From: "Derrick Ryalls"
To: freebsd-questions@freebsd.org
Date: Wed, 18 Feb 2004 22:58:26 -0800
Message-ID: <013601c3f6b5$c5e1aa00$0201a8c0@aragorn>
Subject: Ipfw ruleset check

I have a 4.9 router that I decided I want to have a meaningful firewall with, so I have modified a copy of rc.firewall and would like someone to point out if I am doing something monumentally stupid. I want to allow all from within my network, but only let in a few from the internet:

  DNS
  Email/imap-ssl (pop3-ssl in future)
  SSH
  WWW
  And whatever natd redirects I have (remote desktop mainly).

I definitely want to protect mysqld and only allow it from localhost or the inside network.
Here is what I have come up with so far (kernel built with default to deny):

    setup_loopback

    # set these to your network and netmask and ip
    net="192.168.1.0"
    mask="255.255.255.0"
    ip="192.168.1.1"

    # Allow any traffic to or from my own net.
    ${fwcmd} add pass all from ${ip} to ${net}:${mask}
    ${fwcmd} add pass all from ${net}:${mask} to ${ip}

    # Allow all out the world
    ${fwcmd} add pass all from ${ip} to any keep-state

    # Allow DNS queries out or in the world
    ${fwcmd} add pass all from any to any 53 keep-state

    # Allow email out or in the world
    ${fwcmd} add pass all from any to any 25 keep-state

    # Allow imap-ssl out or in the world
    ${fwcmd} add pass all from any to any 993 keep-state

    # Allow ssh out or in the world
    ${fwcmd} add pass all from any to any 22 keep-state

    # Allow www out or in the world
    ${fwcmd} add pass all from any to any 80 keep-state

    # Allow MSTSC in the world
    ${fwcmd} add pass all from any to any 5001 keep-state

Any glaring mistakes on my part?

TIA

-Derrick