
Stateful Firewall and Network Address Translation

Stateful (keep-state) firewall rules can be used only for connections that originate from the host itself, i.e. from the public IP, towards other hosts on the network. They do not work for connections initiated from one of the NATed private addresses, because the addresses a dynamic rule records depend on whether the packet has already passed the natd divert when the rule is evaluated. The following example describes a simple box with one public address and three jailed hosts running on top of it, using private addresses from the space defined by RFC 1918.

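# Addresses used by the rules below.  The public address and its /27 belong
# to the host; the jails live in an RFC 1918 /28 and are reached from the
# outside only through natd redirects.
ip="69.147.83.4"
net="69.147.83.0/27"
jailnet="192.168.1.0/28"
www="192.168.1.1"
smtp="192.168.1.2"
dns="192.168.1.3"

# NOTE: ${fwcmd} is provided by rc.firewall and may carry an option
# (e.g. "/sbin/ipfw -q"), so it is deliberately left unquoted to word-split.

# --- Jail egress policy -------------------------------------------------
# Rules 100-180 see jail-originated traffic before NAT.  Whatever a jail is
# allowed to send is handed to rule 1000 (skipto) so that it continues
# through the lo0 rule and the natd divert; anything else from or to the
# jail network is dropped at 170/180.

# www jail: answer HTTP/HTTPS and reach MySQL on the host.
${fwcmd} add 100 skipto 1000 tcp from "${www}" 80,443 to any established
${fwcmd} add 105 skipto 1000 tcp from "${www}" to "${ip}" 3306 setup keep-state

# smtp jail: answer on 25 and deliver outbound mail.
${fwcmd} add 110 skipto 1000 tcp from "${smtp}" 25 to any established
${fwcmd} add 120 skipto 1000 tcp from "${smtp}" to any 25

# dns jail: answer TCP/UDP queries and resolve recursively (UDP to port 53).
${fwcmd} add 130 skipto 1000 tcp from "${dns}" 53 to any
${fwcmd} add 140 skipto 1000 udp from "${dns}" 53 to any
${fwcmd} add 150 skipto 1000 udp from "${dns}" to any dst-port 53

# Jails can talk with each other
${fwcmd} add 160 allow ip from "${jailnet}" to "${jailnet}"

# Deny everything else coming from, or going to, the jails
${fwcmd} add 170 deny ip from any to "${jailnet}"
${fwcmd} add 180 deny ip from "${jailnet}" to any

# skipto target: pass loopback, then drop 127/8 seen on any other interface
${fwcmd} add 1000 pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# Hand everything crossing the external interface to natd (both directions).
# Rules after the divert see post-translation addresses: inbound packets
# redirected to a jail carry the jail's private address, outbound jail
# traffic carries ${ip}.
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd ip4 from any to any via "${natd_interface}"
	fi
	;;
esac

# Allow any traffic to and from own host.
# ${fwcmd} add pass all from me to me

# Allow IP fragments to pass through.
# CAUTION: unconditional.  Non-first fragments carry no L4 header, so none of
# the port-based rules below can constrain them.
${fwcmd} add pass all from any to any frag

# Allow setup of incoming SSH (from anywhere)
${fwcmd} add pass tcp from any to "${ip}" 22 setup keep-state

# Incoming services that natd redirects into the jails (addresses are
# already translated here): mail, DNS (incl. zone transfers), web.
${fwcmd} add pass tcp from any to "${smtp}" 25
${fwcmd} add pass tcp from any to "${dns}" 53
${fwcmd} add pass tcp from any to "${www}" 80,443

# Services on the host itself, reachable only from the host's own /27
${fwcmd} add pass tcp from "${net}" to "${ip}" 8080 setup keep-state
${fwcmd} add pass tcp from "${net}" to "${ip}" 3306 setup keep-state

# Allow setup of outgoing SSH
${fwcmd} add pass tcp from "${ip}" to any 22 setup keep-state

# Outgoing email from the host, plus the replies for the host and for the
# smtp jail's own outbound deliveries (dst already rewritten by natd).
${fwcmd} add pass tcp from "${ip}" to any 25 setup
${fwcmd} add pass tcp from any 25 to "${ip}" established
${fwcmd} add pass tcp from any 25 to "${smtp}" established

# Allow setup of outgoing HTTP
${fwcmd} add pass tcp from "${ip}" to any 80 setup keep-state

# Allow setup of outgoing CVSUP
${fwcmd} add pass tcp from "${ip}" to any 5999 setup keep-state

# Allow TCP through if setup succeeded.  This is flag-based (ACK/RST set),
# not stateful; it only covers segments leaving the host.
${fwcmd} add pass tcp from "${ip}" to any established

# Allow DNS queries out in the world.  keep-state admits only the replies to
# queries the host actually sent; a stateless "from any 53 to ${ip}" rule
# would let any UDP datagram with source port 53 reach every UDP service on
# the host.
${fwcmd} add pass udp from "${ip}" to any 53 keep-state
# Replies to the dns jail's recursive queries (dst rewritten by natd).
# Stateless: only reachable through a natd translation or redirect.
${fwcmd} add pass udp from any 53 to "${dns}"

# Allow DNS queries to our DNS server (redirected by natd) and its answers
# (source already rewritten to ${ip} by natd on the way out)
${fwcmd} add pass udp from any to "${dns}" 53
${fwcmd} add pass udp from "${ip}" 53 to any

# Allow NTP queries out in the world
${fwcmd} add pass udp from "${ip}" to any 123 keep-state

# ICMP: all types, both directions.  Consider narrowing with icmptypes.
${fwcmd} add pass icmp from any to any

# Everything else is denied by default and logged.  65534 is the highest
# number a user rule can take; 65535 is the kernel's built-in default rule.
${fwcmd} add 65534 deny log all from any to any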