opus
August 23rd, 2003, 23:55
What am I missing?
Network:
Internet--------Zyxel Router----------------IPFW/NAT gateway------------------Workstations
192.168.1.1 192.168.1.10-outside interface 192.168.2.0/24
192.168.2.1-inside interface
##################
# Delete all rules
##################
-f -q flush
##############################################
# Allow loopback and prevent loopback spoofing
##############################################
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
add 400 deny log tcp from any to any in tcpflags syn,fin
add 500 deny log ip from any to any frag in
add 600 allow icmp from any to any
#####
# NAT
#####
add 1000 divert natd all from any to any via dc0
################
# Stateful rules
################
add 2000 check-state
#add 2100 reset tcp from any to any established in
add 2200 allow ip from 192.168.2.0/24 to any keep-state
add 2300 allow ip from 192.168.1.0/24 to any keep-state
###################
# Incoming Services
###################
add 3000 allow tcp from any to any 80 keep-state
add 3100 allow tcp from any to any 25 keep-state
add 3200 allow tcp from any to any 21 keep-state
######################
# Nice logged denyness
######################
add 5000 reset log tcp from any to any
add 5100 unreach port log udp from any to any
add 5200 reset log all from any to any
Default to deny
Network:
Internet--------Zyxel Router----------------IPFW/NAT gateway------------------Workstations
192.168.1.1 192.168.1.10-outside interface 192.168.2.0/24
192.168.2.1-inside interface
##################
# Delete all rules
##################
-f -q flush
##############################################
# Allow loopback and prevent loopback spoofing
##############################################
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
add 400 deny log tcp from any to any in tcpflags syn,fin
add 500 deny log ip from any to any frag in
add 600 allow icmp from any to any
#####
# NAT
#####
add 1000 divert natd all from any to any via dc0
################
# Stateful rules
################
add 2000 check-state
#add 2100 reset tcp from any to any established in
add 2200 allow ip from 192.168.2.0/24 to any keep-state
add 2300 allow ip from 192.168.1.0/24 to any keep-state
###################
# Incoming Services
###################
add 3000 allow tcp from any to any 80 keep-state
add 3100 allow tcp from any to any 25 keep-state
add 3200 allow tcp from any to any 21 keep-state
######################
# Nice logged denyness
######################
add 5000 reset log tcp from any to any
add 5100 unreach port log udp from any to any
add 5200 reset log all from any to any
Default to deny