From owner-freebsd-ipfw Sat May 20 18:54: 1 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id BB56837B73D for ; Sat, 20 May 2000 18:53:57 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id VAA95028; Sat, 20 May 2000 21:52:38 -0400 (EDT) (envelope-from cjc)
Date: Sat, 20 May 2000 21:52:38 -0400
From: "Crist J. Clark"
To: Michael Feld
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW Ruleset help
Message-ID: <20000520215237.E93357@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from mfeld@iname.com on Sat, May 20, 2000 at 06:00:30PM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, May 20, 2000 at 06:00:30PM -0400, Michael Feld wrote:
> Hi there all...
>
> I'm new to this list. I have a static IP and a private network
> behind a dual-homed FreeBSD box, and I need a set of basic IPFW
> rules. The following rules don't work, and basically block off all
> access from inside out. Does anyone have a basic set they could post
> or could someone tell me how to fix these? I'm naked to the world
> here, so any help would be appreciated. This ruleset is clearly not
> complete, but I was hoping I might get a little aid in setting things
> up. Thanks!!!

A few comments...

> 00100 divert 8668 ip from any to any via ep0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00500 allow tcp from any to 22 setup
> 00600 allow udp from to any 53

If you trust your own network, why bother restricting anything out?
I would only suggest that you filter your own to prevent spoofing,

  00600 allow ip from to any

And for the internal interface,

  00650 allow ip from 192.168.151.0/24 to any via
  00660 allow ip from to 192.168.151.0/24

> 00700 allow udp from any 53 to

These two covered by other rules. Remove.

> 00800 allow udp from 192.168.151.0/24 to any 53
> 00900 allow udp from any 53 to 192.168.151.0/24

I'd put this at the top. It will be hit the most.

> 02000 allow tcp from any to any established

Why add,

> 65100 deny log tcp from any to any in recv setup
                                     ^^^^^^^^^^^^^^^^^^^^^^^

Log 'em all! It would help catch any errors.

This one? Guess it's just been left in.

> 65200 allow tcp from any to any setup
> 65535 deny ip from any to any

--
Crist J. Clark                           cjclark@home.com
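An added example, not code from either poster: the ruleset restructured along the lines of the reply (the established rule first, anti-spoofing on the outside interface, the inside interface left open, and deny-log applied to every refused connection attempt rather than one interface), written as a FreeBSD sh script in the style of rc.firewall. The public address 192.0.2.10, the interfaces ep0/ep1 and the use of /sbin/ipfw are assumptions; the real values are elided in the thread.

```shell
#!/bin/sh
# Constructed placeholders: replace with the real address and interfaces.
oip="${OIP:-192.0.2.10}"            # static public address (assumed)
oif="${OIF:-ep0}"                   # outside interface, from the thread
iif="${IIF:-ep1}"                   # inside interface (assumed)
inet="${INET:-192.168.151.0/24}"    # inside network, from the thread

# Pass "echo" as the first argument to preview the rules instead of loading them.
load_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    $fwcmd -f flush
    # NAT first so replies arriving on the outside interface are un-translated
    # before any later rule looks at them.
    $fwcmd add 100 divert 8668 ip from any to any via "$oif"
    $fwcmd add 110 allow ip from any to any via lo0
    $fwcmd add 120 deny ip from any to 127.0.0.0/8
    # "I'd put this at the top": most packets belong to open connections.
    $fwcmd add 200 allow tcp from any to any established
    # Anti-spoofing on the outside: nothing claiming to be the inside network
    # may come in from the world, and only our own address goes out.
    $fwcmd add 300 deny log ip from "$inet" to any in recv "$oif"
    $fwcmd add 310 allow ip from "$oip" to any out xmit "$oif"
    # Inside interface: the trusted network talks freely in both directions.
    $fwcmd add 400 allow ip from "$inet" to any via "$iif"
    $fwcmd add 410 allow ip from any to "$inet" via "$iif"
    # Services reachable from outside, plus DNS replies for the box itself and,
    # after the divert has un-translated them, for inside hosts.
    $fwcmd add 500 allow tcp from any to "$oip" 22 setup
    $fwcmd add 510 allow udp from any 53 to "$oip"
    $fwcmd add 520 allow udp from any 53 to "$inet"
    # "Log 'em all!": refused connection attempts on any interface are logged.
    $fwcmd add 65100 deny log tcp from any to any setup
    # Rule 65535 (deny ip from any to any) is the kernel's default and is not added.
}

case "${1:-}" in
    apply)   load_rules ;;
    preview) load_rules echo ;;
esac
```

Run it as `sh ipfw.sh preview` to see the generated rules, or `sh ipfw.sh apply` on the firewall.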