WLAN Firewall

From: Christoph Schumacher <schumi-news(at)gmx.de>
Date: Wed, 18 Aug 2004 16:30:28 +0200



Hallo Leute 



Ich bin gerade dabei mir ein WLAN aufzubauen, das ich über eine FreeBSD


VPN verwalten will. Dazu will ich natürlich alles dicht machen, bis auf


DNS, SSH und VPN. Leider klappt das nicht so wie ich will. Ich kann mich


per pptp auf dem Server einloggen , aber auch Samba-Zugriffe machen (


was nicht sein soll ). Was ist falsch in meiner Konfiguration ??


Anmerkung : wip ist wlan ( CrossKabel2AP ), iif ist intern, oif ist DSL



Danke für die Hilfe ......



#!/bin/sh


##!/usr/bin/nohup /bin/sh



#


# Setup system for firewall service.


#



# setting up ipfw command


fwcmd="/sbin/ipfw -q"



#IIP=$(/sbin/ifconfig tun0 |grep -v 192.168.0.0 |  grep ask | awk


'{print $2}'|cut -d ':' -f2)



# this sets outside ip of the dial up interface by asking ppp


IIP=$(pppctl -p geheim 2001 show ipcp |grep "My side" | awk '{print


$3}'| cut -d ',' -f1) onet=`echo ${IIP} |  sed 's/\([0-9]*\)$/0/'`


oif="tun0" omask="255.255.255.255" oip=${IIP}



#echo Network : IP-Addresse ${IIP}


#echo Network : ${onet} mit Addresse ${oip}


#exit



# set these to your inside interface network and netmask and ip


iif="fxp0" inet="192.168.100.0" imask="255.255.255.0"


iip="192.168.100.2"



# set these to your wlan interface network and netmask and ip wif="rl1"


wnet="192.168.200.0" wmask="255.255.255.0" wip="192.168.200.2"



setup_loopback () {


        ############


        # Only in rare cases do you want to change these rules


        #


        ${fwcmd} add 100 pass all from any to any via lo0


        ${fwcmd} add 200 deny all from any to 127.0.0.0/8


        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any



        ${fwcmd} add 400 pass all from any to any via ${iif}


}



############


# Flush out the list before we begin.


#


${fwcmd} -f flush



############ ############



setup_loopback



# Stop spoofing


${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}


#${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}


${fwcmd} add deny all from ${inet}:${imask} to any in via ${wif}



# Stop RFC1918 nets on the outside interface


${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} ${fwcmd} add


deny all from any to 172.16.0.0/12 via ${oif} ${fwcmd} add deny all from


any to 192.168.0.0/16 via ${oif} in



${fwcmd} add deny all from any to 10.0.0.0/8 via ${wif} ${fwcmd} add


deny all from any to 172.16.0.0/12 via ${wif} #${fwcmd} add deny all


from any to 192.168.0.0/16 via ${wif} in



# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,


# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) #


on the outside interface ${fwcmd} add deny all from any to 0.0.0.0/8 via


${oif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}


${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} ${fwcmd} add


deny all from any to 224.0.0.0/4 via ${oif} ${fwcmd} add deny all from


any to 240.0.0.0/4 via ${oif}



${fwcmd} add deny all from any to 0.0.0.0/8 via ${wif}


${fwcmd} add deny all from any to 169.254.0.0/16 via ${wif} ${fwcmd} add


deny all from any to 192.0.2.0/24 via ${wif} ${fwcmd} add deny all from


any to 224.0.0.0/4 via ${wif} ${fwcmd} add deny all from any to


240.0.0.0/4 via ${wif}



# common stuff


# Allow setup of any other TCP connection


${fwcmd} add pass tcp from any to any setup



# Allow TCP through if setup succeeded


${fwcmd} add pass tcp from any to any established



# Allow IP fragments to pass through


${fwcmd} add pass all from any to any frag



# special stuff


# Allow setup of incoming email


${fwcmd} add pass tcp from any to ${oip} 25 setup



# Allow DNS queries out in the world


${fwcmd} add pass udp from ${oip} to any 53 keep-state



# Allow NTP queries out in the world


${fwcmd} add pass udp from ${oip} to any 123 keep-state



# Allow access to our DNS


#${fwcmd} add pass tcp from any to ${iip} 53 setup


#${fwcmd} add pass udp from any to ${iip} 53


#${fwcmd} add pass udp from ${iip} 53 to any


${fwcmd} add pass tcp from any to ${wip} 53 setup


${fwcmd} add pass udp from any to ${wip} 53


${fwcmd} add pass udp from ${wip} 53 to any



# Allow access to our WWW


${fwcmd} add pass tcp from any to ${oip} 80 setup


${fwcmd} add pass tcp from any to ${wip} 80 setup



# config file.



# Allow vpn access for wlan


#${fwcmd} add pass ip from 192.168.20.0:255.255.255.0 to any out via


${oif} #${fwcmd} add pass ip from 192.168.20.0:255.255.255.0 to any in


${fwcmd} add pass tcp from any to any pptp via ${wif} setup ${fwcmd} add


pass gre from any to any via ${wif}



# Allow dhcpd out to wlan


${fwcmd} add allow udp from any 67 to ${wip}


${fwcmd} add allow udp from ${wip} to any 67


${fwcmd} add allow tcp from any 67 to ${wip}


${fwcmd} add allow tcp from ${wip} to any 67


${fwcmd} add allow udp from any 68 to ${wip}


${fwcmd} add allow udp from ${wip} to any 68


${fwcmd} add allow tcp from any 68 to ${wip}


${fwcmd} add allow tcp from ${wip} to any 68



# Allow access to our DONKEY


${fwcmd} add pass tcp from any to ${oip} 5662 setup


${fwcmd} add pass tcp from any to ${oip} 5660-5670 


${fwcmd} add pass udp from any to ${oip} 5660-5670 



# Allow access to starcraft/battle.net


#${fwcmd} add pass tcp from any 6112 to ${oip} setup


#${fwcmd} add pass tcp from any to any 6112 setup


#${fwcmd} add pass tcp from any 6112 to ${oip} setup


#${fwcmd} add pass tcp from any 6112 to ${oip} established #${fwcmd} add


pass tcp from any to ${oip} 6112-6119 in #${fwcmd} add pass tcp from any


to ${oip} 6112-6119 setup #${fwcmd} add pass tcp from any to ${oip}


6112-6119 established



#$fwcmd add allow udp from any to any 6112 out xmit tun0 #$fwcmd add


allow tcp from any to any 6112 out xmit tun0 #$fwcmd add allow udp from


any 6112 to any in recv tun0 #$fwcmd add allow tcp from any 6112 to any


in recv tun0



# Allow access to our SSH


${fwcmd} add pass tcp from any to ${oip} 22 setup


${fwcmd} add pass udp from any to ${oip} 22 setup


${fwcmd} add pass tcp from any to ${wip} 22 setup


${fwcmd} add pass udp from any to ${wip} 22 setup


# sftp


#${fwcmd} add pass tcp from any to ${oip} 115 setup


#${fwcmd} add pass udp from any to ${oip} 115 setup



# Allow access to our IMAPS


${fwcmd} add pass tcp from any to ${oip} 993 setup


${fwcmd} add pass udp from any to ${oip} 993 setup



# Allow ICQ connections out in the world


#${fwcmd} add pass udp from any 4000 to ${oip}


#${fwcmd} add pass udp from ${oip} to any 4000



# iSPQ Video Chat


#${fwcmd} add pass udp from any to ${oip} 2000-2003


#${fwcmd} add pass tcp from any to ${oip} 2000-2002



# iVisit


${fwcmd} add pass udp from any to ${oip} 9940 


${fwcmd} add pass udp from any to ${oip} 9943 



# Allow NTP queries out in the world


${fwcmd} add pass udp from any 123 to ${oip}


${fwcmd} add pass udp from ${oip} to any 123


 


# Allow ICMP (for ping and traceroute to work).  You may wish to #


disallow this, but I feel it suits my needs to keep them in. ${fwcmd}


add allow icmp from any to any via ${oif}



# check the traffic's state, let it in if we sent it, otherwise deny


#${fwcmd} add check-state #${fwcmd} add deny tcp from any to any in


established #${fwcmd} add allow ip from any to any out keep-state



# Reject&Log all setup of incoming connections from the outside ${fwcmd}


add deny log tcp from any to any in via ${oif} setup ${fwcmd} add deny


log tcp from any to any in via ${wif} setup



To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org


with "unsubscribe de-bsd-questions" in the body of the message


Received on Wed 18 Aug 2004 - 16:31:30 CEST













search this site