Date:      Sat, 20 May 2000 21:52:38 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Michael Feld <mfeld@iname.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: IPFW Ruleset help
Message-ID:  <20000520215237.E93357@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <p04310102b54cb9353341@[192.168.151.4]>; from mfeld@iname.com on Sat, May 20, 2000 at 06:00:30PM -0400
References:  <p04310102b54cb9353341@[192.168.151.4]>

On Sat, May 20, 2000 at 06:00:30PM -0400, Michael Feld wrote:
> Hi there all...
> 
> I'm new to this list.  I have a static IP and a  private network 
> behind a dual-homed free-bsd box, and I need a set of basic IPFW 
> rules.  The following rules don't work, and basically block off all 
> access from inside out.  Does anyone have a basic set they could post 
> or could someone tell me how to fix these?   I'm naked to the world 
> here, so any help would be appreciated.  This ruleset is clearly not 
> complete, but I was hoping I might get a little aid in setting things 
> up.  Thanks!!!
> 

A few comments...

> 00100 divert 8668 ip from any to any via ep0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00500 allow tcp from any to <my ip address> 22 setup
> 00600 allow udp from <my ip address> to any 53

If you trust your own network, why bother restricting anything out? I
would only suggest that you filter your own to prevent spoofing,

  00600 allow ip from <outer ip> to any

And for the internal interface,

  00650 allow ip from 192.168.151.0/24 to any via <iif>
  00660 allow ip from <inner ip> to 192.168.151.0/24

> 00700 allow udp from any 53 to <my ip address>

These two are covered by other rules. Remove.

> 00800 allow udp from 192.168.151.0/24 to any 53
> 00900 allow udp from any 53 to 192.168.151.0/24

I'd put this at the top. It will be hit the most.

> 02000 allow tcp from any to any established

Why add,

> 65100 deny log tcp from any to any in recv <my ip address> setup
                                     ^^^^^^^^^^^^^^^^^^^^^^^
Log 'em all! It would help catch any errors.

This one? Guess it's just been left in.

> 65200 allow tcp from any to any setup

> 65535 deny ip from any to any


-- 
Crist J. Clark                           cjclark@home.com
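As an added illustration (not part of the thread, and not ipfw itself), the following is a small first-match model of the poster's ruleset with the reply's suggestions applied, so the effect of ordering, `via` and `setup`/`established` can be checked on sample packets. The outer address, inner address and inner interface name are assumed placeholders (the thread only gives `<my ip address>` and `<iif>`), and the natd divert rule is left out.

```python
import ipaddress

# Constructed illustration, not ipfw itself. <my ip address> and <iif> from the
# thread are replaced by assumed placeholder values; the natd divert rule is
# omitted and only the match fields the thread's rules use are modelled.
OUTER_IP, INNER_IP, IIF = "203.0.113.10", "192.168.151.1", "fxp0"
LAN = "192.168.151.0/24"

# (num, action, proto, src, sport, dst, dport, via, flag): the poster's ruleset
# with the reply's advice applied (established first, anti-spoof rules, no dupes).
RULES = [
    (100, "allow", "ip", "any", None, "any", None, "lo0", None),
    (200, "deny", "ip", "any", None, "127.0.0.0/8", None, None, None),
    (300, "allow", "tcp", "any", None, "any", None, None, "established"),
    (500, "allow", "tcp", "any", None, OUTER_IP, 22, None, "setup"),
    (600, "allow", "ip", OUTER_IP, None, "any", None, None, None),
    (650, "allow", "ip", LAN, None, "any", None, IIF, None),
    (660, "allow", "ip", INNER_IP, None, LAN, None, None, None),
    (800, "allow", "udp", LAN, None, "any", 53, None, None),
    (900, "allow", "udp", "any", 53, LAN, None, None, None),
    (65535, "deny", "ip", "any", None, "any", None, None, None),
]

def _in(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def matches(rule, pkt):
    """pkt: dict with proto, src, dst, iface and optional sport, dport, flags."""
    _, _, proto, src, sport, dst, dport, via, flag = rule
    flags = pkt.get("flags", set())
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (_in(src, pkt["src"]) and _in(dst, pkt["dst"])):
        return False
    if sport is not None and sport != pkt.get("sport"):
        return False
    if dport is not None and dport != pkt.get("dport"):
        return False
    if via is not None and via != pkt["iface"]:      # 'via' matches either direction
        return False
    if flag == "setup" and not ("SYN" in flags and "ACK" not in flags):
        return False
    if flag == "established" and not (flags & {"ACK", "RST"}):
        return False
    return True

def verdict(pkt, rules=RULES):
    """First match wins, as in ipfw; return (rule number, action)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"
```

A SYN claiming a LAN source but arriving on the outer interface `ep0` falls through to the final deny, while the same packet on the inner interface is passed by rule 650, which is the point of the `via <iif>` rule.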

