Date:      Thu, 31 Jan 2002 12:04:07 -0600
From:      "Mario Doria" <mariodoria@yahoo.com>
To:        <questions@freebsd.org>
Subject:   Migrate from IPF to IPFW
Message-ID:  <005e01c1aa81$b61531f0$0a00a8c0@Deathstar>

Hello,

I'm planning to migrate a machine from IPF to IPFW, but before I make any
changes (the machine is in production), I want to test the IPFW ruleset.
Please, can someone provide me examples of an IPFW stateful ruleset? Here's
what I have so far:

#!/bin/sh
#
fwcmd="/sbin/ipfw -q"

## Begin the ruleset
${fwcmd} -f flush

## Protect local interface
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

## Some local protection
${fwcmd} add deny log tcp from any to any tcpflags fin,urg,psh in
${fwcmd} add deny log tcp from any to any tcpflags syn,fin in

## Check state first
${fwcmd} add check-state

## Deny ACK packets that did not match the dynamic ruleset
${fwcmd} add deny tcp from any to any established in

## Outgoing packets
${fwcmd} add allow tcp from any to any out keep-state
${fwcmd} add allow udp from any to any out keep-state
${fwcmd} add allow icmp from any to any out keep-state

## Offered Services

# Samba
${fwcmd} add pass tcp from 192.168.0.0/24 to any port 137-139 in setup keep-state
${fwcmd} add pass udp from 192.168.0.0/24 to any port 137-139 in keep-state

# WWW
${fwcmd} add pass tcp from any to any 80,443 in setup keep-state

# SSH
${fwcmd} add pass tcp from any to any 22 in setup keep-state

# Mail
${fwcmd} add pass tcp from any to any 25,995 in setup keep-state
${fwcmd} add reset tcp from any to any port 113 in setup

# FTP
${fwcmd} add pass tcp from any to any 20-21 in setup keep-state
${fwcmd} add pass tcp from any to any 49152-53000 in setup keep-state

# DNS
${fwcmd} add pass udp from any to any port 53 in keep-state
${fwcmd} add pass tcp from any to any port 53 in setup keep-state

#Big-Brother
${fwcmd} add pass tcp from 192.168.0.10/32 to any port 1984 in setup keep-state

## ICMP
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11 in keep-state

## Disallow all other type of connections
${fwcmd} add deny log all from any to any in

-------

Thanks a lot!


Mario Doria
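Since the post asks how to test the ruleset before touching the production box, here is an added dry-run harness (my own shell, not code from the post or from FreeBSD): it swaps ipfw for a stub so the rules a script would load can be listed and checked for ordering mistakes that break stateful filtering, without loading anything into the kernel. The two sample scripts inside are constructed; their layout and the fwcmd variable follow the post.

```shell
#!/bin/sh
# Dry-run harness added here (not from the post): run a ruleset script with
# ipfw replaced by a stub that prints each rule, then check ordering properties
# a stateful ipfw ruleset depends on. Assumes the script sets fwcmd= on one line.

# Print the rules the script would hand to ipfw, one per line, without loading them.
dryrun_rules() {
    stub=$(mktemp -d)
    printf '#!/bin/sh\necho "$*"\n' > "$stub/ipfw"
    chmod +x "$stub/ipfw"
    sed "s|^fwcmd=.*|fwcmd=\"$stub/ipfw -q\"|" "$1" | sh
    rm -rf "$stub"
}

# Line number of the first rule matching a pattern (empty if none).
first_line() { printf '%s\n' "$1" | grep -n -- "$2" | head -1 | cut -d: -f1; }

# check-state must precede the first keep-state rule (else the dynamic table is
# never consulted for replies), the "deny ... established" rule must follow
# check-state, and the last rule must be a deny. Returns 0 if all hold.
check_order() {
    rules=$(dryrun_rules "$1")
    cs=$(first_line "$rules" 'check-state')
    ks=$(first_line "$rules" 'keep-state')
    est=$(first_line "$rules" 'established')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ] || return 1
    [ -n "$est" ] && [ "$est" -gt "$cs" ] || return 1
    case "$last" in *' deny '*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample scripts in the post's layout: one correct, one with
# check-state moved after the keep-state rules.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any established in
${fwcmd} add allow tcp from any to any out keep-state
${fwcmd} add pass tcp from any to any 22 in setup keep-state
${fwcmd} add deny log all from any to any in
EOF
{ grep -v check-state "$good"; echo '${fwcmd} add check-state'; } > "$bad"

check_order "$good" && echo "good: ordering ok"
check_order "$bad" || echo "bad: ordering problem found"
```

Point dryrun_rules at the real script to review the full rule list before enabling it on the production machine.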


