Lines Matching full:to
13 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 A Firewall is most commonly used to protect an internal network
35 are also used to prevent outside entities from spoofing internal
36 IP addresses and to isolate services such as NFS or SMBFS (Windows
41 firewalling system also has the capability to limit bandwidth using
43 This feature can be useful when you need to guarantee a certain
47 office T1 (1.5 MBits/s), you may wish to bandwidth-limit all other
48 T1 traffic to 1 MBit/s in order to reserve at least 0.5 MBits
52 you might want to limit bandwidth to prevent excessive bandwidth
57 firewalls may be used to divert packets or change the next-hop
58 address for packets to help route them to the correct destination.
59 Packet diversion is most often used to support NAT (network
61 a private IP space to make connections to the outside for browsing
64 Constructing a firewall may appear to be trivial, but most people
66 The most common mistake is to create an exclusive
73 firewalls but a tad more difficult to build properly.
75 second most common mistake is to blackhole everything except the
76 particular port you want to let through.
77 TCP/IP needs to be able
78 to get certain types of ICMP errors to function properly - for
79 example, to implement MTU discovery.
81 system daemons make reverse connections to the
83 service in an attempt to authenticate the user making a connection.
84 Auth is rather dangerous but the proper implementation is to return
90 You do not need to create a custom kernel to use the IP firewalling features.
106 This can prevent you from being able to access your system if you
108 It is also quite common to
109 update a kernel to a new release and reboot before updating
123 Still, it is a good option to use
124 while getting up to speed with
131 which allows you to use the firewall to divert packets to a user program
132 and is necessary if you wish to use
134 to give private internal networks access to the outside world.
135 If you want to be able to limit the bandwidth used by certain types of
138 option must be used to enable
144 fxp0 is connected to the 'exposed' LAN.
151 While it is not relevant to the example, 10.0.1.x is
155 In this example we want to isolate all three LANs from the Internet
156 as well as isolate them from each other, and we want to give all
157 internal addresses access to the Internet through a NAT gateway running
160 is given two Internet-exposed addresses on fxp0 in addition to an
172 exposed IP addresses would be the ones you wish to expose to the
175 It is important to note that the 10.0.0.x network in our example
185 risk and force everything coming in via LAN0 to go through
218 # 192.100.5.x represents IP addresses exposed to the Internet
238 # NOT SHOWN: The INTERNET ROUTER must contain rules to disallow
240 # to protect the dual-homed 10.0.0.x block. Exposed hosts are
242 # exposed services to exposed IPs but can safely bind internal
243 # services to internal IPs.
246 # IP addresses to external IP addresses and routing them to natd, which
248 # back to natd from the outside world must also be routed to natd using
249 # rule 00301. To make the example interesting, we note that we do
250 # NOT have to run internal requests to exposed hosts through natd
253 # of course do not have to route internal<->internal traffic through
254 # natd since those hosts know how to route our 10. internal network.
261 add 00290 skipto 1000 ip from 10.0.0.0/8 to 192.100.5.0/24
262 add 00300 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
263 add 00301 divert 8668 ip from not 10.0.0.0/8 to 192.100.5.5
265 # Short cut the rules to avoid running high bandwidths through
271 # hole but may be necessary to avoid overloading your firewall.
272 # If you are worried, you can move the rule to after the spoof
275 add 01000 allow tcp from any to any established
276 add 01001 allow all from any to any out via fxp0
277 add 01001 allow all from any to any out via fxp1
278 add 01001 allow all from any to any out via fxp2
296 # compromised?). If you want full restrictions to apply
300 # If you want to isolate LAN1 and LAN2, but still want
301 # to give exposed hosts free rein with each other, get
305 #add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8
306 #add 01011 allow all from 192.100.5.0/24 to 192.100.5.0/24
312 # access to specific services running on the firewall itself.
313 # In this case we assume LAN1 needs access to filesharing running
317 add 01012 allow tcp from 10.0.1.0/8 to 10.0.1.1 139
318 add 01012 allow udp from 10.0.1.0/8 to 10.0.1.1 137,138
320 # GENERAL SERVICES ALLOWED TO CROSS INTERNAL AND EXPOSED LANS
325 # really only apply to services bound to exposed IPs. We have
326 # to allow UDP fragments or larger fragmented UDP packets will
329 # If we want to expose high-numbered temporary service ports
331 # in this example 4000-65535, and we set to /etc/rc.conf variables
332 # on all exposed machines to make sure they bind temporary ports
333 # to the exposed port range (see rc.conf example above)
335 add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
336 add 02500 allow udp from any to any frag
338 # Allow similar services for TCP. Again, these only apply to
339 # services bound to exposed addresses. NOTE: we allow 'auth'
341 # port. This allows the machine being authed to respond with a
343 # when connecting to remote services that do reverse ident lookups.
347 # expect the TCP mtu discovery protocol to work properly so there
350 add 03000 allow tcp from any to any http,https
351 add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
352 add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
354 # It is important to allow certain ICMP types through, here is a list
355 # of general ICMP types. Note that it is important to let ICMP type 3
369 # Sometimes people need to allow ICMP REDIRECT packets, which is
373 add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
376 # otherwise do not bother. Have a final deny rule as a safety to
380 add 05000 deny log ip from any to any frag
381 add 06000 deny all from any to any
384 We have mentioned multi-homing hosts and binding services to internal or
387 host with multiple IP addresses assigned to it, you can bind services run
388 on that host to specific IPs or interfaces rather than all IPs.
395 If the firewall is providing file sharing services to the
397 directive to specifically bind it to just the LAN1 IP address.
399 way the file sharing services will not be made available to other LAN
403 workstations, you can tell nfsd to bind specifically to 10.0.2.1.
405 can specify how to bind virtually every service on the machine and you