# FreeBSD 8.1 & IPFW & NATD - rules review



## ruthr (Dec 9, 2010)

Hello everyone

So I made firewall rules that work, and I'd like someone to make a little comment and give any advice on how to better optimize the rules.

wlan1 - outIF / natif - 10.55.x.x/24
wlan0 - localIF - 10.42.1.x/24

10.42.1.14 goes out via NAT.
The ssh, dns, www and irc ports (and the others from the rule below) must be available through wlan0 and wlan1.


```
fwcmd="ipfw -q"

natif=wlan1
inif=wlan0

$fwcmd -f flush

# packets addressed to the firewall on the outside interface are handed to natd
$fwcmd add 50 divert natd ip4 from any to me via $natif
$fwcmd add 55 check-state

$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 110 deny all from any to 127.0.0.0/8
$fwcmd add 120 deny ip from 127.0.0.0/8 to any
$fwcmd add 130 deny all from any to ::1
$fwcmd add 140 deny all from ::1 to any
# DAD
$fwcmd add 150 pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
$fwcmd add 160 pass ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd add 170 pass ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreach
$fwcmd add 180 pass ipv6-icmp from any to any icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
$fwcmd add 190 pass ipv6-icmp from any to any icmp6types 2,135,136

$fwcmd add 195 deny all from any to any frag

# services offered by the firewall itself
$fwcmd add 200 pass tcp from any to me 22,80,411,5222,6667,6697,7000,9091
$fwcmd add 210 pass udp from any to me 53 in
$fwcmd add 211 pass tcp from any to me 53 in
$fwcmd add 220 pass icmp from any to me in
$fwcmd add 230 pass all from me to any out keep-state

# LAN hosts allowed out through natd; ipfw evaluates rules in numeric order,
# so these run before the catch-all deny at 4100
$fwcmd add 04000 skipto 61000 ip from 10.42.1.14 to any in via $inif keep-state
$fwcmd add 04001 skipto 61001 ip from 10.42.1.11 to any in via $inif keep-state
$fwcmd add 4100 deny all from any to any

# reached only through the skipto rules above
$fwcmd add 61000 divert natd ip4 from 10.42.1.14 to any out via $natif
$fwcmd add 61001 divert natd ip4 from 10.42.1.11 to any out via $natif

$fwcmd add 65000 pass all from any to any
```


----------



## qsecofr (Dec 12, 2010)

You might optionally want to log (up to a limit) some denied packets.  It might help troubleshoot if your ruleset blocks some legitimate traffic inadvertently.


----------



## DutchDaemon (Dec 13, 2010)

It usually works better when you say what does or does not work, instead of dumping a ruleset and asking 'what people think'. We don't know your circumstances, wishes and policies, so we can't do your homework for you (nor would we want to, probably)...


----------



## Pushrod (Dec 13, 2010)

Use `ipfw show` to see the rule hit counts, and tune the ruleset in such a way that rules hit most often are near the top. Of course, make sure that the rules still match the way you want them to after the fact.


----------



## ruthr (Dec 14, 2010)

There is one problem in particular: is it possible to have host 10.42.1.14 go through NAT (which now works OK) and see only the allowed ports on the firewall, and not every port open like now?


----------

