Building the Firewall Rules

The most important responsibility of the gateway is to firewall our three separate network segments. We will again use the ipfw functionality that was introduced in Section 4.1.5.1. See that section for a basic introduction to the functioning of ipfw.

The configuration script for the gateway is significantly more complex than the one laid out for use on the clients. It has to protect not only the gateway itself, but also ensure separation between the networks while allowing vital services on the gateway to be accessed by local users. This script is also much more aggressive in preventing abusive behavior, since it will be the front line against often hazardous Internet traffic.

We will examine the script section by section. To build the completed script, concatenate each of the example sections that follow into /etc/firewall.conf.

The first line sets the fwcmd variable equal to the path and name of the firewall control program.

fwcmd="/sbin/ipfw"

These four variables correspond to your outside interface, network, netmask, and IP address, respectively. Change these to the correct values.

# set these to your outside interface network and netmask and ip
oif="dc0"
onet="192.0.2.0"
omask="255.255.255.0"
oip="192.0.2.230"

These variables do the same thing for the wireless network (variables starting with “w”) and for the internal wired network (variables starting with “i”). Change these if you are going to use different IP ranges on these networks.

# set these to your inside interface networks, netmasks, and IPs
wif="wi0"   # must be a different interface from ${oif}; wi0 is assumed here for the wireless card
wnet="192.168.0.0"
wmask="255.255.255.0"
wip="192.168.0.1"

iif="dc1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

These rules prevent traffic that appears to be from one of our three networks but actually originates on the wrong network. For example, a packet with the source IP of a wireless client should not come into the gateway from the wired network or the external network.

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${wnet}:${wmask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${wif}
${fwcmd} add deny all from ${inet}:${imask} to any in via ${wif}
${fwcmd} add deny all from ${wnet}:${wmask} to any in via ${iif}

These rules are the same as those found in the simple firewall section of the default /etc/rc.firewall. They block incoming packets from the Internet destined to improper network IP ranges such as non-routable, multicast, and broadcast IPs.

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

This rule tells the firewall that at this point in the processing, all packets that are being handled by the external interface should be sent to the NAT daemon for IP address translation.

${fwcmd} add divert natd all from any to any via ${oif}

Very similar in function to the block of rules above the NAT divert, these rules block packets that come in on the external interface with a source address in one of those improper networks. This is done after the NAT translation so that our internal network traffic is not inadvertently blocked by the RFC1918 filters.

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

This rule allows packets that are part of an established TCP session to pass through the gateway.

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

This allows UDP DNS traffic to and from a caching DNS server on the gateway. If you are not going to put a caching DNS server on the gateway, don’t bother with these four rules.

# Allow access to our DNS
${fwcmd} add pass udp from any to ${wip} 53
${fwcmd} add pass udp from ${wip} 53 to any
${fwcmd} add pass udp from any to ${iip} 53
${fwcmd} add pass udp from ${iip} 53 to any

This rule allows the gateway itself to make DNS queries to the outside world. The keep-state directive tells it to expect a matching answer that should be passed through the firewall.

# Allow DNS queries out to the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state

These rules allow connections to the SSH daemon on any of the gateway's addresses, so the gateway can be administered securely from anywhere.

# Allow SSH connections
${fwcmd} add pass tcp from any to ${oip} 22
${fwcmd} add pass tcp from any to ${wip} 22
${fwcmd} add pass tcp from any to ${iip} 22

Some daemons, namely sendmail, will query ident on hosts that attempt to use their service. By rejecting these requests rather than dropping them silently, the daemons will not have to wait for the ident query to time out. This speeds up connections to these daemons, such as sending mail.

${fwcmd} add reset tcp from any to any 113

Attempts to start new TCP connections originating from the Internet should be rejected and logged.

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

These three rules allow TCP connections originating from the wireless network, wired network, or gateway to be made. The setup directive tells the firewall to add the connection to the state table so that packets in the session are passed by the pass ... established rule above. Note that connections between the wired and wireless networks are not authorized by these rules.

# Allow setup of other TCP connections
${fwcmd} add pass tcp from ${wnet}:${wmask} to any out via ${oif} setup
${fwcmd} add pass tcp from ${inet}:${imask} to any out via ${oif} setup
${fwcmd} add pass tcp from ${oip} to any out via ${oif} setup

This allows ICMP echo reply, source quench, time exceeded, destination unreachable, and parameter problem messages to be passed.

# Allow ICMP
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,11,12

Everything else is denied by default, unless the IPFIREWALL_DEFAULT_TO_ACCEPT option is set in the kernel configuration. This option should not be set on the gateway.
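To see how first-match ordering decides the fate of a packet in this ruleset, the following is an added example (not code from the book): a small Python model of a subset of the rules above, walked by constructed sample packets. It omits the divert/natd and keep-state rules, models one firewall pass at a time (ipfw sees a forwarded packet once on its inbound and once on its outbound interface), and assumes the interface names dc0, wi0 and dc1; the networks and addresses are the script's own variable values.

```python
import ipaddress

# Interface names are assumptions (the wireless card must not share the outside
# interface); networks and addresses are the book's variable values.
OIF, WIF, IIF = "dc0", "wi0", "dc1"
ONET, WNET, INET = "192.0.2.0/24", "192.168.0.0/24", "192.168.1.0/24"
OIP, WIP, IIP = "192.0.2.230", "192.168.0.1", "192.168.1.1"

# Subset of the script's rules in script order; divert/natd and keep-state are not modelled.
RULES = [
    ("deny", dict(src=INET, dir="in", via=OIF)),         # anti-spoofing block
    ("deny", dict(src=WNET, dir="in", via=OIF)),
    ("deny", dict(src=ONET, dir="in", via=IIF)),
    ("deny", dict(src=ONET, dir="in", via=WIF)),
    ("deny", dict(src=INET, dir="in", via=WIF)),
    ("deny", dict(src=WNET, dir="in", via=IIF)),
    ("pass", dict(proto="tcp", established=True)),       # existing TCP sessions
    ("pass", dict(proto="udp", dst=WIP, dport=53)),      # caching DNS on the gateway
    ("pass", dict(proto="udp", dst=IIP, dport=53)),
    ("pass", dict(proto="tcp", dst=OIP, dport=22)),      # SSH to any gateway address
    ("pass", dict(proto="tcp", dst=WIP, dport=22)),
    ("pass", dict(proto="tcp", dst=IIP, dport=22)),
    ("deny log", dict(proto="tcp", dir="in", via=OIF, setup=True)),  # new inbound SYNs
    ("pass", dict(proto="tcp", src=WNET, dir="out", via=OIF, setup=True)),
    ("pass", dict(proto="tcp", src=INET, dir="out", via=OIF, setup=True)),
    ("pass", dict(proto="icmp", icmptype={0, 3, 4, 11, 12})),
]

def matches(fields, pkt):
    """True when every field the rule names agrees with the packet."""
    for key, want in fields.items():
        have = pkt.get(key)
        if key in ("src", "dst"):   # address-in-network test, as ipfw does
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "icmptype":
            if have not in want:
                return False
        elif have != want:          # exact match on proto, port, flags, interface
            return False
    return True

def evaluate(pkt):
    """(rule number, action) of the first match; 65535 is ipfw's default deny."""
    for num, (action, fields) in enumerate(RULES, start=1):
        if matches(fields, pkt):
            return num, action
    return 65535, "deny"

# Constructed sample: a packet claiming a wireless source arrives on the outside interface.
SPOOF = dict(proto="tcp", src="192.168.0.5", dst=OIP, dport=22, dir="in", via=OIF, setup=True)
print(evaluate(SPOOF))   # (2, 'deny')
```

Feeding it a SYN from a wireless client to a wired host (in via wi0) falls through to 65535, which is the default deny the text relies on to keep the two internal networks apart.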

Place the completed script in /etc/firewall.conf, mark it as executable using chmod, and call it from the rc.local file. It will then be called when the system starts up.

If you find after a while that all the spurious traffic with spoofed source IP addresses is filling up your logs, consider removing the log command from some of the rules in this ruleset.

Tip

Unfortunately, at the time of this writing there does not appear to be a feasible way to perform MAC address filtering on FreeBSD. Pekka Nikander at Ericsson has begun to develop this capability along with 802.1x support. A paper describing this work can be found at http://www.tml.hut.fi/~pnr/publications/Freenix2002-Nikander.pdf
