From owner-freebsd-questions Sun Mar 25 15:36:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 38DBF37B71B for ; Sun, 25 Mar 2001 15:36:11 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 25 Mar 2001 15:34:07 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.3/8.11.1) id f2PNaAU10232; Sun, 25 Mar 2001 15:36:10 -0800 (PST) (envelope-from cjc)
Date: Sun, 25 Mar 2001 15:36:10 -0800
From: "Crist J. Clark"
To: Carl
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Dynamic ipfw ruleset to block all unrequested packets...
Message-ID: <20010325153610.D5425@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <01032512585203.00338@Demon>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01032512585203.00338@Demon>; from no1-carl@home.com on Sun, Mar 25, 2001 at 12:58:52PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Mar 25, 2001 at 12:58:52PM -0500, Carl wrote:
> Hello, I have been reading through the firewall literature and have set up a
> very simple firewall. It is just for my home connection to my cable modem
> service. I do have a router attached to the cable modem that has my FreeBSD
> machine as a DMZ. The router's IP is 192.168.1.1 and it assigns my FreeBSD
> box 192.168.1.100.
>
> The following is my rc.firewall file snippet:
>
> ############
> # Local IP address of my computer
> ip="192.168.1.100"
>
> ############
> # Dynamic rule set that only allows packets
> # that have been requested by this IP
> ${fwcmd} add check-state
> ${fwcmd} add deny log all from not ${ip} to any
> ${fwcmd} add pass all from ${ip} to any keep-state
>
> When I use nmap to scan myself (ie: nmap -sS -p 111 ) it lists
> the sunrpc port as filtered (better than open), but I was wondering if it is
> possible to make this port disappear?

"Filtered" is the result you want. It means that nmap got no response
at all. Not sure what you mean by getting it to "disappear."

> The other strange thing, when I ping myself (ie: ping ) the ICMP
> packets get through. Is this because I am not pinging my machine from an
> outside source? If so why doesn't nmap behave the same way?

OK, this is strange. Where are you doing the nmap and pinging from? If
you are doing all of this from the machine with the firewall, these
results are not meaningful. Do it from another machine.

-- 
Crist J. Clark                                cjclark@alum.mit.edu
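The `deny log` rule in the quoted ruleset is what lets you see, from the firewall's side, what an outside scan looks like: the logged SYNs to port 111 that never get a reply are exactly what nmap reports as "filtered". As an added example (not code from this thread), here is a small POSIX shell script that summarises such ipfw deny-log lines per source host and destination port; the log lines are constructed samples in the classic ipfw syslog format, and the hostname, interface and addresses in them are made up.

```shell
#!/bin/sh
# Summarise ipfw "Deny" syslog lines by source host, protocol and
# destination port. The lines below are constructed samples in the
# classic ipfw log format:
#   ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>
# They are not taken from the original thread.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
Mar 25 15:30:01 gw /kernel: ipfw: 200 Deny TCP 10.9.8.7:40001 192.168.1.100:111 in via ed0
Mar 25 15:30:01 gw /kernel: ipfw: 200 Deny TCP 10.9.8.7:40002 192.168.1.100:111 in via ed0
Mar 25 15:30:02 gw /kernel: ipfw: 200 Deny TCP 10.9.8.7:40003 192.168.1.100:22 in via ed0
Mar 25 15:30:03 gw /kernel: ipfw: 200 Deny ICMP:8.0 10.9.8.7 192.168.1.100 in via ed0
Mar 25 15:30:04 gw /kernel: ipfw: 300 Accept TCP 192.168.1.100:1025 10.9.8.7:80 out via ed0
EOF

# Print one line per (source host, proto, dest port) with the number of
# packets the "deny log" rule dropped, most frequent first. A SYN that
# shows up here and is never answered is what nmap calls "filtered";
# "Accept" lines (the keep-state traffic) are ignored.
summarize_denies() {
    LC_ALL=C awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token; fields after it are
            # rule action proto src dst dir "via" iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
            sub(/:[0-9]+$/, "", src)              # drop the source port
            dport = dst; sub(/^.*:/, "", dport)   # keep only the dest port
            if (dport == dst) dport = "-"         # ICMP carries no port
            count[src " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

summarize_denies "$LOGFILE"
```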