moin moin
ich kenne mich zwar mit iptables ein wenig aus, aber mit ipfw sieht es ziemlich mau aus. von meinem ibook aus möchte ich nur verkehr über das tunnel-device von open-vpn erlauben.
die iptables regeln würden demnach so aussehen.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
da der open-vpn traffic über udp-port 5000 läuft, für die wlan-karte nur udp 5000 erlauben.
iptables -A INPUT -i wlan0 -p udp --dport 5000 -j ACCEPT
iptables -A INPUT -i wlan0 -j DROP
iptables -A OUTPUT -o wlan -p udp --dport 5000 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j DROP
iptables -A FORWARD -i wlan0 -j DROP
auf dem mac habe ich jetzt ein fertiges script entsprechend angepasst, siehe anhang. meine frage nun, hab ich noch was übersehen oder irgendeinen schnitzer drin?
ps: oif ist das tunnel-device und iif die wlan-karte.
pps: das mit der datei anhängen, klappt mit safari irgendwie nicht
#!/bin/sh
# Originally found at http://www.bsdtoday.com/2000/December/Features359.html
# By Peter Brezny
# Modifications done to support dynamic IP and default OS X configuration
# by D. Cote, available at: http://www.novajo.ca/firewall.html
#
# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you. /usr/ports/net/ipsc-0.4.2
#
############################
# Make sure logging is enabled (disabled by default)
if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` == 0 ] ; then
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi
#
# Define your variables
#
fwcmd="/sbin/ipfw" # leave as is if using ipfw
oif="tun0" # set to outside interface name (for DSL pppoe0 in 10.0.x,
# pppoe0 in > 10.1.x)
# set following line to outside ip address
# or leave as is for dynamic IP address)
oip=192.168.2.24
#oip=`/sbin/ifconfig $oif| grep -w inet | awk '{ print $2 }'`;
#onwr="$oip/8" #set to outside network range
iif="en0" #set to internal interface name
inwr="192.168.1.0/16" #set to internal network range
iip="192.168.1.4" #set to internal ip address
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
###
# Rules with descriptions
#
# Basic rules: there is no need to modify anything in this first section.
# This is the bare minimum to block simple spoofing.
###
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
# $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
# $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
# $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
# $fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
# $fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
# $fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
# $fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
# $fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
# $fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
# $fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
# $fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
# $fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
# $fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
#
###
# User rules: Some of the rules below are dependent on your configuration.
# They might require some adjustments. They are emphasized with the
# word "ADJUST".
###
# ADJUST: If you use NATD (for your 192.168.0.1 interface for instance)
# you must uncomment the following. If you don't or if you don't know,
# make sure next rule (divert) is commented.
# Divert all packets through natd
# $fwcmd add divert natd all from any to any via $oif
#
# Allow all established connections to persist (setup required
# for new connections).
# $fwcmd add allow tcp from any to any established
$fwcmd add allow from any to $oip
$fwcmd add allow from $oip to any
$fwcmd add allow udp 5000 from any to $iip
$fwcmd add deny from any to $iip
$fwcmd add allow udp 5000 from $iip to any
$fwcmd add deny from $iip to any
#
# ADJUST: Allow incoming requests to reach the various services.
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
# If you have an internal interface (e.g. if you do not run NATd)
# uncomment the second line to enable AppleTalk on it.
# $fwcmd add allow tcp from any to $oip ftp,ssh,http,svrloc,afpovertcp setup
# $fwcmd add allow tcp from $oip to $iip 548 setup
#
# NOTE: you may have to change your client to passive or active mode
# to get ftp to work once enabled, only ssh, ftp and appletalk enabled by default.
# 21: ftp enabled by default
# 22: ssh enabled by default
# 23: telnet
# 25: smtp
# 80: http enabled by default
# 110: pop
# 143: imap
# 80: http
# 427: svrloc (?)
# 443: ssl
# 548: appleshare enabled by default
# 2401: cvs
# 5900-5909: VNC server, screen 0 through 9
# 6669: Limewire
#
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
$fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
# Politely and quickly rejects AUTH requests (e.g. email and ftp)
$fwcmd add reset tcp from any to $oip 113
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
# Allow any traffic from firewall ip to any going out the
# external interface
# $fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
# $fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
################################################## ###
#
# End firewall script.
Gruß HL
Lesezeichen