Date:      Fri, 17 May 2002 00:10:55 +0200
From:      Paul Everlund <tdv94ped@cs.umu.se>
To:        Patrick Thomas <root@utility.clubscholarship.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: quick ipfw ruleset advice needed...
Message-ID:  <3CE42E6F.A4436739@cs.umu.se>
References:  <20020516144842.B79837-100000@utility.clubscholarship.com>

Patrick Thomas wrote:
> 
> I have a single machine behind my firewall.  On that machine I would like
> to do this:
> 
> 1. allow incoming sshd connections
> 2. allow incoming identd requests
> 3. block ALL other requests coming into my server
> 4. be able to use any client programs from my server going outwards
> (bitchx, ftp, ssh, lynx, mud client, etc)
> 
> so I came up with this:
> 
> 00100 allow tcp from any to [my IP] 22          # incoming sshd
> 00101 allow tcp from any to [my IP] 113         # incoming identd
> 00102 allow udp from any to [my IP] 113         # incoming identd
> 00103 deny all from any to [my IP]
> 
> This sort of works.  I can ssh _to_ my machine and log in, and I can get
> identd to respond, but:
> 
> - I cannot ssh from that machine to other places
> - I cannot use things like lynx and bitchx

It seems you only allow packets into your computer, but not out.
Try to use something like:

- Allow you to set up connections.
allow tcp from [your IP] to any out via ed0 setup

- Allow established connections back in.
allow tcp from any to [your IP] in via ed0 established

(Exchange ed0 for your own network device.)

Put those lines before the deny all line.

How do you, by the way, manage DNS lookups with that ruleset of yours,
or was it only an example?

Also, you should take a closer look at stateful rules! They seem to be
quite neat.

Good luck!

Best regards,
Paul
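The complete ruleset the thread is working towards, as an added example that is not part of either message: inbound sshd and identd only, anything this host initiates going out, DNS replies allowed, and a final deny. The host address 192.0.2.10 (TEST-NET-1) and interface ed0 are assumed placeholders. The generator offers both the setup/established pairing Paul describes and the stateful keep-state/check-state form he recommends, so the two can be compared line by line. The UDP 113 rule from the original post is left out because ident (RFC 1413) is TCP only.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (gen_rules) and
# optionally installs (load_rules) an ipfw ruleset for a single host that
# accepts sshd and identd, may connect anywhere outbound, and denies the rest.
# Assumed placeholders: host 192.0.2.10 (TEST-NET-1), interface ed0.

# gen_rules IP IFACE [MODE]  -> prints rule lines "NUMBER BODY", one per line.
# MODE is "stateful" (default, keep-state/check-state) or "established"
# (the setup/established pairing suggested in the thread).
gen_rules() {
    ip=$1; iface=$2; mode=${3:-stateful}
    case $mode in
        stateful|established) ;;
        *) echo "gen_rules: mode must be stateful or established" >&2; return 1 ;;
    esac
    # Loopback first, then refuse 127/8 on the wire and packets that arrive
    # from outside already carrying our own address (spoofing).
    cat <<EOF
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
00130 deny ip from $ip to any in via $iface
EOF
    if [ "$mode" = stateful ]; then
        # check-state must precede the keep-state rules so that later packets
        # of a flow, in either direction, match the dynamic rule.
        cat <<EOF
01000 check-state
01100 allow tcp from any to $ip 22 in via $iface setup keep-state
01110 allow tcp from any to $ip 113 in via $iface setup keep-state
02000 allow tcp from $ip to any out via $iface setup keep-state
02010 allow udp from $ip to any 53 out via $iface keep-state
EOF
    else
        # Classic pairing: "setup" matches the SYN, "established" matches any
        # TCP packet with ACK or RST set, so a crafted ACK to any port gets
        # through; that is why the stateful variant is preferable.
        cat <<EOF
01100 allow tcp from any to $ip 22 in via $iface setup
01110 allow tcp from any to $ip 113 in via $iface setup
02000 allow tcp from $ip to any out via $iface setup
02005 allow tcp from any to $ip in via $iface established
02006 allow tcp from $ip to any out via $iface established
02010 allow udp from $ip to any 53 out via $iface
02011 allow udp from any 53 to $ip in via $iface
EOF
    fi
    # Outbound ICMP, inbound echo reply / unreachable / time exceeded only,
    # then the explicit default deny (logged) just before the kernel's 65535.
    cat <<EOF
03000 allow icmp from $ip to any out via $iface
03010 allow icmp from any to $ip in via $iface icmptypes 0,3,11
65000 deny log ip from any to any
EOF
}

# load_rules IP IFACE [MODE]: flush and install the generated set with ipfw.
# Needs root on FreeBSD. Run it from the console: after the flush only rule
# 65535 remains, which denies everything unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT, so a remote ssh session would be cut off.
load_rules() {
    fwcmd=${IPFW:-/sbin/ipfw}
    gen_rules "$@" >/dev/null || return 1      # validate arguments before flushing
    "$fwcmd" -q flush || return 1
    gen_rules "$@" | while read -r num body; do
        # $body is deliberately unquoted: ipfw wants each keyword as a token
        "$fwcmd" -q add "$num" $body || exit 1
    done
}

# Preview without touching the kernel (no root needed):
gen_rules 192.0.2.10 ed0 "${MODE:-stateful}"
# Install for real:  IPFW=/sbin/ipfw load_rules 192.0.2.10 ed0 stateful
```

Rule numbers leave room between groups so single rules can be inserted with `ipfw add` later without renumbering. The anti-spoof rule at 00130 is what the original four-line set was missing besides the outbound rules; it costs nothing and stops a packet from outside claiming the firewall's own address from matching the "from [my IP]" allows.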

