Date:      Wed, 5 Sep 2001 05:15:55 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Big B" <tiffany@crshjnke.com>
Cc:        questions@freebsd.org
Subject:   Re: easy firewall option for 1 NIC machine?
Message-ID:  <15253.64347.65627.742104@guru.mired.org>
In-Reply-To: <28477796@toto.iv>

Big B <tiffany@crshjnke.com> types:
> I have been reading and reading and reading...
> but all of the tute and examples show people using
> FBSD as gateway/firewall/natd...
> I am looking to kill off certain ports and ICMP attacks
> on a machine with one network card.
> I need to keep open ssh ftp www and several high ports for
> CS server without extreme cpu usage..
>  
> Can anyone point me in the right direction..
>  
> IPFW seems the correct way to go but the man pages do not help.

There's something very close to the configuration you want already
installed on the system. Add lines to /etc/rc.conf that say:

	firewall_enable="YES"
	firewall_type="client"

This will run /etc/rc.firewall at boot, telling it you want to protect
a single machine. You'll have to customize /etc/rc.firewall, but it's
got comments in it that should guide you. You'll need to change the
net, mask and ip variables, then delete the ${fwcmd} line that allows
incoming mail, and add similar lines to allow ssh, www and ftp. Note
that ftp can be problematical. For maximum security, require that they
use active ftp, and that will do. If you want to allow passive ftp,
you've got to open the data ports, and those depend on your server.

To test it, you can just run /etc/rc.firewall as a shell script. Do it
at the console, because if things screw up, you may not have network
access to the machine.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
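The customization Mike describes, worked through as an added example (this is not code from the post or from FreeBSD's own /etc/rc.firewall, though it follows the shape of that script's "client" section): the mail rule is replaced by ssh, ftp and www rules, an inbound UDP port is opened for the game server, and ICMP is cut down to a few types. The address, network, mask and the game-server port 27015 are constructed placeholders, and the script defaults to a dry run that prints the ipfw commands instead of loading them; set FWCMD=/sbin/ipfw to apply them, and, as the post says, do that at the console.

```shell
#!/bin/sh
# Added example: a "client"-style ipfw ruleset for a host with a single NIC,
# in the shape of /etc/rc.firewall. DRY RUN by default: rules are printed,
# not loaded. Set FWCMD=/sbin/ipfw to load them (from the console).

# Constructed placeholder values; replace with your interface's address/net.
ip="${IP:-192.0.2.10}"
net="${NET:-192.0.2.0}"
mask="${MASK:-255.255.255.0}"
fwcmd="${FWCMD:-echo ipfw}"

# Assumed inbound services: ssh, ftp control channel, www.
tcp_ports="22 21 80"
# Hypothetical game-server port (UDP); adjust to what your server binds.
udp_ports="27015"

gen_rules() {
    ${fwcmd} -f flush

    # Loopback is trusted; loopback addresses seen on the wire are spoofed.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anything to or from the local subnet.
    ${fwcmd} add pass all from ${ip} to ${net}:${mask}
    ${fwcmd} add pass all from ${net}:${mask} to ${ip}

    # TCP connections that already completed their handshake, and fragments.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag

    # Inbound TCP services: only the SYN (setup) needs a rule per port.
    # These replace the "incoming email" (port 25) rule of the stock script.
    for p in ${tcp_ports}; do
        ${fwcmd} add pass tcp from any to ${ip} ${p} setup
    done

    # Outbound TCP is allowed; every other inbound SYN is denied.
    ${fwcmd} add pass tcp from ${ip} to any setup
    ${fwcmd} add deny tcp from any to any setup

    # UDP: game server inbound; DNS and NTP outbound with state.
    for p in ${udp_ports}; do
        ${fwcmd} add pass udp from any to ${ip} ${p}
    done
    ${fwcmd} add pass udp from ${ip} to any 53 keep-state
    ${fwcmd} add pass udp from ${ip} to any 123 keep-state

    # ICMP: keep echo-reply (0), unreachable (3), echo-request (8) and
    # time-exceeded (11) so ping, path MTU and traceroute still work;
    # which types to keep is an assumption, drop 8 too if you want no ping.
    ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add deny icmp from any to any

    # Explicit final deny so the policy does not depend on the kernel's
    # IPFIREWALL_DEFAULT_TO_ACCEPT option.
    ${fwcmd} add 65000 deny all from any to any
}

# Sanity check before loading: how many inbound TCP ports does the
# generated set accept SYNs for? Should equal the number in tcp_ports.
count_inbound_tcp() {
    gen_rules | grep -c "pass tcp from any to ${ip} .* setup"
}

gen_rules
```

Run it once without FWCMD, read the printed rules, then run it as root with FWCMD=/sbin/ipfw from the console. Passive ftp still needs the server's data-port range opened with additional `pass tcp ... setup` rules, exactly the caveat in the reply above.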
