From: Ted Sikora
Date: Wed, 01 Aug 2001 22:52:26 -0400
To: freebsd-stable@FreeBSD.ORG
Subject: firewall ruleset questions

I have stable on both cable and dsl. Each machine has 2 nic cards. I just set up a firewall with the following rules. I just need http, ftp, ssh, nfs (internal network).

# Define the firewall command
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the xl0 interface.
$fwcmd add divert natd all from any to any via xl0

# Allow all data from my network cards and localhost.
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0
$fwcmd add allow ip from any to any via ed0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit xl0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via xl0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 20 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv xl0

# Allow outgoing DNS queries ONLY to the specified servers.
# $fwcmd add allow udp from any to x.x.x.x 53 out xmit xl0
# Allow them back in with the answers... :)
# $fwcmd add allow udp from x.x.x.x 53 to any in recv xl0

# Allow ICMP (for ping and traceroute to work).
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Will this suffice or does it need tightening? Also, do I need:

# If you're using 'options BRIDGE'
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

with cable and dsl modems? Can I limit nat to one ip like 192.168.1.5? Will nat cause a problem with other machines on the internal network with their own net connection?

-- 
Ted Sikora
tsikora@ntplx.net
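As an added illustration (not part of the post above), a small first-match simulator over the posted ruleset in Python, covering only the ipfw syntax subset those rules use; the divert/natd line and the two FTP rules (same shape as the 80 and 22 rules) are left out, xl0 is taken to be the cable/dsl side as the post's comments imply, and the packet fields are a simplified model. It shows that the blanket "allow ip from any to any via xl0" line decides every packet on the external interface before the per-port rules are ever consulted.

```python
import re

# The posted ruleset minus the divert/natd line (NAT is not modelled); ipfw is first-match.
RULES = [
    "allow ip from any to any via lo0",
    "allow ip from any to any via xl0",
    "allow ip from any to any via ed0",
    "allow tcp from any to any out xmit xl0 setup",
    "allow tcp from any to any via xl0 established",
    "allow tcp from any to any 80 setup",
    "allow tcp from any to any 22 setup",
    "reset log tcp from any to any 113 in recv xl0",
    "allow icmp from any to any",
    "deny log ip from any to any",
]
RULE_RE = re.compile(r"(allow|deny|reset)(?: log)? (ip|tcp|udp|icmp) from any to any(?: (\d+))?(.*)")

def parse(rule):
    """Turn one rule (only the syntax subset used above) into a match spec."""
    action, proto, port, rest = RULE_RE.fullmatch(rule).groups()
    opts = rest.split()
    spec = {"action": action, "proto": proto, "dport": int(port) if port else None, "iface": None,
            "dir": None, "setup": "setup" in opts, "established": "established" in opts}
    for kw, direction in (("via", None), ("recv", "in"), ("xmit", "out")):
        if kw in opts:                      # 'via' matches either direction
            spec["iface"], spec["dir"] = opts[opts.index(kw) + 1], direction
    return spec

def matches(spec, pkt):
    """pkt fields (simplified model): proto, iface, dir ('in'/'out'), dport, flags (TCP flag letters)."""
    flags = pkt.get("flags", set())
    return (spec["proto"] in ("ip", pkt["proto"])
            and spec["dport"] in (None, pkt.get("dport"))
            and spec["iface"] in (None, pkt["iface"])
            and spec["dir"] in (None, pkt["dir"])
            and (not spec["setup"] or flags == {"S"})                   # setup: SYN without ACK
            and (not spec["established"] or bool(flags & {"A", "R"})))  # established: ACK or RST

def verdict(rules, pkt):
    """Return (1-based index of the first matching rule, action); 0 means the implicit default deny."""
    for i, rule in enumerate(rules, 1):
        spec = parse(rule)
        if matches(spec, pkt):
            return i, spec["action"]
    return 0, "deny"

# Constructed sample: an unsolicited SYN from the Internet to telnet (23) arriving on xl0.
TELNET_SYN = {"proto": "tcp", "iface": "xl0", "dir": "in", "dport": 23, "flags": {"S"}}
TIGHTENED = RULES[:1] + RULES[2:]           # the same ruleset without "allow ip ... via xl0"
```

With the blanket rule present, verdict(RULES, TELNET_SYN) is (2, 'allow'); with it removed, the same SYN falls through every per-port rule to the final deny while SSH SYNs and established traffic are still accepted.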