From owner-freebsd-questions Thu Oct 3 23:59: 6 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B183837B401 for ; Thu, 3 Oct 2002 23:59:04 -0700 (PDT)
Received: from brabys.co.za (postoffice.brabys.co.za [192.96.48.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id BEAD243E4A for ; Thu, 3 Oct 2002 23:59:00 -0700 (PDT) (envelope-from nelis@brabys.co.za)
Received: from nelis.brabys.co.za (proxy-inner.brabys.co.za [192.96.48.11]) by brabys.co.za (8.12.0/8.12.0) with ESMTP id g946whCq017518 for ; Fri, 4 Oct 2002 08:58:43 +0200
Message-Id: <5.1.0.14.2.20021004085609.012ed3c8@192.96.48.11>
X-Sender: nelis@192.96.48.11
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 04 Oct 2002 08:58:50 +0200
To: freebsd-questions@freebsd.org
From: Nelis Lamprecht
Subject: ipfw ruleset
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-MailScanner: Found to be clean
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi People,

I'm trying to setup my firewall using ipfw on 4.6 Stable. I have read through the man pages and also several howto's but now I need your advice. I would like to setup a DNS server that will respond to queries and my current ruleset does not seem to permit this. Please tell me what I am doing wrong.
My Ruleset: ( ip's omitted )

add 00301 check-state
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to $lan 22,25,80,443 setup

add 00400 allow udp from any to any out
add 00401 allow udp from $lan to any 53
add 00402 allow udp from any 53 to $lan in recv rl0

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow me to run traceroute
add 00604 allow icmp from any to any icmptypes 11 in

#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup

#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin

#log anything that falls through
add 09000 deny log ip from any to any

Kind Regards,
Nelis

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message