From: Jeff Walters <jeff@walters.name>
To: Brian Henning
Subject: Re: firewall revisited
Date: Wed, 5 Mar 2003 11:14:25 -0500
List: freebsd-questions@freebsd.org

> how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?

I have that working right now with:

firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"

... where /etc/rc.firewall.local contains the customized ipfw commands.

> what i would like to do is block all access to services on the router like
> httpd, sshd, etc
> the other thing i would like to do is port forward ssh from another machine
> and allow access of that from an external network.
> does something like this make sense?
> thanks,

If you are using NAT then the -redirect_port option to natd will do that (i.e.
forward incoming port 22 connections to an internal machine), which can be set
in /etc/rc.conf in the natd_flags="-redirect_port ..." variable. You have to
create a corresponding ipfw rule to allow the traffic after natd rewrites the
destination IP to your internal LAN machine, which it looks like you have done
below, except the "from" would be "any" not "ROUTER_IP". It will be the IP of
the outside machine trying to connect to port 22.

I have a similar port forward set up. Early in the firewall rules allow all
established TCP connections, and then later allow the setup for the initial
SSH connection. 10.0.1.2 would be a machine behind the firewall to receive SSH
connections, and ed0 would be the external internet interface.

in /etc/rc.conf:

natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"

in the firewall script:

ipfw -q flush
ipfw add 00050 divert natd ip from any to any via ed0
ipfw add 00100 allow tcp from any to any via ed0 established
ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
ipfw add 65530 deny log ip from any to any

I winged this so forgive any errors, but it's based on what I have working,
including a rule to deny and log everything by default at the bottom.

> /etc/rc.firewall.rules
> ----------------------
> #!/bin/sh
> IPFW=/sbin/ipfw
> ${IPFW} -f flush
> ${IPFW} add 00200 divert natd all from any to any via rl1
> ${IPFW} add 00250 pass tcp from ${ROUTER_IP} to ${MACHINE1_IP} 22
> ${IPFW} add 00260 pass tcp from ${MACHINE1_IP} 22 to ${ROUTER_IP}
> ${IPFW} add 00300 pass all from any to any
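As an added illustration (not code from this thread or from FreeBSD), the Python below walks the rule set above the way ipfw does, first match wins, with natd's -redirect_port modelled as a rewrite of the destination address at the divert rule. The router's public address 198.51.100.1 and the client address 203.0.113.9 used when running it are constructed; it shows why the SSH setup rule must say "from any", since a rule keyed to the router's own address never matches the outside client.

```python
import re

# Constructed: natd "-redirect_port tcp 10.0.1.2:ssh ssh" modelled as a dst rewrite.
PORT_NAMES = {"ssh": 22}
REDIRECT = {22: "10.0.1.2"}
RULESET = """\
ipfw add 00050 divert natd ip from any to any via ed0
ipfw add 00100 allow tcp from any to any via ed0 established
ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
ipfw add 65530 deny log ip from any to any
""".splitlines()
RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) (?P<action>allow|pass|deny|divert)(?: natd| log)? "
    r"(?P<proto>tcp|udp|ip|all) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: (?P<dport>\d+|ssh))?(?P<opts>.*)$")

def parse(line):
    """Parse one 'ipfw add ...' line (only the subset of syntax used above)."""
    r = RULE_RE.match(line).groupdict()  # raises on syntax outside this subset
    r["num"] = int(r["num"])
    if r["dport"]:
        r["dport"] = PORT_NAMES.get(r["dport"]) or int(r["dport"])
    r["opts"] = r["opts"].split()
    return r

def matches(rule, pkt):
    """pkt keys: proto, src, dst, dport, flags ('syn' or 'ack'), iface."""
    opts = rule["opts"]
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    if rule["dport"] and rule["dport"] != pkt["dport"]:
        return False
    if "via" in opts and opts[opts.index("via") + 1] != pkt["iface"]:
        return False
    if "established" in opts and pkt["flags"] == "syn":  # established = not a bare SYN
        return False
    return not ("setup" in opts and pkt["flags"] != "syn")

def verdict(rules, pkt):
    """First-match walk like ipfw; a divert rule rewrites dst (natd) and falls through."""
    pkt = dict(pkt)
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] != "divert":
            return rule["num"], "allow" if rule["action"] in ("allow", "pass") else "deny"
        pkt["dst"] = REDIRECT.get(pkt["dport"], pkt["dst"])  # natd rewrote it, walk on
    return 65535, "deny"  # ipfw's implicit default rule
```

Swapping rule 1000 for one that reads "from 198.51.100.1" (the router's own address) sends the same client SYN to the deny rule, which is the mistake the reply points out.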