Date: Sat, 20 May 2000 21:52:38 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Michael Feld <mfeld@iname.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Ruleset help
Message-ID: <20000520215237.E93357@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <p04310102b54cb9353341@[192.168.151.4]>; from mfeld@iname.com on Sat, May 20, 2000 at 06:00:30PM -0400
References: <p04310102b54cb9353341@[192.168.151.4]>
On Sat, May 20, 2000 at 06:00:30PM -0400, Michael Feld wrote:
> HI there all...
>
> I'm new to this list. I have a static IP and a private network
> behind a dual-homed FreeBSD box, and I need a set of basic IPFW
> rules. The following rules don't work, and basically block off all
> access from inside out. Does anyone have a basic set they could post
> or could someone tell me how to fix these? I'm naked to the world
> here, so any help would be appreciated. This ruleset is clearly not
> complete, but I was hoping I might get a little aid in setting things
> up. Thanks!!!

A few comments...

> 00100 divert 8668 ip from any to any via ep0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00500 allow tcp from any to <my ip address> 22 setup
> 00600 allow udp from <my ip address> to any 53

If you trust your own network, why bother restricting anything out? I
would only suggest that you filter your own to prevent spoofing,

  00600 allow ip from <outer ip> to any

And for the internal interface,

  00650 allow ip from 192.168.151.0/24 to any via <iif>
  00660 allow ip from <inner ip> to 192.168.151.0/24

> 00700 allow udp from any 53 to <my ip address>

These two covered by other rules. Remove.

> 00800 allow udp from 192.168.151.0/24 to any 53
> 00900 allow udp from any 53 to 192.168.151.0/24

I'd put this at the top. It will be hit the most.

> 02000 allow tcp from any to any established

Why add,

> 65100 deny log tcp from any to any in recv <my ip address> setup
                                     ^^^^^^^^^^^^^^^^^^^^^^^

Log 'em all! It would help catch any errors.

This one? Guess it's just been left in.

> 65200 allow tcp from any to any setup
> 65535 deny ip from any to any

--
Crist J. Clark                          cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
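As an added illustration (not part of the thread or of anyone's posted configuration), the Python model below walks a simplified version of the ruleset discussed above using ipfw's first-match semantics, so the effect of rule order (why an `established` rule belongs near the top, and which packets fall through to the final deny) can be checked against sample packets. The placeholder addresses, the inner interface name ep1 and the packet dictionary format are assumptions; the divert/NAT rule is not modelled.

```python
import ipaddress

# Constructed placeholders (assumptions, not values from the thread).
OUTER_IP = "203.0.113.10"      # stands in for <my ip address> / <outer ip>
INNER_IP = "192.168.151.1"     # stands in for <inner ip>
LAN = "192.168.151.0/24"
INNER_IF = "ep1"               # ep0 is the outer interface in the thread; ep1 is assumed
# Rule: (number, action, proto, src, sport, dst, dport, options); None = any.
# The divert/NAT rule is left out: it neither allows nor denies by itself.
RULES = [
    (100, "allow", "ip", "any", None, "any", None, {"via": "lo0"}),
    (200, "deny", "ip", "any", None, "127.0.0.0/8", None, {}),
    (300, "allow", "tcp", "any", None, "any", None, {"established": True}),
    (500, "allow", "tcp", "any", None, OUTER_IP, 22, {"setup": True}),
    (600, "allow", "ip", OUTER_IP, None, "any", None, {}),
    (650, "allow", "ip", LAN, None, "any", None, {"via": INNER_IF}),
    (660, "allow", "ip", INNER_IP, None, LAN, None, {}),
    (800, "allow", "udp", LAN, None, "any", 53, {}),
    (900, "allow", "udp", "any", 53, LAN, None, {}),
    (65535, "deny", "ip", "any", None, "any", None, {}),
]

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    _, _, proto, src, sport, dst, dport, opts = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
        return False
    if (sport is not None and pkt.get("sport") != sport) or \
       (dport is not None and pkt.get("dport") != dport):
        return False
    if "via" in opts and pkt["iface"] != opts["via"]:
        return False
    # ipfw semantics: 'setup' = SYN set and ACK clear; 'established' = ACK or RST set.
    if opts.get("setup") and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    if opts.get("established") and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def evaluate(pkt, rules=RULES):
    """First-match evaluation as ipfw does it: returns (rule number, action)."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"   # implicit default when nothing else matches
```

Feeding in an inbound SYN to port 22 stops at rule 500, an inbound SYN to any other port falls through to 65535, and an inbound ACK segment is accepted by rule 300 before any later rule is consulted.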