Date:      Wed, 18 Feb 2004 22:58:26 -0800
From:      "Derrick Ryalls" <ryallsd@datasphereweb.com>
To:        <freebsd-questions@freebsd.org>
Subject:   Ipfw ruleset check
Message-ID:  <013601c3f6b5$c5e1aa00$0201a8c0@aragorn>

I have a 4.9 router that I decided I want to have a meaningful firewall
with, so I have modified a copy of rc.firewall and would like someone to
point out if I am doing something monumentally stupid.

I want to allow all from within my network, but only let in a few from
the internet:

DNS
Email/imap-ssl(pop3-ssl in future)
Ssh
WWW

And whatever natd redirects I have (remote desktop mainly).  I
definitely want to protect mysqld and only allow it from localhost or
inside network.

Here is what I have come up with so far (kernel built with default to
deny):

        setup_loopback

        # set these to your network and netmask and ip
        net="192.168.1.0"
        mask="255.255.255.0"
        ip="192.168.1.1"

        # Allow any traffic to or from my own net.
        ${fwcmd} add pass all from ${ip} to ${net}:${mask}
        ${fwcmd} add pass all from ${net}:${mask} to ${ip}

        # Allow all out the world
        ${fwcmd} add pass all from ${ip} to any keep-state

        # Allow DNS queries out or in the world
        ${fwcmd} add pass all from any to any 53 keep-state

        # Allow email out or in the world
        ${fwcmd} add pass all from any to any 25 keep-state

        # Allow imap-ssl out or in the world
        ${fwcmd} add pass all from any to any 993 keep-state

        # Allow ssh out or in the world
        ${fwcmd} add pass all from any to any 22 keep-state

        # Allow www out or in the world
        ${fwcmd} add pass all from any to any 80 keep-state

        # Allow MSTSC in the world
        ${fwcmd} add pass all from any to any 5001 keep-state


Any glaring mistakes on my part?

TIA

-Derrick
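An added example, not part of Derrick's post: a small Python checker for the kind of review he is asking for. It parses the ruleset above (with ${fwcmd} and the shell variables expanded, as constructed sample input) and flags pass rules whose source and destination are both "any", which in ipfw match packets in either direction on any interface, plus rules that combine a port with protocol "all"; it also confirms that nothing opens mysqld's port 3306 from outside. EXT_IF in the messages is a placeholder for the outside interface name.

```python
import re

# Constructed sample input: the post's rules with ${fwcmd} expanded to "ipfw"
# and the shell variables substituted, one rule per line.
SAMPLE_RULESET = """\
ipfw add pass all from 192.168.1.1 to 192.168.1.0:255.255.255.0
ipfw add pass all from 192.168.1.0:255.255.255.0 to 192.168.1.1
ipfw add pass all from 192.168.1.1 to any keep-state
ipfw add pass all from any to any 53 keep-state
ipfw add pass all from any to any 25 keep-state
ipfw add pass all from any to any 993 keep-state
ipfw add pass all from any to any 22 keep-state
ipfw add pass all from any to any 80 keep-state
ipfw add pass all from any to any 5001 keep-state
"""

# action proto from src [sport] to dst [dport] [options]: enough for this ruleset.
RULE_RE = re.compile(
    r"^ipfw\s+add\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+(?P<sport>\d+))?\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?P<opts>.*)$"
)

def parse_rules(text):
    """Return one dict per parsable 'ipfw add' line, in ruleset order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def audit(rules):
    """Return (rule_number, message) for pass rules looser than the stated goal:
    a few services on the router reachable from outside, everything else denied."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] != "pass":
            continue
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((n, "src and dst are both 'any': the rule also passes traffic "
                                "leaving or transiting the router; bind dst to the router "
                                "address and add 'in via EXT_IF' (EXT_IF is a placeholder)"))
        if r["proto"] == "all" and r["dport"]:
            findings.append((n, "protocol 'all' with a port: write tcp or udp explicitly"))
    return findings

def exposes_port(rules, port):
    """True if a pass rule admits traffic from 'any' to the given destination port."""
    return any(r["action"] == "pass" and r["src"] == "any" and r["dport"] == str(port)
               for r in rules)
```

Running audit(parse_rules(SAMPLE_RULESET)) reports rules 4 through 9; the first three rules, which name the router's own address, pass clean.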


