From owner-freebsd-questions Thu Jun 7 12:57:26 2001
Date: Thu, 7 Jun 2001 13:57:14 -0600 (CST)
From: Ryan Thompson
To: Josh Thomas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW rules and outward connections
Organization: SaskNow Technologies [www.sasknow.com]

Josh Thomas wrote to freebsd-questions@FreeBSD.ORG:

> I am looking to set up a firewall to be closed to all incoming
> connections except for 20-22 (for ftp and ssh), and to allow all
> outward connections. However, I'm having trouble specifically keeping
> the dynamically assigned ports above 1024 for normal usage open, i.e.
> http from other machines, ftp from other machines.

You shouldn't need any keep-state or dynamic rules at all, for what
you've described here. To enable arbitrary outgoing connections from
the firewall machine:

network=192.168.0.0/24   # This could also just be an IP address

# Allow all outgoing connections
ipfw add 1000 allow ip from ${network} to any

# OR, only allow connections to remote ports 1024-9999
# (a port specification is only valid with tcp or udp, not ip)
ipfw add 1000 allow tcp from ${network} to any 1024-9999

# OR, allow all outgoing connections, with some exceptions
ipfw add 900 deny tcp from ${network} to any 119   # Deny usenet
ipfw add 901 deny tcp from ${network} to any ???   # Additional services
ipfw add 902 deny tcp from ${network} to any ???   # Additional services
ipfw add 1000 allow ip from ${network} to any

# And, then, you need to allow all established
# incoming tcp connections through to your network.
ipfw add 1010 allow tcp from any to ${network} established

> Is there specifically a way to allow outgoing connections and then
> keep that port open for incoming connections for a short time? This
> seems to be somewhat the functionality of keep-state, however that
> does not appear to work. If anybody has any examples, I would
> appreciate them. Neither the freebsd handbook nor the ipfw manpage
> goes into enough detail as I needed. Please cc responses, as I am not
> on the freebsd-questions list.
>
> Thanks,
>
> Josh Thomas
> Student Systems Analyst
> w
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
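The two approaches discussed in this thread, side by side, as an added example that is not part of the original messages: a script that prints the ipfw(8) commands for Josh's policy (inbound closed except 20-22, all outbound allowed), once with the stateless `established` rule from Ryan's reply and once with `keep-state`/`check-state`. The network, the outside interface name and the rule numbers are assumptions. Two things a practitioner should know before choosing: `established` matches any TCP segment with the ACK or RST bit set, so it admits crafted ACK probes to any port and does nothing for UDP; and `keep-state` only works when a `check-state` rule sits before the deny rules, which is the usual reason it "does not appear to work".

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset for the policy
# "inbound only ftp/ssh, everything outbound", in a stateless and a stateful
# variant.  It prints the commands instead of running them so the set can be
# reviewed; pipe the output to sh on the firewall.  NETWORK and OIF are
# assumed values.

NETWORK="${NETWORK:-192.168.0.0/24}"
OIF="${OIF:-fxp0}"   # assumption: the firewall's outside interface

common_rules() {
    # flush, loopback, and a basic anti-spoofing check on the outside interface
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 110 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 120 deny ip from ${NETWORK} to any in via ${OIF}"
}

# Variant 1: the stateless ruleset from the reply above.  New inbound TCP
# connections are limited to 20-22 ('setup' = SYN without ACK); replies to
# outbound connections get in through 'established', which matches any TCP
# segment with ACK or RST set, whether or not a connection exists.
stateless_rules() {
    common_rules
    echo "ipfw add 300 allow tcp from any to ${NETWORK} 20-22 setup"
    echo "ipfw add 1000 allow ip from ${NETWORK} to any out via ${OIF}"
    echo "ipfw add 1010 allow tcp from any to ${NETWORK} established"
    echo "ipfw add 65000 deny ip from any to any"
}

# Variant 2: stateful.  'check-state' must precede the deny rules; 'keep-state'
# on a rule creates a dynamic entry for that flow so its replies match
# check-state.  This also tracks UDP and ICMP, which 'established' cannot.
stateful_rules() {
    common_rules
    echo "ipfw add 200 check-state"
    echo "ipfw add 300 allow tcp from any to ${NETWORK} 20-22 setup keep-state"
    echo "ipfw add 1000 allow ip from ${NETWORK} to any out via ${OIF} keep-state"
    echo "ipfw add 65000 deny ip from any to any"
}

# Number of rules in the stateless set that admit inbound TCP without a SYN
# check, i.e. the rules an ACK probe would pass through.
stateless_ack_passthrough_count() {
    stateless_rules | grep -c 'established'
}

# Usage: ./ipfw-policy.sh stateless | sh   or   ./ipfw-policy.sh stateful | sh
case "${1:-}" in
    stateless) stateless_rules ;;
    stateful)  stateful_rules ;;
esac
```

Run either variant with the firewall's real outside interface in `OIF` and check the loaded set with `ipfw show`; with the stateful variant, `ipfw -d show` lists the dynamic entries created by `keep-state`, which is the quickest way to confirm that return traffic is being admitted by state rather than by an `established` rule.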