Date: Sun, 20 Feb 2000 22:00:06 +0000 From: Mark Stout <mcs@vpm.com> To: freebsd-questions@FreeBSD.ORG Subject: Reading rules in IPFW Message-ID: <4.2.0.58.20000220213559.021b4380@mail.vpm.com>
Hi:

I have someone hacking into my system. It's a web hosting server, so I can't take it off-line. I've blocked all known IP /24 addresses that I know of that the hacker has tried to come in on, but that's fruitless and not what I want. I want to deny everything, then open certain ports like 80 and 21 and 23 for specific networks.

I wrote some rules for IPFW that work as intended as long as I keep the default "allow ip from any to any" as the last rule. If I make it "deny ip from any to any" as the last rule, my previous rules that once worked now don't. Nobody can get in. This seems right. Here's a sampling of the rules I have that work:

    # ipfw(8) syntax is "add <number> <action> ...", one rule per line;
    # rules are evaluated in ascending number order.
    add 100 permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
    add 200 permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
    add 300 permit log tcp from any to 209.60.152.2 80
    add 400 permit log tcp from any to 209.60.152.2 21
    add 500 deny log tcp from any to 209.60.152.2 23
    ...
    # default rule, cannot be added or deleted
    65535 allow ip from any to any

I allow access to Telnet from any host on network 209.13.14.0.
I allow access to Telnet from any host on network 209.13.15.0.
I allow HTTP from anyone.
I allow FTP from anyone.
I then deny Telnet from everyone else.
The default rule #65535 allows everything else in.

Now, when I keep these same rules but change 65535 to "deny ip from any to any", nothing is allowed in, not HTTP or FTP.

Does IPFW stop at the first match, or does it continue through the rest of the rules? I'd like to deny everything, then open what I want. How would I write those rules?

Thanks

Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.20000220213559.021b4380>
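The following is an added example, not part of Mark's message and not ipfw itself: a small Python model of how ipfw evaluates a ruleset (ascending rule number, first match wins, rule 65535 as the default) that replays a TCP three-way handshake through the rules posted above. It shows why the posted rules break when the default rule becomes deny: ipfw is consulted for outbound packets too, and nothing in the posted set allows the server's SYN/ACK reply, so it falls through to 65535. The rule numbers 100 to 500, the reply rule at number 50 using ipfw's `established` keyword (matches TCP packets with ACK or RST set), and the client addresses 10.0.0.5 and 209.13.15.7 are constructed for this example; only 209.60.152.2 and the two /24 networks come from the post.

```python
"""First-match model of ipfw rule evaluation (added example, not ipfw code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SERVER = "209.60.152.2"   # the web host from the post


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    proto: str = "ip"             # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False     # ipfw 'established': ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _addr_in(p.src, self.src) or not _addr_in(p.dst, self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules, default_action, p):
    """Walk rules in ascending number order (insertion order among equal
    numbers, as sorted() is stable) and stop at the first match. Nothing
    matched means the default rule 65535 decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, default_action


def tcp_connect_ok(rules, default_action, client, cport, server, sport):
    """True only if every packet of the handshake passes. ipfw sees the
    server's outbound SYN/ACK as well, so it must be allowed explicitly."""
    handshake = [
        Packet("tcp", client, cport, server, sport, frozenset({"SYN"})),
        Packet("tcp", server, sport, client, cport, frozenset({"SYN", "ACK"})),
        Packet("tcp", client, cport, server, sport, frozenset({"ACK"})),
    ]
    return all(first_match(rules, default_action, p)[1] == "allow"
               for p in handshake)


# The rules from the post, renumbered 100..500 (constructed numbering).
POSTED_RULES = [
    Rule(100, "allow", "tcp", "209.13.15.0/24", SERVER, dport=23),
    Rule(200, "allow", "tcp", "206.13.14.0/24", SERVER, dport=23),
    Rule(300, "allow", "tcp", "any", SERVER, dport=80),
    Rule(400, "allow", "tcp", "any", SERVER, dport=21),
    Rule(500, "deny", "tcp", "any", SERVER, dport=23),
]

# Constructed fix: let the server's replies out before the deny-everything
# default. 'established' never matches a bare SYN, so this does not let the
# server open new connections on its own.
REPLY_RULE = Rule(50, "allow", "tcp", SERVER, "any", established=True)
HARDENED_RULES = [REPLY_RULE] + POSTED_RULES

CLIENT = "10.0.0.5"            # constructed outside address
TELNET_CLIENT = "209.13.15.7"  # constructed host inside 209.13.15.0/24


def demo():
    return {
        "posted_default_allow_http": tcp_connect_ok(POSTED_RULES, "allow", CLIENT, 40000, SERVER, 80),
        "posted_default_deny_http": tcp_connect_ok(POSTED_RULES, "deny", CLIENT, 40000, SERVER, 80),
        "hardened_http": tcp_connect_ok(HARDENED_RULES, "deny", CLIENT, 40000, SERVER, 80),
        "hardened_telnet_allowed_net": tcp_connect_ok(HARDENED_RULES, "deny", TELNET_CLIENT, 40001, SERVER, 23),
        "hardened_telnet_elsewhere": tcp_connect_ok(HARDENED_RULES, "deny", CLIENT, 40002, SERVER, 23),
        "hardened_smtp_elsewhere": tcp_connect_ok(HARDENED_RULES, "deny", CLIENT, 40003, SERVER, 25),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'connects' if ok else 'blocked'}")
```

Run it and the posted rules connect on port 80 with the default rule set to allow, fail with it set to deny, and work again once rule 50 lets the server's ACK-bearing replies out, while Telnet from outside the two /24s and anything else not listed still hit a deny. The `established` rule is stateless: any ACK-flagged packet from the server to anywhere passes, which is the classic rc.firewall shape but not a tight one; on ipfw versions that support it, `keep-state` on the allow rules plus an early `check-state` tracks real connections instead.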