en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
| good_tcpo="22,25,37,53,80,443,110"</programlisting> | ||||
firewall script.</para> | firewall script.</para> | ||||
<programlisting>ipfw disable one_pass | <programlisting>ipfw disable one_pass | ||||
ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ||||
<para>The inbound <acronym>NAT</acronym> rule is inserted | <para>The inbound <acronym>NAT</acronym> rule is inserted | ||||
<emphasis>after</emphasis> the two rules which allow all | <emphasis>after</emphasis> the two rules which allow all | ||||
traffic on the trusted and loopback interfaces and after the | traffic on the trusted and loopback interfaces and after the | ||||
reassamble rule but <emphasis>before</emphasis> the | reassemble rule but <emphasis>before</emphasis> the | ||||
<literal>check-state</literal> rule. It is important that the | <literal>check-state</literal> rule. It is important that the | ||||
rule number selected for this <acronym>NAT</acronym> rule, in | rule number selected for this <acronym>NAT</acronym> rule, in | ||||
this example <literal>100</literal>, is higher than the first | this example <literal>100</literal>, is higher than the first | ||||
three rules and lower than the <literal>check-state</literal> | three rules and lower than the <literal>check-state</literal> | ||||
rule. Furthermore, because of the behavior of in-kernel | rule. Furthermore, because of the behavior of in-kernel | ||||
<acronym>NAT</acronym> it is advised to place a reassamble | <acronym>NAT</acronym> it is advised to place a reassemble | ||||
rule just before the first <acronym>NAT</acronym> rule and | rule just before the first <acronym>NAT</acronym> rule and | ||||
after the rules that allow traffic on trusted interface. | after the rules that allow traffic on trusted interface. | ||||
Normally, <acronym>IP</acronym> fragmentation should not | Normally, <acronym>IP</acronym> fragmentation should not | ||||
happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | ||||
tunneling traffic it might and the reassmabling of fragments | tunneling traffic it might and the reassembling of fragments | ||||
is necessary before handing the complete packet over to the | is necessary before handing the complete packet over to the | ||||
in-kernel <acronym>NAT</acronym> facility.</para> | in-kernel <acronym>NAT</acronym> facility.</para> | ||||
<note> | <note> | ||||
<para>The reassemble rule was not needed with userland | <para>The reassemble rule was not needed with userland | ||||
&man.natd.8; because the internal workings of the | &man.natd.8; because the internal workings of the | ||||
<application>IPFW</application> <literal>divert</literal> | <application>IPFW</application> <literal>divert</literal> | ||||
action already takes care of reassambling packets before | action already takes care of reassembling packets before | ||||
delivery to the socket as also stated in &man.ipfw.8;.</para> | delivery to the socket as also stated in &man.ipfw.8;.</para> | ||||
<para>The <acronym>NAT</acronym> instance and rule number used | <para>The <acronym>NAT</acronym> instance and rule number used | ||||
in this example does not match with the default | in this example does not match with the default | ||||
<acronym>NAT</acronym> instance and rule number created by | <acronym>NAT</acronym> instance and rule number created by | ||||
<filename>rc.firewall</filename>. | <filename>rc.firewall</filename>. | ||||
<filename>rc.firewall</filename> is a script that sets up | <filename>rc.firewall</filename> is a script that sets up | ||||
the default firewall rules present in &os;.</para></note> | the default firewall rules present in &os;.</para></note> | ||||
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | <programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | ||||
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic | $cmd 010 allow all from any to any via lo0 # exclude loopback traffic | ||||
$cmd 099 reass all from any to any in # reassamble inbound packets | $cmd 099 reass all from any to any in # reassemble inbound packets | ||||
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | ||||
# Allow the packet through if it has an existing entry in the dynamic rules table | # Allow the packet through if it has an existing entry in the dynamic rules table | ||||
$cmd 101 check-state</programlisting> | $cmd 101 check-state</programlisting> | ||||
<para>The outbound rules are modified to replace the | <para>The outbound rules are modified to replace the | ||||
<literal>allow</literal> action with the | <literal>allow</literal> action with the | ||||
<literal>$skip</literal> variable, indicating that rule | <literal>$skip</literal> variable, indicating that rule | ||||
processing will continue at rule <literal>1000</literal>. The | processing will continue at rule <literal>1000</literal>. The | ||||
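Review bot: the spelling fixes in this hunk are right (reassamble, reassmabling and reassambling become reassemble and reassembling in the paragraph, in the note and in the rule 099 comment), but two grammatical slips on the same lines are left untouched and would fit in the same commit: "after the rules that allow traffic on trusted interface" should read "on the trusted interface", and in the note "The NAT instance and rule number used in this example does not match" has a plural subject, so it should be "do not match". The ordering the text describes (reassemble rule immediately before the first NAT rule, after the trusted and loopback rules and before check-state) agrees with the listing (005, 010, 099 reass, 100 nat, 101 check-state), so no change is needed there.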