# Protecting the gateway using IPFW/NAT



## mikej83 (Oct 1, 2009)

I am running 7.2-p3 as my router/gateway for my home network. I followed the instructions in the handbook for setting up IPFW/NATD, and everything is working great.

One thing I would like to change though is that the gateway server appears to be publicly accessible. I am getting a lot of error messages about failed ssh login attempts from addresses outside my network. How can I block any traffic from getting to the server directly (instead of being passed through to my private network)?

I am using the standard OPEN rules:

```
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
```


----------



## SirDice (Oct 1, 2009)

From the handbook:


> To select one of the default firewall types provided by FreeBSD, *select one by reading the /etc/rc.firewall file*


----------



## mikej83 (Oct 1, 2009)

From my original post:



			
				mikej83 said:
			
		

> I am using the standard OPEN rules


----------



## aragon (Oct 2, 2009)

mikej83 said:

> I am using the standard OPEN rules:




```
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using statefull
#                 firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
```

Did you read this from rc.firewall (or SirDice's reply)?  Try one of those instead.


----------



## SirDice (Oct 2, 2009)

Or, even better, create your own rules.


----------



## dennylin93 (Oct 2, 2009)

SirDice said:

> Or, even better, create your own rules.



This is always the best option since every network is different.


----------



## mikej83 (Oct 2, 2009)

aragon said:

> ```
> # Define the firewall type in /etc/rc.conf.  Valid values are:
> #   open        - will allow anyone in
> #   client      - will try to protect just this machine
> ...



Try one of what, exactly? As I've already stated, I'm using the open ruleset (the first one in your list). Client and Simple also contain a divert rule, but they both have the same problem I originally stated. I fell back to using Open because it is the simplest of the bunch to start from, and I thought it would be good to customize from there. Also the example in the handbook uses the open ruleset.



			
				SirDice said:
			
		

> Or, even better, create your own rules.


Yes, that is what I am trying to do but I don't know how to craft a rule to do this. I thought someone here might have been able to help me with creating the rule, not copy/pasting information in that is not helpful.


----------



## DutchDaemon (Oct 2, 2009)

ipfw(8)


```
addr: [not] {any | me | me6 | table(number[,value]) | addr-list |
             addr-set}

     any     matches any IP address.

     me      matches any IP address configured on an interface in the system.
```


```
The absence of a particular option may be denoted with a `!'.
```

Now think along those lines and try something like '! me' instead of 'any'.


----------
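A ruleset along the lines DutchDaemon hints at, as an added example that is not from the thread or from FreeBSD's rc.firewall: it keeps the OPEN/NAT skeleton posted above and adds rules on `me` so that unsolicited connections to the gateway itself are refused while NATed LAN traffic still passes. The external interface re0 and divert port 8668 are taken from the thread; the rule numbers and the `echo` dry-run mode are assumptions of this example.

```shell
#!/bin/sh
# Added example: ipfw/natd ruleset for a FreeBSD gateway that forwards NAT
# traffic for the LAN but refuses unsolicited inbound connections to itself.
# re0 and divert port 8668 come from the thread; rule numbers are arbitrary.
# Pass the ipfw binary as the first argument, or "echo" to preview the rules.

apply_gateway_rules() {
    fwcmd="$1"          # e.g. /sbin/ipfw, or echo for a dry run
    ext_if="re0"        # public interface (from the thread)

    $fwcmd -f flush

    # NAT first: every packet crossing re0 is handed to natd. An inbound packet
    # that natd maps to a LAN host re-enters the rules with the LAN address as
    # its destination, so it no longer matches "me" and is forwarded; only
    # packets really addressed to the gateway keep matching "me" below.
    $fwcmd add 00050 divert 8668 ip4 from any to any via $ext_if

    # Loopback rules unchanged from the OPEN set.
    $fwcmd add 00100 allow ip from any to any via lo0
    $fwcmd add 00200 deny ip from any to 127.0.0.0/8
    $fwcmd add 00300 deny ip from 127.0.0.0/8 to any

    # Replies to TCP connections the gateway opened itself (ACK set, not a
    # bare SYN) are allowed back in.
    $fwcmd add 01000 allow tcp from any to me in via $ext_if established

    # New TCP connections from the Internet to the gateway itself are refused
    # and logged, so sshd no longer sees the login attempts. LAN hosts still
    # reach the gateway because they arrive on the LAN interface, not re0.
    $fwcmd add 01100 deny log tcp from any to me in via $ext_if setup

    # Unsolicited UDP to the gateway is dropped as well; replies to its own DNS
    # lookups are permitted first (add other services the gateway queries here).
    $fwcmd add 01200 allow udp from any 53 to me in via $ext_if
    $fwcmd add 01300 deny log udp from any to me in via $ext_if

    # Everything else: outbound traffic, and LAN traffic translated by natd.
    $fwcmd add 65000 allow ip from any to any
}

# Usage: apply_gateway_rules /sbin/ipfw    (or: apply_gateway_rules echo)
```

Run it with `echo` first and compare the printed rules against `ipfw list` on the gateway before loading them for real.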

