
A real-life example

This section lists a complete example of a set of firewall filters on a Linux system acting as a gateway between the Internet and a private network. Note that this example is included for illustrative purposes only. Although it will protect the internal network to some extent, we strongly discourage considering it a complete, robust firewall solution.

The example applies to a gateway system (gw.foo.com) connected to the Internet through the interface with address 192.168.22.15 and to an internal network (192.168.37.0) through the interface with address 192.168.37.1. The system is a public WWW and ftp server; it can send and receive mail, it acts as a mail relay host for the internal network, and it is the primary DNS server for the foo.com domain.

Hosts on the private network can directly use telnet, WWW, ftp, gopher and WAIS services on the Internet (which is not a recommended firewall architecture). ICMP traffic is also allowed without any restriction (e.g., to enable ping). Note that traceroute will not work, because it sends UDP packets to unprivileged ports, for which none of the rules below exists.

    # Some definitions for easy maintenance.
    LOCALHOST="gw.foo.com"
    LOCALNET="192.168.37.0/24"
    IFEXTERN="192.168.22.15"
    IFINTERN="192.168.37.1"
    ANYWHERE="any/0"
    UNPRIVPORTS="1024:65535"
 
    # ====== Basic rules.
 
    # Sure we're paranoid, but are we paranoid enough?
    ipfwadm -I -p deny
    ipfwadm -O -p deny
    ipfwadm -F -p deny
 
    # Refuse spoofed packets.
    ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET
    ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN
 
    # Unlimited traffic within the local network.
    ipfwadm -I -a accept -V $IFINTERN
    ipfwadm -O -a accept -V $IFINTERN
 
    # Unlimited ICMP traffic (not recommended).
    ipfwadm -I -a accept -P icmp
    ipfwadm -O -a accept -P icmp
    ipfwadm -F -a accept -P icmp
 
    # ====== External use of our system.
 
    # Public access for e-mail, ftp, WWW, and DNS.
    ipfwadm -I -a accept -P tcp \
            -D $LOCALHOST smtp ftp www domain
    ipfwadm -I -a accept -P udp -D $LOCALHOST domain
    ipfwadm -I -a accept -k -P tcp \
            -D $LOCALHOST ftp-data
    ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
               ftp-data www domain
    ipfwadm -O -a accept -P udp -S $LOCALHOST domain
 
    # ====== Internal use of the Internet.
 
    # Outgoing packets.
    ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
            -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
               z3950 domain
    ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \
            -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
               z3950 domain
    ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
            -D $ANYWHERE z3950
    ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \
            -D $ANYWHERE z3950 domain
    ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
            -D $ANYWHERE ftp ftp-data www telnet gopher z3950
    ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
            -D $ANYWHERE z3950
 
    # Incoming packets.
    ipfwadm -I -a accept -k -P tcp \
            -S $ANYWHERE ftp www telnet gopher z3950 domain \
            -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -k -P tcp \
            -S $ANYWHERE ftp www telnet gopher z3950 domain \
            -D $IFEXTERN $UNPRIVPORTS
    ipfwadm -I -a accept -P tcp \
            -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -P tcp \
            -S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS
    ipfwadm -I -a accept -P udp \
            -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
    ipfwadm -I -a accept -P udp -S $ANYWHERE z3950 domain \
            -D $LOCALHOST $UNPRIVPORTS
    ipfwadm -F -a accept -k -P tcp \
            -S $ANYWHERE ftp www telnet gopher z3950 \
            -D $LOCALNET $UNPRIVPORTS
    ipfwadm -F -a accept -P tcp \
            -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
    ipfwadm -F -a accept -P udp \
            -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS

Some further remarks about the above example:
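To make the behaviour of the rule set easier to reason about, here is an added illustration that is not part of the original paper: a small Python model of how ipfwadm evaluates the input, output and forwarding chains (default policy, first matching rule wins, -P, -S/-D with port lists, -V and -k). The rules from the example above are entered in their original order and three constructed packets are run through them: a packet with an internal source address arriving on the external interface, a traceroute-style UDP probe from an internal host, and a TCP reply from port 80 next to a new connection attempt from port 80. The address 203.0.113.7 and the host 192.168.37.5 are constructed test values; ipfwadm's any/0 is written as 0.0.0.0/0 because that is what Python's ipaddress module expects. The matching semantics are a deliberate simplification of ipfwadm (masquerading and the other options are left out).

```python
"""Simplified model of how ipfwadm evaluates the rule set above (added example,
not from the original paper): chains I/O/F with a default policy, first matching
rule wins, -P, -S/-D with port lists, -V and -k.  Masquerading and the other
ipfwadm options are deliberately left out."""
import ipaddress
from collections import namedtuple

SERVICES = {"smtp": 25, "ftp": 21, "ftp-data": 20, "www": 80, "domain": 53,
            "telnet": 23, "gopher": 70, "z3950": 210}      # per /etc/services
LOCALHOST = IFEXTERN = "192.168.22.15"                   # gw.foo.com
IFINTERN, LOCALNET = "192.168.37.1", "192.168.37.0/24"
ANYWHERE, UNPRIVPORTS = "0.0.0.0/0", "1024:65535"        # ipfwadm writes any/0

# chain: I/O/F   target: accept/deny   proto: -P (None = any)   src/dst: -S/-D
# sports/dports: port lists ('' = any)   iface: -V   ack_only: -k (TCP with ACK)
Rule = namedtuple("Rule", "chain target proto src sports dst dports iface ack_only",
                  defaults=(None, ANYWHERE, "", ANYWHERE, "", None, False))
# iface: interface the packet arrives on or leaves by; ack=False models a bare SYN
Packet = namedtuple("Packet", "proto src sport dst dport iface ack", defaults=(True,))

def port_matches(port, spec):
    """'' matches any port; 'smtp ftp' or '1024:65535' are ipfwadm port lists."""
    for tok in spec.split():
        lo, hi = tok.split(":") if ":" in tok else (tok, tok)
        if int(SERVICES.get(lo, lo)) <= port <= int(SERVICES.get(hi, hi)):
            return True
    return not spec

def matches(rule, pkt):
    in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n)
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.ack_only and not (pkt.proto == "tcp" and pkt.ack):
        return False
    if not (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)):
        return False
    if pkt.proto == "icmp":                      # ICMP carries no ports here
        return True
    return port_matches(pkt.sport, rule.sports) and port_matches(pkt.dport, rule.dports)

class Firewall:
    def __init__(self):
        self.policy = {"I": "deny", "O": "deny", "F": "deny"}   # ipfwadm -p deny
        self.rules = []                                         # -a appends: order matters

    def verdict(self, chain, pkt):
        for r in self.rules:
            if r.chain == chain and matches(r, pkt):
                return r.target
        return self.policy[chain]

    def forward(self, pkt, out_iface):
        """A packet crossing the gateway must pass I, F and O; the first deny wins."""
        out = pkt._replace(iface=out_iface)
        for chain, p in (("I", pkt), ("F", pkt), ("O", out)):
            if self.verdict(chain, p) == "deny":
                return "deny in chain " + chain
        return "accept"

def build_example_ruleset():
    """The rules from the example, in their original order (those the checks reach)."""
    fw = Firewall()
    add = fw.rules.append
    add(Rule("I", "deny", iface=IFEXTERN, src=LOCALNET))          # refuse spoofed packets
    add(Rule("I", "deny", iface=IFEXTERN, src=IFEXTERN))
    add(Rule("I", "accept", iface=IFINTERN))                      # local network unrestricted
    add(Rule("O", "accept", iface=IFINTERN))
    for chain in "IOF":
        add(Rule(chain, "accept", "icmp"))
    add(Rule("I", "accept", "tcp", dst=LOCALHOST, dports="smtp ftp www domain"))
    add(Rule("I", "accept", "udp", dst=LOCALHOST, dports="domain"))
    add(Rule("O", "accept", "tcp", src=LOCALNET, sports=UNPRIVPORTS,
             dports="smtp ftp ftp-data www telnet gopher z3950 domain"))
    add(Rule("F", "accept", "tcp", src=LOCALNET, sports=UNPRIVPORTS,
             dports="ftp ftp-data www telnet gopher z3950"))
    add(Rule("F", "accept", "udp", src=LOCALNET, sports=UNPRIVPORTS, dports="z3950"))
    add(Rule("I", "accept", "tcp", sports="ftp www telnet gopher z3950 domain",
             dst=LOCALNET, dports=UNPRIVPORTS, ack_only=True))
    add(Rule("F", "accept", "tcp", sports="ftp www telnet gopher z3950",
             dst=LOCALNET, dports=UNPRIVPORTS, ack_only=True))
    return fw

FW = build_example_ruleset()
OUTSIDE = "203.0.113.7"          # constructed Internet address (TEST-NET-3)

def spoofed_packet():
    """Internal source address arriving on the external interface."""
    return FW.verdict("I", Packet("tcp", "192.168.37.5", 1234, LOCALHOST, 80, IFEXTERN))

def traceroute_probe():
    """UDP from an internal host to an unprivileged port: no rule in F accepts it."""
    probe = Packet("udp", "192.168.37.5", 40000, OUTSIDE, 33434, IFINTERN)
    return FW.forward(probe, IFEXTERN)

def web_reply_vs_probe():
    """-k: a reply from port 80 passes; a new connection from port 80 does not."""
    reply = Packet("tcp", OUTSIDE, 80, "192.168.37.5", 1234, IFEXTERN, ack=True)
    return FW.forward(reply, IFINTERN), FW.forward(reply._replace(ack=False), IFINTERN)
```

The spoofed packet is refused by the first rule in the input chain even though a later rule would accept TCP to the gateway's WWW port, which is why the anti-spoofing rules must be entered before the public-access rules. The traceroute probe passes the input chain (everything from the internal interface is accepted) but finds no matching rule in the forwarding chain and falls to the deny policy. The two port-80 packets differ only in the ACK bit: the reply is forwarded, the bare SYN is dropped by the -k rule, which is what keeps an outside host from reaching arbitrary unprivileged ports on the internal network simply by choosing source port 80.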



This version of the paper is based on Linux 2.0.25 and ipfwadm 2.3.0.
Currently, only this multi-page HTML version is available. In the future, also a single-page HTML version (for off-line reading) and a PostScript version will become available.

Copyright © 1996 by X/OS Experts in Open Systems BV. All rights reserved.