Date: Thu, 12 Apr 2001 09:31:25 +0200
From: Martin Hasenbein <mh-freebsd-ipfw@space.Net>
To: freebsd-ipfw@freebsd.org
Subject: what about this ruleset?
Message-ID: <20010412093125.A60060@Space.Net>
Hi everybody,

what do you think about this ruleset? This is the ruleset of my server.
I need the following services available:

  SSH    incoming and outgoing
  SMTP   incoming and outgoing
  FTP    outgoing
  Ping   incoming and outgoing
  POP3   incoming
  Samba
  NFS

I have official IP addresses and don't do NAT.

  work   = my server
  home   = my workstation
  router = my router
  tupac  = my girlfriend's Windows box

### Setup ######
fwcmd="/sbin/ipfw"

${fwcmd} -f flush

# 00100 & 00200 loopback
# 00300 tcp
# 00400 udp
# 00500 kiddie logging (netbus etc)
# 00600 icmp logging

# loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# private (RFC 1918) and reserved address space, both directions on fxp0
${fwcmd} add 205 deny log all from any to 10.0.0.0/8 via fxp0
${fwcmd} add 206 deny log all from any to 172.16.0.0/12 via fxp0
${fwcmd} add 207 deny log all from any to 192.168.0.0/16 via fxp0
${fwcmd} add 208 deny log all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 209 deny log all from 172.16.0.0/12 to any via fxp0
${fwcmd} add 210 deny log all from 192.168.0.0/16 to any via fxp0
${fwcmd} add 211 deny log all from any to 0.0.0.0/8 via fxp0
${fwcmd} add 212 deny log all from any to 169.254.0.0/16 via fxp0
${fwcmd} add 213 deny log all from any to 192.0.2.0/24 via fxp0
${fwcmd} add 214 deny log all from any to 224.0.0.0/4 via fxp0
${fwcmd} add 215 deny log all from any to 240.0.0.0/4 via fxp0
${fwcmd} add 216 deny log all from 0.0.0.0/8 to any via fxp0
${fwcmd} add 217 deny log all from 169.254.0.0/16 to any via fxp0
${fwcmd} add 218 deny log all from 192.0.2.0/24 to any via fxp0
${fwcmd} add 219 deny log all from 224.0.0.0/4 to any via fxp0
${fwcmd} add 220 deny log all from 240.0.0.0/4 to any via fxp0

# tcp: outgoing connections, established traffic, then the inbound services
${fwcmd} add 300 pass tcp from work to any out xmit fxp0 setup
${fwcmd} add 301 pass tcp from any to any established
${fwcmd} add 302 pass tcp from any to work 22 in recv fxp0 setup
${fwcmd} add 303 pass tcp from any to work 25 in recv fxp0 setup
${fwcmd} add 304 pass tcp from any to work 110 in recv fxp0 setup
${fwcmd} add 305 pass tcp from any 20 to work 1024-65535 in recv fxp0 setup
${fwcmd} add 306 reset tcp from any to work 113 in recv fxp0 setup
${fwcmd} add 307 reset log tcp from any to any in recv fxp0 setup

# udp: workstation, DNS, Samba from tupac, traceroute probes
${fwcmd} add 400 pass log udp from home to work in recv fxp0
${fwcmd} add 402 pass udp from any 53 to work in recv fxp0
${fwcmd} add 403 pass udp from work to any 53 out xmit fxp0
${fwcmd} add 404 pass log udp from tupac to work 137-139 via fxp0
${fwcmd} add 405 pass log udp from work to any 33434-33534
${fwcmd} add 406 unreach port log udp from any to any in recv fxp0

# icmp
${fwcmd} add 600 pass icmp from work to any icmptypes 0,3,4,8,11,12 out xmit fxp0
${fwcmd} add 601 pass icmp from any to work icmptypes 0,3,4,8,11,12 in recv fxp0
${fwcmd} add 602 deny icmp from any to any in recv fxp0

# catch-all
${fwcmd} add 700 deny all from any to 255.255.255.255
${fwcmd} add 701 deny log all from any to any

Any suggestions, comments, tips, tricks ........

\thx\martin

--
--------------------------------------------------------------------
Martin Hasenbein          Phone (Fax): (+49) 89 1216376-1 (3)     \|/
Weiglstr.9                mailto:martin@hasenbein.com             @ @
D-80636 München           http://martin.hasenbein.com        -oOO-(_)-OOo-
--------------------------------------------------------------------
On the 8th day, god created Unix ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010412093125.A60060>
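The question in the post is really about first-match ordering: ipfw walks rules in ascending number and the first rule that matches decides the packet's fate. The following simulator is an added example, not code from the post or from FreeBSD; it parses the subset of ipfw syntax the posted ruleset uses and evaluates constructed packets against a verbatim subset of those rules. The addresses behind the hostnames work/home/tupac are constructed stand-ins (the post gives none), and `via`/`recv`/`xmit` are all simplified to a single interface check, which is looser than real ipfw.

```python
"""Minimal first-match simulator for the ipfw(8) rule subset used in the posted
ruleset (pass/deny/reset/unreach, from/to with ports, in/out, via/recv/xmit,
setup, established, icmptypes). Added example, not code from the post."""
import ipaddress
import shlex

# Constructed stand-ins for the poster's hostnames (real addresses not given).
HOSTS = {"work": "192.0.2.10", "home": "192.0.2.20", "tupac": "192.0.2.30"}
OPTS = {"in", "out", "via", "recv", "xmit", "setup", "established", "icmptypes"}


def _net(tok):
    """'any' -> None (wildcard); hostname or IP/CIDR -> ip_network."""
    return None if tok == "any" else ipaddress.ip_network(HOSTS.get(tok, tok), strict=False)


def _ports(tok):
    """'22' -> (22, 22); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse 'add N action [log] proto from src [ports] to dst [ports] options...'."""
    t = shlex.split(line)
    r = {"num": int(t[1]), "action": t[2], "log": False, "sports": None, "dports": None,
         "dir": None, "iface": None, "setup": False, "established": False, "icmptypes": None}
    i = 3
    if r["action"] == "unreach":          # 'unreach port' carries its ICMP code
        r["action"] = "unreach " + t[i]; i += 1
    if t[i] == "log":
        r["log"] = True; i += 1
    r["proto"] = t[i]; i += 2             # skip the proto and the 'from' keyword
    r["src"] = _net(t[i]); i += 1
    if t[i] != "to":
        r["sports"] = _ports(t[i]); i += 1
    i += 1                                # skip 'to'
    r["dst"] = _net(t[i]); i += 1
    if i < len(t) and t[i] not in OPTS:
        r["dports"] = _ports(t[i]); i += 1
    while i < len(t):
        w = t[i]; i += 1
        if w in ("in", "out"):
            r["dir"] = w
        elif w in ("via", "recv", "xmit"):   # simplification: all three pin one interface
            r["iface"] = t[i]; i += 1
        elif w == "icmptypes":
            r["icmptypes"] = {int(x) for x in t[i].split(",")}; i += 1
        else:                                # 'setup' or 'established'
            r[w] = True
    return r


def matches(r, p):
    """ipfw semantics for this subset: setup = SYN without ACK, established = ACK or RST set."""
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    for key, net in (("src", r["src"]), ("dst", r["dst"])):
        if net is not None and ipaddress.ip_address(p[key]) not in net:
            return False
    for key, rng in (("sport", r["sports"]), ("dport", r["dports"])):
        if rng is not None and not rng[0] <= p.get(key, -1) <= rng[1]:
            return False
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["iface"] and r["iface"] != p["iface"]:
        return False
    if r["setup"] and not (p.get("syn") and not p.get("ack")):
        return False
    if r["established"] and not (p.get("ack") or p.get("rst")):
        return False
    if r["icmptypes"] is not None and p.get("icmptype") not in r["icmptypes"]:
        return False
    return True


def first_match(rules, p):
    """Walk the rules in number order and return (number, action) of the first hit;
    with no hit, report ipfw's implicit last rule 65535 (assumed to be deny)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"


def pkt(proto, src, sport, dst, dport, direction="in", iface="fxp0", **flags):
    """Constructed packet description; flags are syn/ack/rst/icmptype."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                dir=direction, iface=iface, **flags)


# A subset of the posted rules, quoted verbatim from the message.
RULESET = """
add 205 deny log all from any to 10.0.0.0/8 via fxp0
add 301 pass tcp from any to any established
add 302 pass tcp from any to work 22 in recv fxp0 setup
add 305 pass tcp from any 20 to work 1024-65535 in recv fxp0 setup
add 307 reset log tcp from any to any in recv fxp0 setup
add 404 pass log udp from tupac to work 137-139 via fxp0
add 406 unreach port log udp from any to any in recv fxp0
add 601 pass icmp from any to work icmptypes 0,3,4,8,11,12 in recv fxp0
add 602 deny icmp from any to any in recv fxp0
add 701 deny log all from any to any
"""
RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]

if __name__ == "__main__":
    for label, p in [
        ("SSH SYN to work", pkt("tcp", "198.51.100.5", 40000, "192.0.2.10", 22, syn=True)),
        ("HTTP SYN to work", pkt("tcp", "198.51.100.5", 40001, "192.0.2.10", 80, syn=True)),
        ("bare ACK to work:9999", pkt("tcp", "198.51.100.5", 40002, "192.0.2.10", 9999, ack=True)),
        ("NetBIOS from tupac", pkt("udp", "192.0.2.30", 137, "192.0.2.10", 137)),
        ("NetBIOS from stranger", pkt("udp", "198.51.100.5", 137, "192.0.2.10", 137)),
        ("outbound to RFC 1918", pkt("tcp", "192.0.2.10", 40003, "10.1.2.3", 80, "out", syn=True)),
    ]:
        print(f"{label:24s} -> rule {first_match(RULES, p)}")
```

Running it shows the ordering effects a reviewer would point at: the SSH SYN stops at 302 while an unlisted port falls through to the 307 reset, the NetBIOS datagram from tupac is accepted at 404 while the same datagram from anyone else gets the 406 port-unreachable, and the bare-ACK segment is accepted at 301 before any port rule is consulted, because a stateless `established` rule only looks at TCP flags, not at whether a connection exists. Trying a candidate rule change against a packet table like this, before loading it with `ipfw -f flush`, is a cheap way to check that the rule numbers really produce the policy described in the services list.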