Date:      Wed, 15 Apr 1998 02:16:56 -0400 (EDT)
From:      spork <spork@super-g.com>
To:        Spike Gronim <spork@cncn.com>
Cc:        Dima Dorfman <webmaster@zwb.net>, fbsdqs <freebsd-questions@FreeBSD.ORG>
Subject:   Re: IPFW
Message-ID:  <Pine.BSF.3.96.980415020032.22722A-100000@super-g.inch.com>
In-Reply-To: <Pine.BSF.3.96.980414162215.367C-100000@pigstuy>

You're getting there...

Line numbers are important, as others mentioned, and the manpage and
handbook have great examples and hints...

Also, blocking packets from 127.0.0.1 to panix.com (they love their nfs,
don't they) will not get you anywhere.  Packets are sourced from your
machine's IP, not the localhost address.  Putting names is a general no-no
in most configs, as you can't always rely on DNS, and it's easy for
someone wanting to circumvent your firewall to fake.  And depending on
where you're blocking all that nasty udp, you might not even be able to do
lookups until later in the script.

That said, here's an example:

#!/bin/sh

ipfw add 1000 pass all from any to any via lo0
# the above is a default rule from rc.firewall, it just lets the
# machine talk to itself
ipfw add 2000 deny tcp from 198.7.0.2 to any
# drop every tcp packet that host sends us, whatever port it is aimed at
ipfw add 60000 allow ip from any to any
# everything else goes through; 65535 is the built-in default rule

That should block access from panix.  Or to panix, as it won't
be able to answer...

That's a really basic config, you'll find the list gets bigger as you play
with it more.  I generally group things further apart to make for easier
reading, putting all tcp in one prefix, all udp in another, etc.  You
should also put the most often matched rules first, such as the
"established" rule.  Lots of fun to mess with, just make sure you're at
the console.  As you fine tune, you can start putting a "log" entry where
you plan to eventually put a "deny" so you can spot all the mystery
traffic and decide if you want it or not.  I found a ton of random dialup
accounts doing big snmp sweep probes across the network...

Good luck, and remember to check out the man page.  It's a little more up
to date than the handbook, and it is exceptionally well written.


Charles Sprickman
spork@super-g.com
---- 
                           "I'm not a prophet or a stone-age man
                           Just a mortal with potential of a superman
                           I'm living on"      -DB

On Tue, 14 Apr 1998, Spike Gronim wrote:

> On Tue, 14 Apr 1998, Dima Dorfman wrote:
> 
> > You need to specify a rule number, like:
> > 
> > ipfw add 1000 deny tcp from localhost to panix.com
> > 
> > At 04:09 PM 4/14/98 -0400, you wrote:
> > >Hello.
> > >
> > >	Just for practice I am configuring a fire wall on my computer. I
> > >don't need one, but I want to get the experience under my belt. I have a
> > >shell script I wish to execute to set up the rules to my firewall.
> > >it reads:
> 
> [snip]
> 
> > > I have shell access on panix.com and can therefore attempt to test my
> > >firewall from their machines. ipfw ignores the first two commands, so my
> > >firewall ends up looking like this:
> > >
> > >00000 allow ip from any to any
> > >65534 deny ip from any to any
> 
> My ipfwcommands script now reads:
> 
> #!/bin/sh
> 
> ipfw add 10000 deny tcp from localhost to panix.com
> ipfw add 10010 deny tcp from panix.com to localhost
> ipfw add allow ip from any to any
> 
> and it still does not add the first two rules.
> 
> 
> 
> 	-Spike Gronim
> 	 spork@cncn.com	
> 
> 
> 		"Hacker, n: One who hacks real good"
> 			--Computer Contradictionary
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 


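As an added example, not code from the thread or from FreeBSD's rc.firewall, here is a small ipfw rule script that follows the advice in Charles's reply: every rule numbered, tcp and udp grouped in their own number ranges, the "established" rule near the top, "log" in the places where a "deny" will eventually go, and addresses rather than names. It also carries a lint pass that catches the two things Spike's script trips over, an "add" with no rule number and from/to endpoints written as hostnames. The outside interface ed0 and the host address 192.0.2.10 are placeholders I picked; 198.7.0.2 is the address from Charles's own example.

```shell
#!/bin/sh
# Added example, not from the thread: a numbered ipfw(8) ruleset built the
# way the reply above suggests, plus a lint pass for the mistakes it warns
# about.  Placeholders (assumed, not from the thread): outside interface
# ed0, this host's address 192.0.2.10.  198.7.0.2 is from Charles's example.
OIF="${OIF:-ed0}"
MYIP="${MYIP:-192.0.2.10}"
BLOCKED="${BLOCKED:-198.7.0.2}"

# With FW_STAGING set, the rules that will eventually deny only "count log",
# so the mystery traffic shows up in the log before anything is dropped.
deny_action() {
    if [ -n "${FW_STAGING:-}" ]; then echo "count log"; else echo "deny log"; fi
}

# Print the ruleset, one "add ..." per line, so it can be reviewed first.
fw_rules() {
    D=$(deny_action)
    # 1000s: loopback, anti-spoof, then the most frequently matched rule
    echo "add 1000 pass all from any to any via lo0"
    echo "add 1100 deny ip from any to 127.0.0.0/8 via $OIF"
    echo "add 1200 allow tcp from any to any established"
    # 2000s: tcp.  New connections are only accepted to port 22.
    echo "add 2000 $D tcp from $BLOCKED to any"
    echo "add 2100 allow tcp from any to $MYIP 22 setup"
    echo "add 2900 $D tcp from any to $MYIP setup"
    # 3000s: udp.  Matching DNS replies by source port 53 is weak (anyone can
    # send from port 53); it is what 1998-era rulesets did before keep-state.
    echo "add 3000 allow udp from any 53 to $MYIP"
    echo "add 3100 allow udp from $MYIP to any 53"
    echo "add 3900 $D udp from any to $MYIP"
    # 60000: the catch-all, just below ipfw's fixed default rule 65535
    echo "add 60000 allow ip from any to any"
}

# Lint a rule script read from stdin.  Every "add" needs a rule number, and
# the endpoint after "from"/"to" must be an address or any/me, never a name
# that has to be looked up while the firewall is still being built.
# Prints one line per problem and returns 1 if it found any.
fw_lint() {
    rc=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        [ "${1:-}" = ipfw ] && shift
        [ "${1:-}" = add ] || continue
        case "${2:-}" in
            ''|*[!0-9]*) echo "lint: missing rule number: $line"; rc=1 ;;
        esac
        prev=
        for tok in "$@"; do
            case "$prev" in from|to)
                case "$tok" in
                    any|me) ;;
                    *[!0-9./]*) echo "lint: hostname '$tok' in: $line"; rc=1 ;;
                esac ;;
            esac
            prev=$tok
        done
    done
    return $rc
}

# Load the rules for real (needs root and an ipfw kernel).  Flush first so a
# re-run does not leave old rules behind, and do it at the console: between
# the flush and the last "add" only the default rule is in place.
fw_apply() {
    fw_rules | fw_lint >/dev/null || { echo "lint failed, not loading" >&2; return 1; }
    ipfw -f flush
    fw_rules | while read -r rule; do
        # word splitting of $rule into ipfw's arguments is intended
        ipfw $rule
    done
}

case "${1:-}" in
    lint)  fw_lint ;;   # e.g.  sh fw.sh lint < /etc/ipfwcommands
    apply) fw_apply ;;
    *)     fw_rules ;;  # default: just print the ruleset
esac
```

Run it with no arguments to see the rules it would load, feed a script to "lint" to check it, and only use "apply" once the lint is clean and you are sitting at the console. Set FW_STAGING=1 while tuning so the would-be deny rules count and log instead of dropping.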



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980415020032.22722A-100000>