on the outside interface? I specifically noted the "via $EXT_NIC".

What am I doing wrong??

# Variables
EXT_NIC="xl0"
INT_NIC="rl0"

EXT_IP=`ifconfig $EXT_NIC|grep -w inet|sed 's/.*inet //'|sed 's/ n.*//'`

INT_NET=`ifconfig $INT_NIC|grep -w inet|sed 's/.*inet //'|sed 's/\./X/3'|sed 's/X.*/.0/'`
INT_NET="$INT_NET/24"

NATD_INTERFACE=$EXT_NIC

DENY="ipfw add deny"
ALLOW="ipfw add allow"



# Fluss the rules
ipfw -f flush

# Enable natd
# ipfw add 50 divert natd all from any to any via $NATD_INTERFACE

# Setup loopback
$ALLOW all from any to any via lo0
$DENY all from any to 127.0.0.0/8
$DENY ip from 127.0.0.0/8 to any

# Stop spoofing
# Explanation:
# $DENY all from $INT_NET to any in via $EXT_NIC
# Deny ALL traffic FROM the internal network TO ANY IN(coming)
# packets going through (VIA) the external interface.
#
$DENY all from $INT_NET to any in via $EXT_NIC
$DENY all from $EXT_IP to any in via $INT_NIC

# Stop RFC1918 nets on the outside interface
$DENY all from any to 10.0.0.0/8 via $EXT_NIC
$DENY all from any to 172.16.0.0/12 via $EXT_NIC
$DENY all from any to 192.168.0.0/16 via $EXT_NIC
# If I comment out the red line above everything works fine

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
$DENY all from any to 0.0.0.0/8 via $EXT_NIC
$DENY all from any to 169.254.0.0/16 via $EXT_NIC
$DENY all from any to 192.0.2.0/24 via $EXT_NIC
$DENY all from any to 224.0.0.0/4 via $EXT_NIC
$DENY all from any to 240.0.0.0/4 via $EXT_NIC

# Network Address Translation. All packets are passed to natd(8)
#
ipfw add 50 divert natd all from any to any via $NATD_INTERFACE

# Stop RFC1918 nets on the outside interface
$DENY all from 10.0.0.0/8 to any via $EXT_NIC
$DENY all from 172.16.0.0/12 to any via $EXT_NIC
$DENY all from 192.168.0.0/16 to any via $EXT_NIC

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
$DENY all from 0.0.0.0/8 to any via $EXT_NIC
$DENY all from 169.254.0.0/16 to any via $EXT_NIC
$DENY all from 192.0.2.0/24 to any via $EXT_NIC
$DENY all from 224.0.0.0/4 to any via $EXT_NIC
$DENY all from 240.0.0.0/4 to any via $EXT_NIC

#
# The rules!!
#

# Allow all internal traffic
$ALLOW all from $INT_NET to any setup

# Allow all outgoing traffic
$ALLOW all from $INT_NET to any
$ALLOW all from $EXT_IP to any

# Allow established connections and IP fragments to pass through
$ALLOW tcp from any to any established
$ALLOW all from any to any frag

# Allow DNS replies
$ALLOW udp from any 53 to $EXT_IP

# Drop and log all other inbound traffic
ipfw add 65000 deny log all from any to any
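An added example (not the poster's script) modelling how ipfw walks this ruleset. ipfw evaluates rules in ascending rule number, and `ipfw add` without a number hands out 100, 200, 300, ... by default, so a divert rule added with the explicit number 50 runs before every other rule no matter where it sits in the script; a reply that natd has already rewritten to an internal 192.168.x.x address then re-enters at the next rule and meets `deny all from any to 192.168.0.0/16 via xl0`. The public address, the LAN host and the one-entry natd state are constructed assumptions.

```python
import ipaddress

# Added example, not the poster's script: a minimal model of ipfw rule walking with a natd divert.
EXT_NIC = "xl0"
EXT_IP = ipaddress.ip_address("203.0.113.7")      # assumed public address on xl0
INT_HOST = ipaddress.ip_address("192.168.1.20")   # assumed LAN client behind natd
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def rule(num, action, dst="0.0.0.0/0", via=None):
    return {"num": num, "action": action, "dst": ipaddress.ip_network(dst), "via": via}

def ruleset(divert_num):
    """'ipfw add' without a number hands out 100, 200, 300, ... (default autoinc
    step), so the RFC1918 denies land there; the divert gets the explicit number."""
    rules = [rule(divert_num, "divert", via=EXT_NIC)]
    rules += [rule(100 * (i + 1), "deny", net, EXT_NIC) for i, net in enumerate(RFC1918)]
    rules.append(rule(500, "allow"))   # stands in for 'allow tcp from any to any established'
    rules.append(rule(65000, "deny"))  # the catch-all at the end of the script
    return sorted(rules, key=lambda r: r["num"])

def natd_inbound(pkt):
    """natd rewrites the destination of an inbound packet for EXT_IP (state
    simplified to one host); the packet re-enters at the rule after the divert."""
    if pkt["via"] == EXT_NIC and pkt["dst"] == EXT_IP:
        return dict(pkt, dst=INT_HOST)
    return pkt

def evaluate(rules, pkt):
    """Walk the rules in number order; return (action, matching rule number)."""
    for r in rules:
        if r["via"] not in (None, pkt["via"]) or pkt["dst"] not in r["dst"]:
            continue
        if r["action"] == "divert":
            pkt = natd_inbound(pkt)    # translated, then keep walking the rules
            continue
        return r["action"], r["num"]
    return "allow", None               # ipfw's implicit default; not reached here

def inbound_reply():
    """A reply from the Internet to the box's public address, in via xl0."""
    return {"dst": EXT_IP, "via": EXT_NIC}

def inbound_private_dst():
    """A packet really addressed to a private net arriving on the outside interface."""
    return {"dst": ipaddress.ip_address("192.168.5.5"), "via": EXT_NIC}

if __name__ == "__main__":
    print(evaluate(ruleset(50), inbound_reply()))        # ('deny', 300): NATed reply hits the 192.168/16 deny
    print(evaluate(ruleset(400), inbound_reply()))       # ('allow', 500): denies run before natd rewrites dst
    print(evaluate(ruleset(400), inbound_private_dst())) # ('deny', 300): the RFC1918 rule still does its job
```

With the divert numbered after the RFC1918 denies (as it would be if added without a number in script order), the checks see the untranslated public destination and the NATed reply passes, while a packet genuinely addressed to a private net on the outside interface is still dropped.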
 