Date:      Wed, 17 Jul 2002 09:03:49 +0200
From:      Bart Matthaei <bart@dreamflow.nl>
To:        Mark D <markd@cogeco.ca>
Cc:        security@freebsd.org
Subject:   Re: ipfw and it's glory...
Message-ID:  <20020717070349.GA38299@heresy.dreamflow.nl>
In-Reply-To: <000101c22d1a$a54d6e70$6401a8c0@promethium>
References:  <000101c22d1a$a54d6e70$6401a8c0@promethium>



On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
[snip]
> 	Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> 	I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
>
>    allow ip from trusted-ip-addy-1 to any
>    allow ip from trusted-ip-addy-2 to any
>    allow log tcp from any to any established
>    allow log tcp from trusted-ip-addy-1 to any 22 in setup
>    allow log udp from internal-addy to any 53
>    allow log udp from any 53 to internal-addy
>    allow log tcp from any to internal-addy 80,21,110,15 setup
>    -
>    65535 deny ip from any to any

First of all, avoid using IP addresses when addressing the "self" box.
Use 'me' instead.

Second, here's a basic setup that works for your situation:

# Allow "local" traffic
ipfw add allow all from any to any via lo0

# Allow all outgoing traffic
ipfw add allow all from any to any out

# Allow IP fragments (for more info, see ipfw manpage)
ipfw add allow all from any to any frag

# Allow established tcp connections
ipfw add allow tcp from any to any established

# Allow tcp connections to the box > 1024 (In order to make
# various clients work on the box)
ipfw add pass tcp from any to me 1024-65535 setup

# Allow udp connections to the box > 1024 (same shit)
ipfw add pass udp from any to me 1024-65535

# Allow DNS queries
ipfw add allow udp from any to any 53

# Allow the trusted IPs to the ssh port
ipfw add allow tcp from $trusted_ip1 to me 22
ipfw add allow tcp from $trusted_ip2 to me 22

# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
ipfw add allow tcp from any to me 21,25,80,110,113 setup

# I've added auth. If you don't want auth, make sure to reset all
# traffic going to port 113, or ident lookups to your box will time-out.
# Use 'reset tcp from any to me 113'

# Allow icmptypes 0 3 8 and 11
ipfw add allow icmp from any to any icmptypes 0,3,8,11

# Deny everything else
ipfw add deny all from any to any

This is a basic setup. Add more rules for specific network setups.
ipfw isn't difficult, you just need to figure the syntax and specific
options out.

Cheers,

Bart

-- 
Bart Matthaei                 bart@dreamflow.nl

If at first you don't succeed, redefine success.
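A first-match evaluator for the ruleset in Bart's reply, added here as an example (it is not part of the thread and not ipfw's own code); the addresses used for `me` and for the two trusted hosts are constructed stand-ins. It walks the rules in order the way ipfw does and reports which rule decides a packet, which is the check to run before loading a set like this: it shows, for instance, that the "> 1024 ... setup" rule accepts new inbound TCP connections to any high port from any source, exactly as its comment says.

```python
import re
from dataclasses import dataclass
ME = {"192.0.2.10"}                                  # constructed: the box's own address
TRUSTED1, TRUSTED2 = "198.51.100.5", "198.51.100.6"  # constructed stand-ins for $trusted_ip1/2
# The reply's ruleset, in order, with the shell variables substituted (rule number = index + 1).
RULES = f"""allow all from any to any via lo0
allow all from any to any out
allow all from any to any frag
allow tcp from any to any established
pass tcp from any to me 1024-65535 setup
pass udp from any to me 1024-65535
allow udp from any to any 53
allow tcp from {TRUSTED1} to me 22
allow tcp from {TRUSTED2} to me 22
allow tcp from any to me 21,25,80,110,113 setup
allow icmp from any to any icmptypes 0,3,8,11
deny all from any to any""".splitlines()

@dataclass
class Pkt:                       # the packet fields these rules look at
    proto: str; src: str; sport: int; dst: str; dport: int
    direction: str = "in"; iface: str = "fxp0"; frag: bool = False
    syn: bool = False; ack: bool = False; icmptype: int = -1

RULE_RE = re.compile(r"(\w+) (\w+) from (\S+)(?: ([\d,-]+))? to (\S+)(?: ([\d,-]+))?(.*)")
def port_ok(spec, port):         # None = any port; "a-b" is a range; "a,b,c" is a list
    if spec is None: return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi) if hi else port in [int(x) for x in spec.split(",")]
def addr_ok(spec, addr):
    return spec == "any" or (spec == "me" and addr in ME) or spec == addr

def matches(rule, p):
    action, proto, src, sp, dst, dp, opts = RULE_RE.fullmatch(rule).groups()
    o = opts.split()
    ok = (proto in ("all", p.proto) and addr_ok(src, p.src) and addr_ok(dst, p.dst)
          and port_ok(sp, p.sport) and port_ok(dp, p.dport))
    if "via" in o: ok &= p.iface == o[o.index("via") + 1]
    if "in" in o or "out" in o: ok &= p.direction in o
    if "frag" in o: ok &= p.frag
    if "established" in o: ok &= p.ack            # part of an existing connection (ACK set)
    if "setup" in o: ok &= p.syn and not p.ack    # SYN without ACK: a new connection attempt
    if "icmptypes" in o: ok &= p.icmptype in [int(t) for t in o[o.index("icmptypes") + 1].split(",")]
    return ok, action

def evaluate(p):
    """First match wins, as in ipfw; returns (allowed, number of the deciding rule)."""
    for n, rule in enumerate(RULES, 1):
        ok, action = matches(rule, p)
        if ok: return action in ("allow", "pass"), n
    return False, 65535                           # ipfw's default rule: deny everything
```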


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020717070349.GA38299>