Date:      Sun, 4 Feb 2001 15:57:22 -0000
From:      "G D McKee" <freebsd@gdmckee.com>
To:        "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject:   IPFW and NATD
Message-ID:  <000f01c08ec3$291ff120$0500a8c0@gdmckee.local>

Hi

I want to build a firewall that enables everything to go out, but only
accept connections in for port 22 and 25, and any port that gets initiated
from inside the local LAN.

I trust this is not at all hard.

I was looking down the rc.firewall file and the second section in here seems
to be pretty much what I want.  How can I enable this?  I need to add a line
into /etc/rc.conf, but what is it?

I got most of this from the dial-up firewall.  Will it do as I require?

# Firewall rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets crossing the external interface (ep0) to natd.
$fwcmd add divert natd all from any to any via ep0

# Allow all data on the internal network card and localhost.  ep1 is the
# inside (LAN) interface here; the template this came from used fxp0, so
# make sure it matches your own card before you reboot.  :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ep1

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit ep0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via ep0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example shows that people may connect
# to ssh and apache.
# (The port 80 line is inherited from the dial-up template; remove it if
# only ssh and smtp should be reachable from outside.)
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 25 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv ep0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 194.72.6.57 53 out xmit ep0
$fwcmd add allow udp from any to 194.73.73.95 53 out xmit ep0
# Port 53 was missing from the third rule, which would have let any UDP out
# to that host.
$fwcmd add allow udp from any to 152.32.107.18 53 out xmit ep0

# Allow them back in with the answers...  :)
$fwcmd add allow udp from 194.72.6.57 53 to any in recv ep0
$fwcmd add allow udp from 194.73.73.95 53 to any in recv ep0
# NOTE: this address does not match the 152.32.107.18 used in the outgoing
# rule above; one of the two is a typo, so check both against the ISP's
# resolver addresses.
$fwcmd add allow udp from 154.32.107.18 53 to any in recv ep0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.  (Left commented out here; with it disabled the kernel's
# built-in rule 65535 decides, which is deny unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT.  Enabling it gives you a logged record of
# what is being dropped.)
#$fwcmd add 65435 deny log ip from any to any


Gordon
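The policy described in the message written out as a self-contained rc script, added here as an example that is not part of the original post: it keeps the stateless setup/established model of the posted rules, allows only ssh and smtp in from outside, builds both DNS directions from one resolver list so the two sides cannot drift apart, ends with an explicit logged deny, and can be dry-run with FWCMD=echo. Interface names and resolver addresses are those from the message; the rc.conf variable names in the header and the assumption that rc.network sources firewall_script are mine.

```shell
#!/bin/sh
# /etc/ipfw.rules (added example, not from the message): stateless ipfw
# ruleset for "everything out, only ssh and smtp in" behind natd.
# Assumed /etc/rc.conf entries to activate it (variable names are an
# assumption about the rc scripts of that release, which source firewall_script):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="ep0"

oif="ep0"                                # outside interface (Internet)
iif="ep1"                                # inside interface (LAN)
dns_servers="194.72.6.57 194.73.73.95"   # resolvers named in the message

load_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"         # FWCMD=echo prints instead of loading
    $fwcmd -f flush
    # NAT everything crossing the outside interface (must come first)
    $fwcmd add 100 divert natd ip from any to any via $oif
    # Loopback and the LAN side are trusted
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 210 allow ip from any to any via $iif
    # Connections we start towards the outside, and their return traffic
    $fwcmd add 300 allow tcp from any to any out xmit $oif setup
    $fwcmd add 310 allow tcp from any to any via $oif established
    # The only TCP services reachable from outside: ssh and smtp
    $fwcmd add 400 allow tcp from any to any 22 in recv $oif setup
    $fwcmd add 410 allow tcp from any to any 25 in recv $oif setup
    # Answer ident probes with RST so remote mail servers do not wait for a timeout
    $fwcmd add 420 reset tcp from any to any 113 in recv $oif
    # DNS only to and from the listed resolvers; one list drives both directions
    n=500
    for s in $dns_servers; do
        $fwcmd add $n allow udp from any to $s 53 out xmit $oif
        $fwcmd add $((n + 1)) allow udp from $s 53 to any in recv $oif
        n=$((n + 2))
    done
    $fwcmd add 600 allow icmp from any to any
    # Explicit, logged catch-all ahead of the kernel's default rule 65535
    $fwcmd add 65000 deny log ip from any to any
}

# Apply the rules where ipfw exists (i.e. when sourced on the FreeBSD box);
# elsewhere, or with FWCMD=echo, call load_rules yourself to see the output.
if [ -x "${FWCMD:-/sbin/ipfw}" ]; then load_rules; fi
```

To review the generated rules before loading them, run `FWCMD=echo sh -c '. /etc/ipfw.rules; load_rules'`.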