From: Mark Stout
Date: Sun, 20 Feb 2000 22:00:06 +0000
To: freebsd-questions@FreeBSD.ORG
Subject: Reading rules in IPFW

Hi:

I have someone hacking into my system. It's a web hosting server so I can't take it off-line. I've blocked all known IP /24 addresses that I know of that the hacker has tried to come in on, but that's fruitless and not what I want. I want to deny everything, then open certain ports like 80 and 21 and 23 for specific networks.

I wrote some rules for IPFW that work as intended as long as I keep the default "allow ip from any to any" as the last rule. If I make it "deny ip from any to any" as the last rule, my previous rules that once worked now don't. Nobody can get in. This seems right.

Here's a sampling of the rules I have that work:

    ipfw add 100 permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
    ipfw add 100 permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
    ipfw add 100 permit log tcp from any to 209.60.152.2 80
    ipfw add 100 permit log tcp from any to 209.60.152.2 21
    ipfw add 100 deny log tcp from any to 209.60.152.2 23
    ...
    65535 allow ip from any to any

I allow access to Telnet from any host on network 209.13.14.0.
I allow access to Telnet from any host on network 209.13.15.0.
I allow HTTP from anyone.
I allow FTP from anyone.
I then deny Telnet from everyone else.
The default rule #65535 allows everything else in.

Now, where I keep these same rules but change 65535 to "deny ip from any to any", then nothing is allowed in, not HTTP or FTP.

Does IPFW stop at the first match or does it continue through the rest of the rules? I'd like to deny everything, then open what I want. How would I write those rules?

Thanks
Mark
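As an added illustration (not part of Mark's post or of FreeBSD itself), the Python model below applies ipfw's first-match evaluation to the rules above and shows why a default deny breaks HTTP: ipfw checks the server's reply packets too, and nothing in the posted rules matches traffic leaving port 80. The server address and rule text are taken from the post; the client address 198.51.100.7, the packet values, the simplified matcher and the added `allow tcp from any to any established` rule are assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network
SERVER = "209.60.152.2"  # the web host from the post
RULE_RE = re.compile(r"^(allow|permit|deny)\s+(?:log\s+)?(ip|tcp|udp)\s+from\s+(\S+)(?:\s+(\d+))?"
                     r"\s+to\s+(\S+)(?:\s+(\d+))?(\s+established)?$")

def parse(num, text):
    """Turn one rule body into a dict. 'log' is dropped: it never changes the verdict."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    act, proto, src, sport, dst, dport, est = m.groups()
    return dict(num=num, allow=act != "deny", proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established=bool(est))

def in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p["proto"]:
        return False
    if not in_net(r["src"], p["src"]) or not in_net(r["dst"], p["dst"]):
        return False
    if (r["sport"] and int(r["sport"]) != p["sport"]) or (r["dport"] and int(r["dport"]) != p["dport"]):
        return False
    return p["ack"] or not r["established"]  # 'established' only matches segments with ACK (or RST) set

def verdict(ruleset, pkt):
    """ipfw stops at the first allow/deny rule that matches; later rules are never consulted."""
    for r in ruleset:
        if matches(r, pkt):
            return r["allow"], r["num"]
    raise RuntimeError("no default rule")  # real ipfw always ends with rule 65535

def build(body, default):
    return [parse(100, t) for t in body] + [parse(65535, default)]

POSTED = ["permit log tcp from 209.13.15.0/24 to %s 23" % SERVER,
          "permit log tcp from 206.13.14.0/24 to %s 23" % SERVER,
          "permit log tcp from any to %s 80" % SERVER,
          "permit log tcp from any to %s 21" % SERVER,
          "deny log tcp from any to %s 23" % SERVER]
WITH_DEFAULT_ALLOW = build(POSTED, "allow ip from any to any")
WITH_DEFAULT_DENY = build(POSTED, "deny ip from any to any")
# Assumed fix: let the server's own replies (ACK set) pass before the per-port rules, then deny the rest.
FIXED = build(["allow tcp from any to any established"] + POSTED, "deny ip from any to any")

def http_session_ok(ruleset, client="198.51.100.7"):
    """ipfw checks both directions: the client's SYN to :80 and the server's SYN/ACK back must both pass."""
    syn = dict(proto="tcp", src=client, dst=SERVER, sport=40000, dport=80, ack=False)
    reply = dict(proto="tcp", src=SERVER, dst=client, sport=80, dport=40000, ack=True)
    return verdict(ruleset, syn)[0] and verdict(ruleset, reply)[0]
```

The `established` keyword trusts the ACK flag rather than tracked connection state, so on ipfw releases that support it the `keep-state`/`check-state` pair is the stronger way to admit return traffic under a default deny.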