From owner-freebsd-questions Thu May 2 8:14:42 2002
Date: Thu, 2 May 2002 11:14:38 -0400
From: Rob Ellis
To: Nelis Lamprecht
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall - ipfw rules
Message-ID: <20020502151437.GB84982@web.ca>
References: <5.1.0.14.2.20020502081544.013d6778@192.96.48.11>
In-Reply-To: <5.1.0.14.2.20020502081544.013d6778@192.96.48.11>

On Thu, May 02, 2002 at 08:30:07AM +0200, Nelis Lamprecht wrote:
> Hi
>
> I am trying to create a custom ruleset for ipfw on a server that is
> configured as a mail server and a web server. I have done all the necessary
> steps to enable the firewall by compiling the kernel with the relevant options
> and also setting up rc.conf to point to my ruleset.
> I have also set up the rules to allow DNS and certain ICMP traffic for ping
> and traceroute, which is working fine. My box is configured with 2 NICs, one
> external and one internal ( 192.168.0.0 ). My problem is I can't seem to get
> a rule working to accept http to my webserver, and this is what I have
> created as a rule:
>
> add 00301 allow tcp from any to external-ip 80
> add 00302 allow tcp from any to external-ip 25
> add 00303 allow tcp from any to external-ip 110
>
> *external-ip being the ip address of the external nic naturally ;-)
>
> This is either incorrect or I have forgotten something out in either the
> ruleset or the rc.firewall file.
> Can someone please give me an example of a ruleset for a web server and/or
> mail server or explain to me what needs to be done?

Have you got rules allowing outbound traffic...? :-)

You need to do something like

ipfw add allow tcp from any to $myip 25
ipfw add allow tcp from $myip 25 to any

or

ipfw add allow tcp from any to any established
ipfw add allow tcp from any to $myip 25 setup

or

ipfw add allow tcp from any to $myip 25 setup keep-state

- rob
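The stateful variant Rob suggests, worked into a complete rc.firewall-style ruleset for a two-NIC web/mail host. This is an added example, not code from either poster: the interface names (fxp0/fxp1) and the external address are placeholders, and setting IPFW=echo prints the rules instead of loading them so the script can be reviewed before use.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset for a mail + web server with an
# external NIC and an internal 192.168.0.0/24 NIC. All names below are
# assumptions; replace them with the real interfaces and address.
ext_if="${ext_if:-fxp0}"            # placeholder external interface
ext_ip="${ext_ip:-203.0.113.10}"    # placeholder public address (TEST-NET-3)
int_if="${int_if:-fxp1}"            # placeholder internal interface
int_net="192.168.0.0/24"

# Real firewall binary by default; IPFW=echo gives a dry run.
IPFW="${IPFW:-/sbin/ipfw}"

fw() { $IPFW add "$@"; }

build_rules() {
    $IPFW -f flush
    # Loopback traffic, and nothing pretending to be loopback elsewhere
    fw 100 allow ip from any to any via lo0
    fw 200 deny ip from any to 127.0.0.0/8
    # Anti-spoof: LAN source addresses never arrive on the external NIC
    fw 300 deny ip from $int_net to any in via $ext_if
    # Match packets of connections already tracked by keep-state rules.
    # This is the "outbound half" of each allowed inbound connection.
    fw 400 check-state
    # Inbound services on the external address: HTTP, SMTP, POP3.
    # "setup" matches only the initial SYN; keep-state tracks the rest.
    for port in 80 25 110; do
        fw 500 allow tcp from any to $ext_ip $port setup keep-state in via $ext_if
    done
    # Anything the LAN or the host itself originates (DNS, outbound SMTP, ...)
    fw 600 allow ip from $int_net to any keep-state in via $int_if
    fw 700 allow tcp from me to any setup keep-state out via $ext_if
    fw 710 allow udp from me to any 53 keep-state out via $ext_if
    # ICMP types needed for ping and traceroute to work
    fw 800 allow icmp from any to any icmptypes 0,3,8,11
    # Log and drop everything that did not match above
    fw 65000 deny log ip from any to any
}

# Load the rules only when invoked explicitly: ./rc.firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Run it once with IPFW=echo to read the generated rule list; the inbound web rule must come after check-state, otherwise the reply packets of an accepted connection are never matched.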