Date: Tue, 30 Jan 2001 11:59:10 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Pete Fritchman <petef@databits.net>
Cc: John Telford <j.telford@sympatico.ca>, freebsd-security@freebsd.org
Subject: Re: IPFW modify the "simple" rule set 4.2 to allow ...
Message-ID: <6446.980848750@axl.fw.uunet.co.za>
In-Reply-To: Your message of "Wed, 24 Jan 2001 10:46:31 EST." <20010124104631.B4887@databits.net>
On Wed, 24 Jan 2001 10:46:31 EST, Pete Fritchman wrote:

> You'll need to modify /etc/rc.firewall. Look through until you see something
> like:

This isn't ideal. Rather, allow the system to boot with firewall_type="simple"
in /etc/rc.conf. Then use ipfw(8) to show the ruleset in place. Then copy
these rules into /etc/firewall.local or whatever. Then set
firewall_type="/etc/firewall.local" or whatever.

Here's what my /etc/firewall.axl looks like:

-------------------------
-f flush

# Loopback traffic passes; anything else addressed to 127/8 (i.e. not
# arriving via lo0) is dropped and logged.
#
add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8

# These two rules save over-use of dynamic rules instantiated by the
# 'keep-state' rule at the bottom.
#
add allow tcp from 172.16.3.5 to 172.16.0.1 domain
add allow tcp from 172.16.0.1 domain to 172.16.3.5

add allow tcp from 172.16.0.1 to 172.16.3.5 smtp
add allow tcp from 172.16.3.5 smtp to 172.16.0.1

add allow tcp from any to 172.16.3.5 ssh
add allow tcp from 172.16.3.5 ssh to any

# The next six rules open up enough to allow Samba (NTLM sharing) access
# from remote hosts.
#
add allow udp from 172.16.0.0/15 to 172.16.3.5 137
add allow udp from 172.16.3.5 137 to 172.16.0.0/15
add allow udp from 172.16.0.0/15 to 172.16.3.5 138
add allow udp from 172.16.3.5 138 to 172.16.0.0/15
add allow tcp from 172.16.0.0/15 to 172.16.3.5 139
add allow tcp from 172.16.3.5 139 to 172.16.0.0/15

# This is the rule that allows any kind of OUTBOUND connection to be
# established and then used, given the net.inet.ip.fw lifetime values.
#
add allow all from 172.16.3.5 to any keep-state
-------------------------

The '-f flush' allows me to make changes to the file and then reload it
using the command "ipfw /etc/firewall.axl" whenever I feel like it, but I
think that flushes dynamic rules as well, so use with caution.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6446.980848750>
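The following is an added example, not code from the thread and not part of ipfw(8): a small Python model of the rule subset Sheldon's /etc/firewall.axl uses (allow/deny, protocol, source/destination with CIDR or service-name ports, "via lo0", and keep-state with ipfw's implicit check-state at the first keep-state rule). It walks a set of constructed packets through the ruleset to show what is admitted, and then reloads the file the way "ipfw /etc/firewall.axl" would, so that the "-f flush" caveat about dynamic rules is visible: a reply packet for an established outbound flow is allowed before the reload and denied after it. The interface name fxp0, the sample addresses and the assumption that the kernel's default rule denies (no IPFIREWALL_DEFAULT_TO_ACCEPT) are all assumptions of the example; a real ipfw also applies the dynamic rule's own lifetime, which this model ignores.

```python
import ipaddress
from collections import namedtuple

# Packet as seen by the model: protocol, 5-tuple, inbound/outbound interface.
Pkt = namedtuple("Pkt", "proto src sport dst dport iface")

SERVICES = {"domain": 53, "smtp": 25, "ssh": 22}   # service names the ruleset uses

# The ruleset from the post above, embedded verbatim so the example runs offline.
RULESET = """\
-f flush
add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8
add allow tcp from 172.16.3.5 to 172.16.0.1 domain
add allow tcp from 172.16.0.1 domain to 172.16.3.5
add allow tcp from 172.16.0.1 to 172.16.3.5 smtp
add allow tcp from 172.16.3.5 smtp to 172.16.0.1
add allow tcp from any to 172.16.3.5 ssh
add allow tcp from 172.16.3.5 ssh to any
add allow udp from 172.16.0.0/15 to 172.16.3.5 137
add allow udp from 172.16.3.5 137 to 172.16.0.0/15
add allow udp from 172.16.0.0/15 to 172.16.3.5 138
add allow udp from 172.16.3.5 138 to 172.16.0.0/15
add allow tcp from 172.16.0.0/15 to 172.16.3.5 139
add allow tcp from 172.16.3.5 139 to 172.16.0.0/15
add allow all from 172.16.3.5 to any keep-state
"""

def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def _port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)

def parse_rule(line):
    """Parse 'add <action> [log] <proto> from <src> [port] to <dst> [port] [via IF] [keep-state]'."""
    t = line.split()
    if t[0] != "add":
        raise ValueError("unsupported line: " + line)
    r = {"action": t[1], "sport": None, "dport": None, "via": None, "keep_state": False}
    i = 2
    if t[i] == "log":
        i += 1                       # logging does not change the verdict
    r["proto"] = t[i]; i += 2        # protocol, then skip the 'from' keyword
    r["src"] = _net(t[i]); i += 1
    if t[i] != "to":
        r["sport"] = _port(t[i]); i += 1
    i += 1                           # skip 'to'
    r["dst"] = _net(t[i]); i += 1
    while i < len(t):
        if t[i] == "via":
            r["via"] = t[i + 1]; i += 2
        elif t[i] == "keep-state":
            r["keep_state"] = True; i += 1
        else:
            r["dport"] = _port(t[i]); i += 1
    return r

class Firewall:
    def __init__(self, text):
        self.rules, self.dynamic = [], set()
        self.load(text)

    def load(self, text):
        """Feed a rule file as 'ipfw <file>' would; '-f flush' empties static AND dynamic rules."""
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line == "-f flush":
                self.rules, self.dynamic = [], set()
            elif line:
                self.rules.append(parse_rule(line))

    @staticmethod
    def _matches(r, p):
        if r["via"] is not None and r["via"] != p.iface:
            return False
        if r["proto"] not in ("ip", "all") and r["proto"] != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in r["src"] or ipaddress.ip_address(p.dst) not in r["dst"]:
            return False
        return r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)

    def _dynamic_hit(self, p):
        # A dynamic rule matches the flow in both directions.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def check(self, p):
        """Return 'allow' or 'deny' for packet p; first matching rule wins."""
        for r in self.rules:
            # The first keep-state (or check-state) rule reached performs an
            # implicit check-state; an existing flow is accepted right there.
            if r["keep_state"] and self._dynamic_hit(p):
                return "allow"
            if self._matches(r, p):
                if r["keep_state"]:
                    self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r["action"]
        return "deny"   # default rule 65535, assumed to be deny in this example

def demo():
    """Constructed packets against the ruleset, including a reload mid-flow."""
    fw, out = Firewall(RULESET), {}
    out["ssh_in"] = fw.check(Pkt("tcp", "198.51.100.9", 40000, "172.16.3.5", 22, "fxp0"))
    out["http_in"] = fw.check(Pkt("tcp", "198.51.100.9", 40001, "172.16.3.5", 80, "fxp0"))
    out["smb_local"] = fw.check(Pkt("udp", "172.17.200.1", 137, "172.16.3.5", 137, "fxp0"))
    out["smb_remote"] = fw.check(Pkt("udp", "198.51.100.9", 137, "172.16.3.5", 137, "fxp0"))
    out["spoofed_lo"] = fw.check(Pkt("tcp", "198.51.100.9", 40002, "127.0.0.1", 25, "fxp0"))
    out["loopback"] = fw.check(Pkt("tcp", "127.0.0.1", 40003, "127.0.0.1", 25, "lo0"))
    out["web_out"] = fw.check(Pkt("tcp", "172.16.3.5", 50000, "203.0.113.7", 80, "fxp0"))
    reply = Pkt("tcp", "203.0.113.7", 80, "172.16.3.5", 50000, "fxp0")
    out["web_reply"] = fw.check(reply)
    fw.load(RULESET)   # 'ipfw /etc/firewall.axl' again: '-f flush' drops the dynamic table
    out["web_reply_after_reload"] = fw.check(reply)
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The reload case is the one worth noting: after "-f flush" the static rules come back identically, but the dynamic entry for the outbound web connection is gone, so the server's next reply is dropped and the connection stalls until the client retries and a fresh keep-state entry is created.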