Hi David,
Well, that might be a half a step closer... I just tried this
combination with a 50% success rate :). Inbound connections work quite
well, but connections originating from the box itself do not work.
Any ideas as to how to make this rulebase work with policy routing for
outbound connections as well?
I think it is interfering with the dynamic rules. ICMP appears to
work, but that is all. I would like to still use the dynamic
capabilites of stateful filtering if possible.
Here's the sample rulebase script:
[ ... ]
fwcmd="/sbin/ipfw -q"
IP1="10.0.0.2"
IP1-GW="10.0.0.1"
IP2="10.1.0.2"
IP2-GW="10.0.0.1"
IP1-NET="10.0.0.0/24"
IP2-NET="10.1.0.0/24"
# Reset all rules in case script run multiple times
${fwcmd} -f flush
# Allow all via loopback to loopback
${fwcmd} add 50 allow all from any to any via lo0
# POLICY ROUTING
${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any
${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any
# POLICIES
${fwcmd} add 200 check-state
# Allow from me to anywhere
${fwcmd} add 240 allow tcp from me to any setup keep-state
${fwcmd} add 260 allow udp from me to any keep-state
${fwcmd} add 280 allow icmp from me to any
# Allow INCOMING DNS
${fwcmd} add 310 allow log udp from any to me 53 in keep-state
# Allow INCOMING SSH from mynetwork
${fwcmd} add 320 allow log tcp from ${IP1-NET} to me 22 in setup
keep-state
# Disable icmp other than the "safe" subset
${fwcmd} add 370 allow icmp from any to any icmptype 0,3,8,11
# Block all other traffic and log in
${fwcmd} add 65534 deny log logamount 0 all from any to any
[ ... ]
-- steve
-----Original Message-----
From: David G. Andersen [mailto:danderse@cs.utah.edu]
Sent: Thursday, April 15, 2004 4:23 PM
To: Stephen Gill
Cc: freebsd-security@freebsd.org
Subject: Re: Policy routing with IPFW
Stephen Gill just mooed:> following:
>
> - All traffic sourced from Interface 1 (dc0) should go out gateway 1
> - All traffic sourced from Interface 2 (dc1) should go out gateway 2
> - All traffic destined to Interface 1 (dc0) should return out gateway
1> - All traffic destined to Interface 2 (dc1) should return out gateway
2>
> Gateway 1 is on dc0 and Gateway 2 is on dc1. I think you get the
> picture.
>
> Is this type of thing possible with IPFW? If not, is there any other
> module that would allow me to do this? I don't care how ugly it
gets,> just so long as it works.
sure.
options IPFIREWALL
options IPFIREWALL_FORWARD
As an example from a running system:
00100 allow ip from any to any via lo0
00500 allow ip from IP1 to IP1/IP1-netmask
00501 fwd IP1-GW ip from IP1 to any
00600 allow ip from IP2 to IP2/IP2-netmask
00601 fwd IP2-GW ip from IP2 to any
(where IP1-GW and IP2-GW are the next-hop routers for each
interface, obviously).
Works like a charm - I've got it running on quite a few machines.
The only downside to it sometimes is that you have to write some
script wrappers around things to get dynamic updates (e.g.,
ppp linkup scripts or dhcpd.conf running external scripts on route
changes).
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science
http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
__________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html