From: Horinouchi Hiroyuki <chofu.tap@ce.wakwak.com>
To: doc@freebsd.org
Date: Thu, 29 Sep 2005 22:55:35 +0900
Subject: Personal Firewall with IPFW

Hi,

I would be interested in hearing opinions about configuring a personal firewall with IPFW. I will make a personal firewall referring to the example that has been shown by you. I am using a mobile PC. Therefore, the connection destination and the interface are also different in every case.
Is stateful filtering possible even in such an environment? The address of the DNS server and the address of the DHCP server are different according to the situation. I will omit the via interface. In addition, a part of the rule that you showed is changed as follows.

#!/bin/sh
# Personal firewall ruleset for a mobile PC. No "via <interface>" is given on
# the rules, because the interface differs from place to place.
ipfw -q -f flush
cmd="ipfw -q add"

# Loopback traffic, then the dynamic (stateful) rule check
$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state

# Outbound: DNS, DHCP and the client protocols in use; each creates state
$cmd 00110 allow tcp from any to any 53 out setup keep-state
$cmd 00111 allow udp from any to any 53 out keep-state
$cmd 00120 allow log udp from any to any 67 out keep-state
$cmd 00200 allow tcp from any to any 80 out setup keep-state
$cmd 00220 allow tcp from any to any 443 out setup keep-state
$cmd 00230 allow tcp from any to any 25 out setup keep-state
$cmd 00231 allow tcp from any to any 110 out setup keep-state
$cmd 00250 allow icmp from any to any out keep-state
$cmd 00260 allow tcp from any to any 37 out setup keep-state
$cmd 00270 allow tcp from any to any 119 out setup keep-state
$cmd 00280 allow tcp from any to any 22 out setup keep-state
$cmd 00290 allow tcp from any to any 43 out setup keep-state
$cmd 00299 deny log all from any to any out

# Inbound: drop private, reserved and otherwise unexpected source ranges
$cmd 00300 deny all from 192.168.0.0/16 to any in
$cmd 00301 deny all from 172.16.0.0/12 to any in
$cmd 00302 deny all from 10.0.0.0/8 to any in
$cmd 00303 deny all from 127.0.0.0/8 to any in
$cmd 00304 deny all from 0.0.0.0/8 to any in
$cmd 00305 deny all from 169.254.0.0/16 to any in
$cmd 00306 deny all from 192.0.2.0/24 to any in
$cmd 00307 deny all from 204.152.64.0/23 to any in
$cmd 00308 deny all from 224.0.0.0/3 to any in

# Inbound: ICMP, ident, NetBIOS, port 81, fragments and unsolicited ACK/RST segments
$cmd 00310 deny icmp from any to any in
$cmd 00315 deny tcp from any to any 113 in
$cmd 00320 deny tcp from any to any 137 in
$cmd 00321 deny tcp from any to any 138 in
$cmd 00322 deny tcp from any to any 139 in
$cmd 00323 deny tcp from any to any 81 in
$cmd 00330 deny all from any to any frag in
$cmd 00332 deny tcp from any to any established in

# Inbound UDP to port 67 (DHCP), then log and deny everything else
$cmd 00360 allow udp from any to any 67 in keep-state
$cmd 00499 deny log all from any to any in
$cmd 00999 deny log all from any to any

I would greatly appreciate any good advice.
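As an added illustration (not part of the post above and not ipfw's own code), the following Python model walks packets through a subset of the posted rules in ipfw's first-match order, with keep-state recording a flow and check-state admitting its return half. It shows the property the question is about: the outbound rules carry no server addresses and no via interface, so the reply to a connection is accepted through the dynamic entry created when the connection was opened, not through a static rule tied to whichever DNS or DHCP server the current network happens to use, while an unsolicited inbound SYN still falls through to the deny rule. The addresses, ports and packets are constructed; the handled option subset (in/out, setup, established, keep-state) and the simplification that a check-state hit means allow are assumptions of the model, not ipfw's full semantics.

```python
"""Toy model of ipfw(8) first-match evaluation with keep-state / check-state.
Added example, not part of the mailing-list post and not ipfw's own code; it
handles only the rule syntax the post uses (no "via", as the post omits it).
The ruleset is a constructed subset of the posted one; addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
RULESET = """
00015 check-state
00200 allow tcp from any to any 80 out setup keep-state
00280 allow tcp from any to any 22 out setup keep-state
00299 deny log all from any to any out
00300 deny all from 192.168.0.0/16 to any in
00332 deny tcp from any to any established in
00499 deny log all from any to any in
00999 deny log all from any to any
"""

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str          # "in" or "out"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    number: int
    action: str             # "allow", "deny" or "check-state"
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    opts: set = field(default_factory=set)

    def matches(self, pkt):
        return all((
            self.proto in ("all", pkt.proto),
            self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport),
            "in" not in self.opts or pkt.direction == "in",
            "out" not in self.opts or pkt.direction == "out",
            "setup" not in self.opts or (pkt.syn and not pkt.ack),   # SYN without ACK
            "established" not in self.opts or pkt.ack,               # ACK (or RST) set
            self.src == "any" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src),
            self.dst == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst),
        ))

RULE_RE = re.compile(
    r"(?P<num>\d+) (?P<action>allow|deny)(?: log)? (?P<proto>\S+) from (?P<src>\S+)(?: (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: (?P<dport>\d+))?(?P<rest>.*)")

def parse_rule(line):
    """Parse one rule in the post's syntax; the 'log' keyword is accepted and ignored."""
    tok = line.split()
    if tok[1] == "check-state":
        return Rule(int(tok[0]), "check-state")
    m = RULE_RE.fullmatch(line.strip())
    return Rule(int(m["num"]), m["action"], m["proto"], m["src"], m["dst"],
                int(m["sport"]) if m["sport"] else None,
                int(m["dport"]) if m["dport"] else None, set(m["rest"].split()))

class Firewall:
    def __init__(self, text):
        self.rules = [parse_rule(l) for l in text.split("\n") if l.strip()]
        self.dynamic = set()   # flow 5-tuples recorded by keep-state rules

    def evaluate(self, pkt):
        """Return (rule number, action) of the first rule that decides the packet."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for r in self.rules:
            if r.action == "check-state":
                # Dynamic entries match either direction; a hit is an allow here (simplification: all keep-state rules are allows)
                if fwd in self.dynamic or rev in self.dynamic:
                    return r.number, "allow"
            elif r.matches(pkt):
                if r.action == "allow" and "keep-state" in r.opts:
                    self.dynamic.add(fwd)
                return r.number, r.action
        return 65535, "deny"   # ipfw's implicit default rule

def demo():
    """Walk constructed packets through the ruleset and return their verdicts."""
    fw = Firewall(RULESET)
    me, web, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    return [
        fw.evaluate(Packet("tcp", me, web, "out", 40000, 80, syn=True)),           # 00200: allowed, state kept
        fw.evaluate(Packet("tcp", web, me, "in", 80, 40000, syn=True, ack=True)),  # 00015: reply admitted by state
        fw.evaluate(Packet("tcp", stranger, me, "in", 5555, 22, syn=True)),        # 00499: no state, 00280 is out-only
        fw.evaluate(Packet("tcp", me, web, "out", 40001, 23, syn=True)),           # 00299: port 23 is not allowed out
        fw.evaluate(Packet("udp", "192.168.5.5", me, "in", 53, 40002)),            # 00300: private source address
    ]
```

Each entry returned by demo() is (rule number, action) for one constructed packet. The second packet is the only inbound one that is accepted, and it is accepted at 00015 on the strength of the state left by the first packet; nothing in the static rules names the web server's address, which is why the same ruleset behaves identically on whichever network the laptop is attached to. The inbound SYN to port 22 reaches 00499 because 00280 is an outbound rule and no dynamic entry exists for that flow.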