Simple ipfw Script
Script
vi firewall.open
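#!/bin/sh
# firewall.open: flush all rules, protect loopback, allow everything else
ipfw=/sbin/ipfw
$ipfw -f flush
# loopback addresses are only valid on lo0
$ipfw add allow ip from any to any via lo0
$ipfw add deny ip from any to 127.0.0.0/8
$ipfw add deny ip from 127.0.0.0/8 to any
# everything else passes
$ipfw add allow ip from any to any
Very simple, but worth noting: at least localhost is 'secure', because any packet that carries a 127.0.0.0/8 address without travelling via lo0 is dropped.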
Now the question is whether I am running a single server or hiding a network behind my 'server'... Under FreeBSD we call that NAT (Network Address Translation), and in that case we add the line marked with +:
$ipfw add allow ip from any to any via lo0
$ipfw add deny ip from any to 127.0.0.0/8
$ipfw add deny ip from 127.0.0.0/8 to any
+$ipfw add divert natd ip from any to any
$ipfw add allow ip from any to any
natd is listed in /etc/services with port 8668; the why and wherefore is beyond the scope of this page =)
DESCRIPTION
Divert sockets are similar to raw IP sockets, except that they can be bound to a specific divert port via the bind(2) system call. The IP address in the bind is ignored; only the port number is significant. A divert socket bound to a divert port will receive all packets diverted to that port by some (here unspecified) kernel mechanism(s). Packets may also be written to a divert port, in which case they re-enter kernel IP packet processing.
With that we have created a simple firewall, one that certainly does not deserve the name firewall in this form.
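For comparison, a stateful variant of the NAT ruleset above, as an added example that is not part of the original page: both divert rules are bound to the external interface and the final allow-all is replaced by a default deny. The interface names em0 (external) and em1 (internal), the rule numbers and the EXT_IF/INT_IF variables are assumptions, and natd must already be running on the external interface.

```shell
#!/bin/sh
# Added example: stateful ipfw + natd ruleset generator (not from the original page).
# Assumed names: em0 = external interface, em1 = internal LAN interface.
ipfw=/sbin/ipfw

rule() { printf '%s\n' "$*"; }   # emit one ipfw argument list per line

build_rules() {
    oif="$1"; iif="$2"
    rule -f flush
    # Loopback handling, as in the page's script.
    rule add 100 allow ip from any to any via lo0
    rule add 110 deny ip from any to 127.0.0.0/8
    rule add 120 deny ip from 127.0.0.0/8 to any
    # Traffic on the internal interface is trusted and never diverted.
    rule add 130 allow ip from any to any via "$iif"
    # Inbound on the external interface: undo NAT first, then match state.
    rule add 200 divert natd ip from any to any in via "$oif"
    rule add 210 check-state
    # Outbound connections create state and jump to the outbound NAT rule.
    rule add 300 skipto 900 tcp from any to any out via "$oif" setup keep-state
    rule add 310 skipto 900 udp from any to any out via "$oif" keep-state
    rule add 320 skipto 900 icmp from any to any out via "$oif" keep-state
    # Anything else, including unsolicited inbound traffic, is dropped.
    rule add 800 deny ip from any to any
    # Reached only via skipto: translate outbound packets, then pass them.
    rule add 900 divert natd ip from any to any out via "$oif"
    rule add 910 allow ip from any to any
}

apply_rules() {
    build_rules "$1" "$2" | while read -r args; do
        $ipfw -q $args   # intentionally unquoted: split into ipfw arguments
    done
}

# Without arguments the script only prints the ruleset for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules "${EXT_IF:-em0}" "${INT_IF:-em1}"
else
    build_rules "${EXT_IF:-em0}" "${INT_IF:-em1}"
fi
```

Run it without arguments to review the generated rules, and with `apply` as root on the FreeBSD gateway to load them.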
(...to be complex IPFW or som3 Dummynet)