Date:      Fri, 04 Oct 2002 10:03:04 +0200
From:      Nelis Lamprecht <nelis@brabys.co.za>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw ruleset
Message-ID:  <5.1.0.14.2.20021004095502.0460ad18@192.96.48.11>

Whoops, never mind people, I have just realized blocking all UDP except for
on port 53 does not allow other DNS servers to do queries to my host (even
though I can query them). Would help if I actually bothered to read my
logs once in a while :O)

>Hi People,
>
>I'm trying to set up my firewall using ipfw on 4.6 Stable. I have read 
>through the man pages and also several howtos but now I need your advice. 
>I would like to setup a DNS server that will respond to queries and my 
>current ruleset does not seem to permit this. Please tell me what I am 
>doing wrong.
>
>My Ruleset: (IPs omitted)
>
>add 00301 check-state
>add 00302 allow tcp from any to any established
>add 00303 allow tcp from any to any out setup keep-state
>add 00304 allow tcp from any to $lan 22,25,80,443 setup
>add 00400 allow udp from any to any out
>add 00401 allow udp from $lan to any 53
>add 00402 allow udp from any 53 to $lan in recv rl0
>#allow some icmp types (codes not supported)
>##allow path-mtu in both directions
>add 00600 allow icmp from any to any icmptypes 3
>##allow source quench in and out
>add 00601 allow icmp from any to any icmptypes 4
>##allow me to ping out and receive response back
>add 00602 allow icmp from any to any icmptypes 8 out
>add 00603 allow icmp from any to any icmptypes 0 in
>##allow me to run traceroute
>add 00604 allow icmp from any to any icmptypes 11 in
>#allow ident requests
>add 00700 allow tcp from any to any 113 keep-state setup
>#deny syn and fin bits used for OS finger printing using nmap
>add 00701 deny log tcp from any to any in tcpflags syn,fin
>#log anything that falls through
>add 09000 deny log ip from any to any
>
>Kind Regards,
>Nelis
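The behaviour described at the top of the reply, shown as an added first-match simulation of the quoted UDP rules (this is illustrative code, not part of the original thread). The LAN and resolver addresses are constructed placeholders for the omitted IPs, and rule 00403 is an assumed fix, not a rule from the list:

```python
from dataclasses import dataclass

LAN = "192.0.2.10"  # constructed placeholder for $lan (the mail omits the real address)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str = "rl0"  # interface the packet was received on ("recv rl0")


def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    for key, want in rule.items():
        if key in ("num", "action"):
            continue
        if getattr(pkt, key) != want:
            return False
    return True


def first_match(rules, pkt):
    """ipfw semantics: the first matching rule decides (number, action)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    raise AssertionError("ruleset has no terminal rule")


# UDP part of the quoted ruleset (rule 09000 is the catch-all deny).
ORIGINAL = [
    dict(num=400, action="allow", proto="udp", direction="out"),
    dict(num=401, action="allow", proto="udp", src=LAN, dport=53),
    dict(num=402, action="allow", proto="udp", sport=53, dst=LAN, direction="in", iface="rl0"),
    dict(num=9000, action="deny"),
]

# Assumed fix: accept inbound queries to our port 53 whatever the source port is.
FIX = dict(num=403, action="allow", proto="udp", dst=LAN, dport=53, direction="in", iface="rl0")
FIXED = ORIGINAL[:3] + [FIX] + ORIGINAL[3:]

# Constructed traffic: another server querying us, and a reply to our own query.
query_from_resolver = Packet("udp", "198.51.100.7", 40123, LAN, 53, "in")
reply_to_my_query = Packet("udp", "198.51.100.7", 53, LAN, 40123, "in")
```

Rule 00402 only admits inbound UDP with source port 53, so our own replies get through while a peer querying from an ephemeral port falls to rule 09000 and shows up in the deny log.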

