Date:      Thu, 8 Feb 2001 13:28:50 -0600 (CST)
From:      Nick Rogness <nick@rogness.net>
To:        "Christian G.Charette" <chcharette@millic.com.ar>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw
Message-ID:  <Pine.BSF.4.21.0102081312160.3913-100000@cody.jharris.com>
In-Reply-To: <01020814513000.00915@spod.mic_ar>

On Thu, 8 Feb 2001, Christian G.Charette wrote:

> Hi, I'm a newbie in Unix and I'm running a FreeBSD box with Apache, and 
> I want to build some Firewall but all the instructives I found are 
> about firewalling for gateways. All I need is an example of a rule 
> set or something like that.

There are several ways to do it.  Here is one way I find most convenient.

Make a file in /etc called "firewall.rules" or something along those
lines.  Then, in /etc/firewall.rules:

# rule 500: drop inbound ICMP echo requests (ping) arriving on the outside interface
add 500 deny icmp from any to any in via ed0 icmptypes 8
# rules 600/601: permit telnet (TCP port 23) only from the two listed hosts
add 600 allow tcp from X.X.X.X to any 23 in via ed0
add 601 allow tcp from Y.Y.Y.Y to any 23 in via ed0
# rule 800: let all outbound traffic leave through the outside interface
add 800 allow ip from any to any out via ed0
# rule 1000: deny everything not matched above (ipfw stops at the first match)
add 1000 deny ip from any to any

Then in /etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/firewall.rules"

This is not a complete setup and needs some work.  But it gives you a
start.  Another way to do it is to edit /etc/rc.firewall, which most
people do, but I find the above technique easier to manage.  I used ed0 as
your outside interface to the world and X.X.X.X/Y.Y.Y.Y as IPs that you
want to connect to your machine via telnet.

> What I want to do is block ICMP and only allow a couple of IPs make 
> telnet to the box.

Be careful of what you wish.  Certain things use ICMP (like MTU path
disc.) and blocking that could cause problems.  If you look at rule number
500 above you can see how to deny ICMP_ECHO_REQUEST (ping).  

There are also some good references on how to build firewalls on the web.
I think one was mentioned earlier at mostgraveconcern.com.

Nick Rogness <nick@rogness.net>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
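As an added illustration (not part of Nick's message and not ipfw itself), here is a small Python model of ipfw's first-match evaluation, run over the five posted rules with constructed addresses substituted for X.X.X.X and Y.Y.Y.Y. It understands only the keywords those rules use (deny/allow, ip/tcp/icmp, from/to with an optional destination port, in/out, via, icmptypes), and its fallback mirrors ipfw's built-in rule 65535, which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. Tracing a few packets through it shows concretely what "needs some work" means: inbound echo requests die at rule 500 and telnet from the two hosts passes at 600/601, but anything else arriving on ed0, including connections to Apache on port 80, the ICMP "fragmentation needed" messages that path MTU discovery depends on, and replies to the box's own outbound queries, falls through to rule 1000.

```python
"""Toy first-match evaluator for the ipfw rule grammar used in the posted
ruleset.  This is an added illustration, not ipfw(8): it supports only the
keywords that appear in those five rules."""
from dataclasses import dataclass
from typing import Optional

# The posted ruleset with constructed sample addresses in place of the
# placeholders: X.X.X.X -> 192.0.2.10, Y.Y.Y.Y -> 192.0.2.20.
RULES_TEXT = """
add 500 deny icmp from any to any in via ed0 icmptypes 8
add 600 allow tcp from 192.0.2.10 to any 23 in via ed0
add 601 allow tcp from 192.0.2.20 to any 23 in via ed0
add 800 allow ip from any to any out via ed0
add 1000 deny ip from any to any
"""


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]
    icmptype: Optional[int]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str
    iface: str
    dport: Optional[int] = None
    icmptype: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one 'add N action proto from S to D [port] [in|out] [via IF] [icmptypes T]' line."""
    tok = line.split()
    if tok[0] != "add" or tok[4] != "from" or tok[6] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action, proto, src, dst = int(tok[1]), tok[2], tok[3], tok[5], tok[7]
    dport = direction = iface = icmptype = None
    i = 8
    if i < len(tok) and tok[i].isdigit():        # optional destination port
        dport, i = int(tok[i]), i + 1
    while i < len(tok):
        if tok[i] in ("in", "out"):
            direction, i = tok[i], i + 1
        elif tok[i] == "via":
            iface, i = tok[i + 1], i + 2
        elif tok[i] == "icmptypes":
            icmptype, i = int(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return Rule(number, action, proto, src, dst, dport, direction, iface, icmptype)


def parse_ruleset(text: str) -> list:
    """Skip blank and '#' comment lines; order by rule number as ipfw does."""
    lines = [l.strip() for l in text.splitlines()]
    return sorted((parse_rule(l) for l in lines if l and not l.startswith("#")),
                  key=lambda r: r.number)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every clause present in the rule must hold; 'ip' matches any protocol."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.icmptype is None or rule.icmptype == pkt.icmptype))


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (rule number, action) of the first match; fall back to ipfw's
    implicit rule 65535, which denies on a default kernel."""
    for r in rules:
        if matches(r, pkt):
            return r.number, r.action
    return 65535, "deny"


def verdicts() -> dict:
    """Trace constructed sample packets through the posted ruleset."""
    rules = parse_ruleset(RULES_TEXT)
    host = "203.0.113.5"  # constructed address of the FreeBSD box itself
    samples = {
        "ping in": Packet("icmp", "198.51.100.9", host, "in", "ed0", icmptype=8),
        "telnet from X": Packet("tcp", "192.0.2.10", host, "in", "ed0", dport=23),
        "telnet from stranger": Packet("tcp", "198.51.100.9", host, "in", "ed0", dport=23),
        "http to apache": Packet("tcp", "198.51.100.9", host, "in", "ed0", dport=80),
        "frag-needed in": Packet("icmp", "198.51.100.9", host, "in", "ed0", icmptype=3),
        "dns query out": Packet("udp", host, "192.0.2.53", "out", "ed0", dport=53),
        "dns reply in": Packet("udp", "192.0.2.53", host, "in", "ed0", dport=40000),
    }
    return {name: evaluate(rules, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (num, action) in verdicts().items():
        print(f"{name:22s} -> rule {num:5d} {action}")
```

Running it prints one line per sample: "ping in" and everything unmatched end in deny (rules 500 and 1000 respectively), only the two telnet sources reach allow at 600/601, and outbound traffic passes at 800; the denied "http to apache" and "dns reply in" lines are the gaps a standalone web server's ruleset would have to fill before going live.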
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0102081312160.3913-100000>