Date: Wed, 18 Feb 2004 22:58:26 -0800
From: "Derrick Ryalls" <ryallsd@datasphereweb.com>
To: <freebsd-questions@freebsd.org>
Subject: Ipfw ruleset check
Message-ID: <013601c3f6b5$c5e1aa00$0201a8c0@aragorn>
I have a 4.9 router that I decided I want to have a meaningful firewall with, so I have modified a copy of rc.firewall and would like someone to point out if I am doing something monumentally stupid.

I want to allow all from within my network, but only let in a few from the internet:

  DNS
  Email/imap-ssl (pop3-ssl in future)
  Ssh
  WWW
  And whatever natd redirects I have (remote desktop mainly).

I definitely want to protect mysqld and only allow it from localhost or inside network.

Here is what I have come up with so far (kernel built with default to deny):

  # ${fwcmd} (/sbin/ipfw) and setup_loopback are defined earlier in rc.firewall
  setup_loopback

  # set these to your network and netmask and ip
  net="192.168.1.0"
  mask="255.255.255.0"
  ip="192.168.1.1"

  # Allow any traffic to or from my own net.
  ${fwcmd} add pass all from ${ip} to ${net}:${mask}
  ${fwcmd} add pass all from ${net}:${mask} to ${ip}

  # Allow all out the world
  ${fwcmd} add pass all from ${ip} to any keep-state

  # Allow DNS queries out or in the world
  ${fwcmd} add pass all from any to any 53 keep-state

  # Allow email out or in the world
  ${fwcmd} add pass all from any to any 25 keep-state

  # Allow imap-ssl out or in the world
  ${fwcmd} add pass all from any to any 993 keep-state

  # Allow ssh out or in the world
  ${fwcmd} add pass all from any to any 22 keep-state

  # Allow www out or in the world
  ${fwcmd} add pass all from any to any 80 keep-state

  # Allow MSTSC in the world
  ${fwcmd} add pass all from any to any 5001 keep-state

Any glaring mistakes on my part?

TIA
-Derrick
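A quick way to check what a ruleset like the one above actually admits, before loading it on the router, is to evaluate it offline for a handful of representative packets. The script below is an added example, not the poster's code and not part of FreeBSD; it implements a deliberately simplified ipfw model (first matching rule wins, "all" matches any protocol, port clauses only match TCP/UDP, "keep-state" treated as a plain pass for the first packet of a flow, unmatched packets fall through to deny as on a default-to-deny kernel). The rule text is constructed from the post with ${ip}, ${net} and ${mask} expanded, and the outside address 203.0.113.5 and inside host 192.168.1.50 are made-up sample values.

```python
"""Simplified first-match evaluator for the ipfw ruleset in the post.

Added example. Models only pass/deny actions, protocols "all"/"tcp"/"udp",
optional source and destination ports, and addresses given as "any", a.b.c.d,
a.b.c.d/n or ipfw's a.b.c.d:netmask form. keep-state is not tracked; an
unmatched packet is denied, as on a kernel built to default to deny.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the post, with ${ip}, ${net} and ${mask} expanded.
RULESET_TEXT = [
    "pass all from 192.168.1.1 to 192.168.1.0:255.255.255.0",
    "pass all from 192.168.1.0:255.255.255.0 to 192.168.1.1",
    "pass all from 192.168.1.1 to any keep-state",
    "pass all from any to any 53 keep-state",
    "pass all from any to any 25 keep-state",
    "pass all from any to any 993 keep-state",
    "pass all from any to any 22 keep-state",
    "pass all from any to any 80 keep-state",
    "pass all from any to any 5001 keep-state",
]

RULE_RE = re.compile(
    r"^(?P<action>pass|allow|accept|deny|drop)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?:\s+keep-state)?\s*$"
)


@dataclass
class Rule:
    action: str                              # "pass" or "deny"
    proto: str                               # "all", "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None


def parse_addr(token: str) -> Optional[ipaddress.IPv4Network]:
    """Turn an ipfw address token into a network; "any" becomes None."""
    if token == "any":
        return None
    if ":" in token:  # rc.firewall's ${net}:${mask} spelling
        addr, mask = token.split(":", 1)
        token = f"{addr}/{mask}"
    return ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action = "pass" if m["action"] in ("pass", "allow", "accept") else "deny"
    return Rule(action, m["proto"], parse_addr(m["src"]),
                int(m["sport"]) if m["sport"] else None, parse_addr(m["dst"]),
                int(m["dport"]) if m["dport"] else None, text)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    # Port clauses only ever match TCP or UDP packets.
    for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if want is not None and (pkt.proto not in ("tcp", "udp") or have != want):
            return False
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule decides; otherwise fall through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", None


def exposed_ports(rules, src: str, dst: str, candidates, proto="tcp"):
    """Ports in `candidates` on which a new flow from src to dst is passed."""
    return sorted(p for p in candidates
                  if evaluate(rules, Packet(proto, src, dst, dport=p))[0] == "pass")


def load_ruleset():
    return [parse_rule(t) for t in RULESET_TEXT]


if __name__ == "__main__":
    rules = load_ruleset()
    probes = [22, 25, 53, 80, 443, 993, 3306, 5001]
    print("internet -> router:", exposed_ports(rules, "203.0.113.5", "192.168.1.1", probes))
    print("LAN -> router:     ", exposed_ports(rules, "192.168.1.50", "192.168.1.1", probes))
    print("internet -> LAN host port 80:", evaluate(rules, Packet("tcp", "203.0.113.5", "192.168.1.50", dport=80)))
```

Running it shows that a TCP connection from outside to port 3306 on the router matches nothing and is denied, that the same port is reachable from the inside network through the second rule, and that "from any to any 80" matches traffic to any destination, not only to the router, which matters if the box forwards packets for the LAN.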