From: Gary D Kline
Date: Sun, 22 Dec 2002 15:20:05 -0800
To: "Sean J. Countryman"
Cc: Gary D Kline, FreeBSD Mailing List
Subject: Re: Any IPFW clues???
Message-ID: <20021222232005.GA78387@tao.thought.org>
References: <20021222230535.GA78303@tao.thought.org>

On Sun, Dec 22, 2002 at 04:14:31PM -0700, Sean J. Countryman wrote:
> Perhaps you could post your rules?
>
> - Sean

Sure:

ipfw -f 10 flush
ipfw add 100 check-state
ipfw add 150 allow tcp from any to any in via dc0 keep-state
ipfw add 200 allow udp from any to any in via dc0 keep-state
ipfw add 300 allow icmp from any to any in recv dc0 keep-state
ipfw add 500 reset tcp from any to any in via dc0

# Allow in SSH on port 22 [[ this block should be okay ]]
ipfw add 1000 allow tcp from any to 10.0.0.249 22 in via dc1 keep-state
ipfw add 1050 allow tcp from 10.0.0.249 to any 22 out via dc1 keep-state
ipfw add 1100 allow tcp from any to 10.0.0.247 22 in via dc1 keep-state
ipfw add 1150 allow tcp from 10.0.0.247 to any 22 in via dc1 keep-state
ipfw add 1200 allow tcp from any to 216.231.43.140 22 in via dc0 keep-state
ipfw add 1250 allow tcp from 216.231.43.140 to any 22 in via dc0 keep-state

# Allow FTP data connections
ipfw add 1300 allow tcp from any to 216.231.43.140 21 7499-8501 in via dc0

# Allow in DNS on port 53
ipfw add 1400 allow tcp from any to 216.231.43.140 53 in via dc0
ipfw add 1500 allow udp from any to 216.231.43.140 53 in via dc0

# Allow in private printer and printer on ports 35 AND 515
ipfw add 1600 allow tcp from any to 216.231.43.140 35,515 in via dc0
ipfw add 1700 allow udp from any to 216.231.43.140 35,515 in via dc0

# Allow in HTTP on port 80
ipfw add 1800 allow tcp from any to 216.231.43.140 80 in via dc0
ipfw add 1900 allow udp from any to 216.231.43.140 80 in via dc0

# Allow in SMTP on port 25
ipfw add 2200 allow tcp from any to 216.231.43.140 25 in via dc0
ipfw add 2300 allow udp from any to 216.231.43.140 25 in via dc0

# Allow in named/BIND on port 42
ipfw add 2400 allow tcp from any to 216.231.43.140 42 in via dc0
ipfw add 2500 allow udp from any to 216.231.43.140 42 in via dc0

# deny unreachable pings; (type = 3).
ipfw add 2600 deny icmp from any to any in icmptypes 3

# Inside Interface
ipfw add 2900 allow udp from any to any out xmit dc0 keep-state
ipfw add 3200 allow tcp from any to any via dc0 keep-state
ipfw add 3300 allow udp from any to any in recv dc0 keep-state
ipfw add 3400 allow icmp from any to any via dc0 keep-state
ipfw add 3500 deny ip from any to any recv dc0

# Loopback Interface
ipfw add 3600 allow ip from 127.0.0.1 to 127.0.0.1 in recv lo0
ipfw add 3700 allow ip from 127.0.0.1 to 127.0.0.1 out xmit lo0

ipfw add 3800 allow from any to any

Anything here glaringly wrong?

	gary

-- 
   Gary Kline     kline@thought.org   www.thought.org     Public service Unix
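Added example, not part of the thread and not from the poster or from FreeBSD: ipfw walks its rules in ascending number order and the first rule that matches decides the packet, so whether a ruleset like the one above is "glaringly wrong" comes down to whether its later, narrower rules can ever be reached. The Python checker below parses the ruleset exactly as posted (embedded as its sample input, with the ipfw prefix and the flush dropped) and reports rules that an earlier, broader rule fully covers, rules that name no protocol, and a final unconditional allow. It understands only the subset of ipfw(8) syntax the posted rules use; the coverage test, treating "in via X" as equivalent to "in recv X", and treating a rule with no interface clause as applying to every interface are my simplifications, not ipfw's documented matching algorithm.

```python
"""Dead-rule check for an ipfw ruleset: ipfw is first-match, so a broad early rule makes
every narrower later rule unreachable. Added example for this thread (not the poster's
script, not a FreeBSD tool); handles only the ipfw(8) syntax subset the posted rules use."""
from collections import namedtuple

# The posted ruleset, embedded verbatim as the sample input ('ipfw' prefix and flush dropped).
RULESET = """\
add 100 check-state
add 150 allow tcp from any to any in via dc0 keep-state
add 200 allow udp from any to any in via dc0 keep-state
add 300 allow icmp from any to any in recv dc0 keep-state
add 500 reset tcp from any to any in via dc0
add 1000 allow tcp from any to 10.0.0.249 22 in via dc1 keep-state
add 1050 allow tcp from 10.0.0.249 to any 22 out via dc1 keep-state
add 1100 allow tcp from any to 10.0.0.247 22 in via dc1 keep-state
add 1150 allow tcp from 10.0.0.247 to any 22 in via dc1 keep-state
add 1200 allow tcp from any to 216.231.43.140 22 in via dc0 keep-state
add 1250 allow tcp from 216.231.43.140 to any 22 in via dc0 keep-state
add 1300 allow tcp from any to 216.231.43.140 21 7499-8501 in via dc0
add 1400 allow tcp from any to 216.231.43.140 53 in via dc0
add 1500 allow udp from any to 216.231.43.140 53 in via dc0
add 1600 allow tcp from any to 216.231.43.140 35,515 in via dc0
add 1700 allow udp from any to 216.231.43.140 35,515 in via dc0
add 1800 allow tcp from any to 216.231.43.140 80 in via dc0
add 1900 allow udp from any to 216.231.43.140 80 in via dc0
add 2200 allow tcp from any to 216.231.43.140 25 in via dc0
add 2300 allow udp from any to 216.231.43.140 25 in via dc0
add 2400 allow tcp from any to 216.231.43.140 42 in via dc0
add 2500 allow udp from any to 216.231.43.140 42 in via dc0
add 2600 deny icmp from any to any in icmptypes 3
add 2900 allow udp from any to any out xmit dc0 keep-state
add 3200 allow tcp from any to any via dc0 keep-state
add 3300 allow udp from any to any in recv dc0 keep-state
add 3400 allow icmp from any to any via dc0 keep-state
add 3500 deny ip from any to any recv dc0
add 3600 allow ip from 127.0.0.1 to 127.0.0.1 in recv lo0
add 3700 allow ip from 127.0.0.1 to 127.0.0.1 out xmit lo0
add 3800 allow from any to any
"""

Rule = namedtuple("Rule", "num action proto src sport dst dport dirn mode iface itypes noproto")
OPTIONS = {"in", "out", "via", "recv", "xmit", "keep-state", "icmptypes"}

def parse_rule(line):
    """Parse 'add N action [proto] from src [ports] to dst [ports] [options...]'."""
    t = line.split()
    if t[0] != "add":
        raise ValueError("unsupported line: " + line)
    num, action = int(t[1]), t[2]
    if action == "check-state":                  # carries no packet pattern of its own
        return Rule(num, action, *([None] * 9), False)
    i, j = t.index("from"), t.index("to")
    noproto = i == 3                             # 'allow from any to any': ipfw reads a missing protocol as ip
    k = next((n for n in range(j + 2, len(t)) if t[n] in OPTIONS), len(t))  # end of dst port tokens
    opts = t[k:]
    dirn = "in" if "in" in opts else ("out" if "out" in opts else None)
    mode = iface = None
    for m in ("via", "recv", "xmit"):
        if m in opts:
            mode, iface = m, opts[opts.index(m) + 1]
    if mode == "via" and dirn:                   # 'in via X' tests the same as 'in recv X' (out: xmit)
        mode = "recv" if dirn == "in" else "xmit"
    itypes = opts[opts.index("icmptypes") + 1] if "icmptypes" in opts else None
    return Rule(num, action, "ip" if noproto else t[3], t[i + 1], ",".join(t[i + 2:j]),
                t[j + 1], ",".join(t[j + 2:k]), dirn, mode, iface, itypes, noproto)

def covers(a, b):
    """True when every packet that could match b is already decided by the earlier rule a."""
    if a.proto not in ("ip", "all", b.proto):
        return False
    if (a.src != "any" and a.src != b.src) or (a.sport and a.sport != b.sport):
        return False
    if (a.dst != "any" and a.dst != b.dst) or (a.dport and a.dport != b.dport):
        return False
    if a.dirn and a.dirn != b.dirn:
        return False
    if a.iface and (a.iface != b.iface or a.mode not in ("via", b.mode)):
        return False
    return not a.itypes or a.itypes == b.itypes

def audit(text):
    """Unreachable rules (mapped to the rule that wins instead), protocol-less rules, default policy."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines() if l.strip()) if r.action != "check-state"]
    shadowed = {}
    for n, r in enumerate(rules):
        for a in rules[:n]:
            if covers(a, r):
                shadowed[r.num] = a.num
                break
    last = rules[-1]
    default_allow = (last.action == "allow" and last.proto == "ip" and last.src == "any" and last.dst == "any"
                     and not (last.sport or last.dport or last.dirn or last.iface))
    return {"shadowed": shadowed, "missing_proto": [r.num for r in rules if r.noproto], "default_allow": default_allow}

if __name__ == "__main__":
    report = audit(RULESET)
    for num, by in sorted(report["shadowed"].items()):
        print(f"rule {num} can never match: rule {by} already decides every packet it could see")
    print("protocol-less rules (treated as ip):", report["missing_proto"])
    print("ruleset ends in an unconditional allow:", report["default_allow"])
```

Run as-is, it reports rule 500 and every dc0 service rule from 1200 through 2500 (plus 3300) as unreachable, because rules 150 and 200 accept all inbound TCP and UDP on dc0 before any of them is consulted; it flags rule 3800 as naming no protocol; and it notes that the ruleset ends in an allow-everything rule, so there is no default deny. It only reports full shadowing: a rule that is partly covered, such as 2600, whose ICMP type 3 arriving on dc0 is already accepted by rule 300, is left for the reader.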