From owner-freebsd-stable Wed Aug 1 20:23:48 2001
Delivered-To: freebsd-stable@freebsd.org
From: "Robert Banniza"
To: "Ted Sikora"
Subject: RE: firewall ruleset questions
Date: Wed, 1 Aug 2001 22:25:47 -0500
In-Reply-To: <3B68C06A.131C4C67@home.com>
Sender: owner-freebsd-stable@FreeBSD.ORG

Check out http://www.rootprompt.net/freebsd_firewall.html

Robert

-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Ted Sikora
Sent: Wednesday, August 01, 2001 9:52 PM
To: freebsd-stable@FreeBSD.ORG
Subject: firewall ruleset questions

I have stable on both cable and dsl. Each machine has 2 nic cards. I just
set up a firewall with the following rules. I just need http, ftp, ssh and
nfs (internal network).

# Define the firewall command
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the xl0 interface.
$fwcmd add divert natd all from any to any via xl0

# Allow all data from my network cards and localhost.
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0
$fwcmd add allow ip from any to any via ed0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit xl0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via xl0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 20 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv xl0

# Allow outgoing DNS queries ONLY to the specified servers.
# $fwcmd add allow udp from any to x.x.x.x 53 out xmit xl0
# Allow them back in with the answers... :)
# $fwcmd add allow udp from x.x.x.x 53 to any in recv xl0

# Allow ICMP (for ping and traceroute to work).
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Will this suffice, or does it need tightening? Also, do I need:

# If you're using 'options BRIDGE'
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

with cable and dsl modems? Can I limit nat to one ip like 192.168.1.5?
Will nat cause a problem with other machines on the internal network with
their own net connection?

--
Ted Sikora
tsikora@ntplx.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
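ipfw is a first-match filter, so the order of Ted's rules decides what the per-service rules actually do. The following is an added example (not from the post, not from Robert's page, and not FreeBSD code): a small Python simulator that parses the subset of ipfw syntax the quoted ruleset uses and walks constructed sample packets through it, reporting which rule each packet hits and which rules no probe ever reaches. It treats the `divert natd` rule as a pass-through (natd reinjects the packet at the next rule), ignores explicit rule numbers because this ruleset is added in ascending order anyway, and uses a hypothetical third interface `tun0` and documentation-range addresses for the probes.

```python
"""First-match walk of the ipfw ruleset quoted in the post (added example,
not part of the post). Only the ipfw syntax the ruleset uses is modelled;
'divert natd' is a pass-through, since natd reinjects at the next rule."""

# Ted's ruleset, with the shell comments removed.
RULESET = """
$fwcmd add divert natd all from any to any via xl0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0
$fwcmd add allow ip from any to any via ed0
$fwcmd add allow tcp from any to any out xmit xl0 setup
$fwcmd add allow tcp from any to any via xl0 established
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 20 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add reset log tcp from any to any 113 in recv xl0
$fwcmd add 65435 allow icmp from any to any
$fwcmd add 65435 deny log ip from any to any
"""


def parse_rule(line):
    """Parse one 'add' line into a dict (explicit rule numbers are dropped)."""
    tok = line.replace("$fwcmd ", "").split()
    rule = {"text": " ".join(tok), "dir": None, "iface": None,
            "setup": False, "established": False}
    tok.pop(0)                                   # "add"
    if tok[0].isdigit():
        tok.pop(0)                               # explicit rule number
    rule["action"] = tok.pop(0)
    if rule["action"] == "divert":
        tok.pop(0)                               # divert port ("natd")
    if tok[0] == "log":
        tok.pop(0)
    rule["proto"] = tok.pop(0)
    tok.pop(0)                                   # "from"
    rule["src"] = tok.pop(0)
    rule["sport"] = int(tok.pop(0)) if tok[0].isdigit() else None
    tok.pop(0)                                   # "to"
    rule["dst"] = tok.pop(0)
    rule["dport"] = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    while tok:
        t = tok.pop(0)
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("via", "xmit", "recv"):
            rule["iface"] = (t, tok.pop(0))
        elif t in ("setup", "established"):
            rule[t] = True
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return rule


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def packet(proto, iface, direction, dport=None, flags=(), sport=40000,
           src="203.0.113.7", dst="192.0.2.10"):
    """Constructed sample packet (documentation addresses, not real hosts)."""
    return {"proto": proto, "iface": iface, "dir": direction, "dport": dport,
            "sport": sport, "src": src, "dst": dst, "flags": set(flags)}


def matches(r, p):
    tcp = p["proto"] == "tcp"
    ok = [r["proto"] in ("ip", "all", p["proto"]),
          r["src"] in ("any", p["src"]), r["dst"] in ("any", p["dst"]),
          r["sport"] in (None, p["sport"]), r["dport"] in (None, p["dport"]),
          r["dir"] in (None, p["dir"]),
          # ipfw: setup = SYN without ACK; established = ACK or RST set
          not r["setup"] or (tcp and "SYN" in p["flags"] and "ACK" not in p["flags"]),
          not r["established"] or (tcp and bool(p["flags"] & {"ACK", "RST"}))]
    if r["iface"]:
        kind, name = r["iface"]
        ok += [name == p["iface"], kind != "xmit" or p["dir"] == "out",
               kind != "recv" or p["dir"] == "in"]
    return all(ok)


def first_match(rules, p):
    """(action, rule text) of the first terminal rule that p hits."""
    for r in rules:
        if r["action"] != "divert" and matches(r, p):
            return r["action"], r["text"]
    return "deny", "<kernel default>"   # no IPFIREWALL_DEFAULT_TO_ACCEPT


def rules_never_hit(rules, packets):
    """Rules that none of the probe packets reach: shadowed-rule candidates."""
    hit = {first_match(rules, p)[1] for p in packets}
    return [r["text"] for r in rules if r["action"] != "divert" and r["text"] not in hit]


# Constructed probes: internet side is xl0, LAN side is ed0, and "tun0" is a
# hypothetical third interface the ruleset never names.
SAMPLES = [packet("tcp", "xl0", "in", 80, {"SYN"}),    # inbound http, the wanted case
           packet("tcp", "xl0", "in", 25, {"SYN"}),    # inbound SMTP, not a wanted service
           packet("tcp", "xl0", "in", 113, {"SYN"}),   # inbound ident, meant to get a RST
           packet("tcp", "ed0", "in", 22, {"SYN"}),    # LAN host opening ssh
           packet("tcp", "tun0", "in", 25, {"SYN"}),   # tcp on the unnamed interface
           packet("icmp", "tun0", "in")]               # icmp on the unnamed interface

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["proto"], p["iface"], p["dport"], "->", first_match(RULES, p))
    print("never hit:", rules_never_hit(RULES, SAMPLES))
```

Running it shows that every probe arriving on xl0, wanted or not, is decided by the blanket `allow ip from any to any via xl0` rule near the top, so the per-service `setup` rules and the ident `reset` rule are never consulted for the external interface; the deny rule only ever fires for traffic on an interface the ruleset does not name. A rule-shadowing check like this is worth running whenever an "allow everything on interface X" rule sits above more specific rules.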