This section lists a complete example for a set of firewall filters on a Linux system acting as a gateway between the Internet and a private network. Note that this example is included for illustrative purposes only. Although it will protect the internal network to some extent, we strongly discourage considering it a complete, robust firewall solution.
The example applies to a gateway system (gw.foo.com) connected to the Internet via the interface with address 192.168.22.15 and to an internal network (192.168.37.0) via the interface with address 192.168.37.1. The system acts as a public WWW and ftp server, it can send and receive mail, it acts as a mail relay host for the internal network, and it is the primary DNS server for the foo.com domain.
Hosts on the private network can directly use telnet, WWW, ftp, gopher and WAIS services on the Internet (which is not a recommended firewall architecture). Also, ICMP traffic is allowed without any restrictions (e.g., to enable ping). Note that traceroute will not work, because it uses UDP packets to unprivileged ports, which none of the rules below accept.
    # Some definitions for easy maintenance.
    LOCALHOST="gw.foo.com"
    IFEXTERN="192.168.22.15"
    IFINTERN="192.168.37.1"
    LOCALNET="192.168.37.0/24"
    ANYWHERE="0.0.0.0/0"
    UNPRIVPORTS="1024:65535"

    # ====== Basic rules.

    # Sure we're paranoid, but are we paranoid enough?
    # Default policy for all three chains: deny.
    ipfwadm -I -p deny
    ipfwadm -O -p deny
    ipfwadm -F -p deny

    # Handle spoofed packets: our own addresses must never arrive
    # on the external interface.
    ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE
    ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE

    # Unlimited traffic within the local network.
    ipfwadm -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
    ipfwadm -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE

    # Unlimited ICMP traffic (not recommended).
    ipfwadm -I -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
    ipfwadm -O -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
    ipfwadm -F -a accept -P icmp -S $ANYWHERE -D $ANYWHERE

    # ====== External use of our system.

    # Public access for e-mail, ftp, WWW, and DNS.
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE -D $LOCALHOST smtp ftp www domain
    ipfwadm -I -a accept -P udp \
        -S $ANYWHERE -D $LOCALHOST domain
    # ftp-data replies only (-k: TCP packets with ACK set).
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE -D $LOCALHOST ftp-data
    ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
        ftp-data www domain -D $ANYWHERE
    ipfwadm -O -a accept -P udp \
        -S $LOCALHOST domain -D $ANYWHERE

    # ====== Internal use of the Internet.

    # Outgoing packets.
    ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
        -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
        z3950 domain
    ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \
        -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
        z3950 domain
    ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
        -D $ANYWHERE z3950
    ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \
        -D $ANYWHERE z3950 domain
    ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
        -D $ANYWHERE ftp ftp-data www telnet gopher z3950
    ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
        -D $ANYWHERE z3950

    # Incoming packets.
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE ftp www telnet gopher z3950 domain \
        -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE ftp www telnet gopher z3950 domain \
        -D $IFEXTERN $UNPRIVPORTS
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS
    ipfwadm -I -a accept -P udp \
        -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -P udp -S $ANYWHERE z3950 domain \
        -D $LOCALHOST $UNPRIVPORTS
    ipfwadm -F -a accept -k -P tcp \
        -S $ANYWHERE ftp www telnet gopher z3950 \
        -D $LOCALNET $UNPRIVPORTS
    ipfwadm -F -a accept -P tcp \
        -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
    ipfwadm -F -a accept -P udp \
        -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
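To check what the rules above actually permit, the following is an added Python model (not part of ipfwadm or of this manual) of first-match evaluation for a subset of the input and forward chains; it assumes gw.foo.com resolves to the external address 192.168.22.15 and uses the standard port numbers for the named services.

```python
import ipaddress

# Addresses from the example (LOCALHOST assumed to resolve to the external address).
LOCALHOST = "192.168.22.15"
IFEXTERN, IFINTERN = "192.168.22.15", "192.168.37.1"
LOCALNET, ANYWHERE = "192.168.37.0/24", "0.0.0.0/0"
ANY, UNPRIV = range(0, 65536), range(1024, 65536)

def rule(action, proto=None, src=ANYWHERE, sport=ANY, dst=ANYWHERE, dport=ANY, via=None, k=False):
    """One ipfwadm rule; ports are a range or a list; k=True mirrors -k (TCP ACK bit set)."""
    return dict(action=action, proto=proto, src=ipaddress.ip_network(src), sport=sport,
                dst=ipaddress.ip_network(dst), dport=dport, via=via, k=k)

# Input chain (-I), in the order the example script appends the rules (subset).
INPUT = [
    rule("deny", via=IFEXTERN, src=LOCALNET),                    # spoofed: our net from outside
    rule("deny", via=IFEXTERN, src=IFEXTERN),                    # spoofed: our own address
    rule("accept", via=IFINTERN),                                # unlimited from local net
    rule("accept", proto="icmp"),
    rule("accept", proto="tcp", dst=LOCALHOST, dport=[25, 21, 80, 53]),   # smtp ftp www domain
    rule("accept", proto="udp", dst=LOCALHOST, dport=[53]),
    rule("accept", proto="tcp", dst=LOCALHOST, dport=[20], k=True),        # ftp-data replies only
    rule("accept", proto="tcp", sport=[21, 80, 23, 70, 210, 53], dst=LOCALNET, dport=UNPRIV, k=True),
    rule("accept", proto="tcp", sport=[20], dst=LOCALNET, dport=UNPRIV),   # active-mode ftp-data
]
# Forward chain (-F): what the gateway routes for internal hosts (subset).
FORWARD = [
    rule("accept", proto="icmp"),
    rule("accept", proto="tcp", src=LOCALNET, sport=UNPRIV, dport=[21, 20, 80, 23, 70, 210]),
    rule("accept", proto="udp", src=LOCALNET, sport=UNPRIV, dport=[210]),  # z3950 is the only UDP
    rule("accept", proto="tcp", sport=[21, 80, 23, 70, 210], dst=LOCALNET, dport=UNPRIV, k=True),
    rule("accept", proto="tcp", sport=[20], dst=LOCALNET, dport=UNPRIV),
    rule("accept", proto="udp", sport=[210], dst=LOCALNET, dport=UNPRIV),
]

def matches(r, p):
    """Packet p is a dict with proto, src, sport, dst, dport, via and optional ack flag."""
    return ((r["proto"] in (None, p["proto"])) and (r["via"] in (None, p["via"]))
            and ipaddress.ip_address(p["src"]) in r["src"] and p["sport"] in r["sport"]
            and ipaddress.ip_address(p["dst"]) in r["dst"] and p["dport"] in r["dport"]
            and (not r["k"] or p.get("ack", False)))

def decide(chain, p, policy="deny"):
    """First matching rule wins, as in ipfwadm; otherwise the chain's -p policy applies."""
    return next((r["action"] for r in chain if matches(r, p)), policy)
```

Feeding constructed packets through decide() shows the anti-spoofing rules fire before the www accept rule, that an unsolicited SYN claiming source port 80 is stopped by -k, and that a UDP traceroute probe from an internal host is dropped by the forward chain's deny policy.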
Some further remarks about the above example:
Copyright © 1996 by X/OS Experts in Open Systems BV. All rights reserved.